# Flog Txt Version 1 # Analyzer Version: 3.2.1 # Analyzer Build Date: Jan 15 2020 08:26:44 # Log Creation Date: 20.01.2020 20:01:51.038 Process: id = "1" image_name = "cusersgrujaappdataroamingmicrosoftwindowsspoolsv.exe" filename = "c:\\users\\fd1hvy\\desktop\\cusersgrujaappdataroamingmicrosoftwindowsspoolsv.exe" page_root = "0x10be6000" os_pid = "0xaac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x740" cmd_line = "\"C:\\Users\\FD1HVy\\Desktop\\CUsersGrujaAppDataRoamingMicrosoftWindowsspoolsv.exe\" " cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0xe28 [0066.465] GetModuleHandleA (lpModuleName=0x0) returned 0x40000 [0066.468] GetKeyboardType (nTypeFlag=0) returned 4 [0066.636] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\Desktop\\CUsersGrujaAppDataRoamingMicrosoftWindowsspoolsv.exe\" " [0066.636] GetStartupInfoA (in: lpStartupInfo=0xbdfa84 | out: lpStartupInfo=0xbdfa84*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\FD1HVy\\Desktop\\CUsersGrujaAppDataRoamingMicrosoftWindowsspoolsv.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0066.636] GetACP () returned 0x4e4 [0066.636] GetCurrentThreadId () returned 0xe28 [0066.636] GetModuleFileNameA (in: hModule=0x40000, lpFilename=0xbde974, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\CUsersGrujaAppDataRoamingMicrosoftWindowsspoolsv.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersgrujaappdataroamingmicrosoftwindowsspoolsv.exe")) returned 0x4c [0066.637] GetModuleFileNameA (in: hModule=0x0, lpFilename=0xbde84f, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\CUsersGrujaAppDataRoamingMicrosoftWindowsspoolsv.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersgrujaappdataroamingmicrosoftwindowsspoolsv.exe")) returned 0x4c [0066.637] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0xbde964 | out: phkResult=0xbde964*=0x0) returned 0x2 [0066.637] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0xbde964 | out: phkResult=0xbde964*=0x0) returned 0x2 [0066.637] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0xbde964 | out: phkResult=0xbde964*=0x0) returned 0x2 [0066.637] lstrcpynA (in: lpString1=0xbde84f, lpString2="C:\\Users\\FD1HVy\\Desktop\\CUsersGrujaAppDataRoamingMicrosoftWindowsspoolsv.exe", iMaxLength=261 | out: lpString1="C:\\Users\\FD1HVy\\Desktop\\CUsersGrujaAppDataRoamingMicrosoftWindowsspoolsv.exe") returned="C:\\Users\\FD1HVy\\Desktop\\CUsersGrujaAppDataRoamingMicrosoftWindowsspoolsv.exe" [0066.637] GetThreadLocale () returned 0x409 [0066.637] GetLocaleInfoA (in: Locale=0x409, LCType=0x3, lpLCData=0xbde95f, cchData=5 | out: lpLCData="ENU") returned 4 [0066.638] lstrlenA (lpString="C:\\Users\\FD1HVy\\Desktop\\CUsersGrujaAppDataRoamingMicrosoftWindowsspoolsv.exe") returned 76 [0066.638] lstrcpynA (in: lpString1=0xbde898, lpString2="ENU", iMaxLength=188 | out: lpString1="ENU") returned="ENU" [0066.639] LoadLibraryExA (lpLibFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersGrujaAppDataRoamingMicrosoftWindowsspoolsv.ENU", hFile=0x0, dwFlags=0x2) returned 0x0 [0066.639] lstrcpynA (in: lpString1=0xbde898, lpString2="EN", iMaxLength=188 | out: lpString1="EN") returned="EN" [0066.639] LoadLibraryExA (lpLibFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersGrujaAppDataRoamingMicrosoftWindowsspoolsv.EN", hFile=0x0, dwFlags=0x2) returned 0x0 [0066.639] LoadStringA (in: hInstance=0x40000, uID=0xffdf, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.639] LoadStringA (in: hInstance=0x40000, uID=0xffde, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.639] LoadStringA (in: hInstance=0x40000, uID=0xffdc, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.639] LoadStringA (in: hInstance=0x40000, uID=0xffdd, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.639] LoadStringA (in: hInstance=0x40000, uID=0xffd0, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.639] LoadStringA (in: hInstance=0x40000, uID=0xffd8, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.639] LoadStringA (in: hInstance=0x40000, uID=0xffef, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.639] LoadStringA (in: hInstance=0x40000, uID=0xffec, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.639] LoadStringA (in: hInstance=0x40000, uID=0xffd3, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.639] LoadStringA (in: hInstance=0x40000, uID=0xffd2, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.639] LoadStringA (in: hInstance=0x40000, uID=0xffe5, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.639] LoadStringA (in: hInstance=0x40000, uID=0xffe6, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.640] LoadStringA (in: hInstance=0x40000, uID=0xffe7, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.640] LoadStringA (in: hInstance=0x40000, uID=0xffe4, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.640] LoadStringA (in: hInstance=0x40000, uID=0xffe2, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.640] LoadStringA (in: hInstance=0x40000, uID=0xffe0, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.640] LoadStringA (in: hInstance=0x40000, uID=0xffff, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.640] LoadStringA (in: hInstance=0x40000, uID=0xfffe, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.640] LoadStringA (in: hInstance=0x40000, uID=0xfffd, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.640] LoadStringA (in: hInstance=0x40000, uID=0xfffc, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.640] LoadStringA (in: hInstance=0x40000, uID=0xfffb, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.640] LoadStringA (in: hInstance=0x40000, uID=0xfffa, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.640] LoadStringA (in: hInstance=0x40000, uID=0xfff9, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.640] LoadStringA (in: hInstance=0x40000, uID=0xfff8, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.640] LoadStringA (in: hInstance=0x40000, uID=0xfff7, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.640] LoadStringA (in: hInstance=0x40000, uID=0xfff6, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.640] LoadStringA (in: hInstance=0x40000, uID=0xfff5, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.640] LoadStringA (in: hInstance=0x40000, uID=0xfff4, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.640] LoadStringA (in: hInstance=0x40000, uID=0xfff3, lpBuffer=0xbdeaa4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.640] VirtualAlloc (lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x2c20000 [0066.641] LoadStringA (in: hInstance=0x40000, uID=0xfff1, lpBuffer=0xbdea90, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.641] LoadStringA (in: hInstance=0x40000, uID=0xffe1, lpBuffer=0xbdea90, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0066.641] GetVersionExA (in: lpVersionInformation=0xbdfa28*(dwOSVersionInfoSize=0x94, dwMajorVersion=0xffffffff, dwMinorVersion=0xbdfa4c, dwBuildNumber=0x0, dwPlatformId=0xbdfa48, szCSDVersion="") | out: lpVersionInformation=0xbdfa28*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0066.641] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0066.641] GetProcAddress (hModule=0x74030000, lpProcName="GetDiskFreeSpaceExA") returned 0x7409ee90 [0066.641] GetThreadLocale () returned 0x409 [0066.642] GetSystemMetrics (nIndex=42) returned 0 [0068.776] GetThreadLocale () returned 0x409 [0068.776] GetLocaleInfoA (in: Locale=0x409, LCType=0x44, lpLCData=0xbdf900, cchData=256 | out: lpLCData="Jan") returned 4 [0068.776] GetLocaleInfoA (in: Locale=0x409, LCType=0x38, lpLCData=0xbdf900, cchData=256 | out: lpLCData="January") returned 8 [0068.776] GetLocaleInfoA (in: Locale=0x409, LCType=0x45, lpLCData=0xbdf900, cchData=256 | out: lpLCData="Feb") returned 4 [0068.776] GetLocaleInfoA (in: Locale=0x409, LCType=0x39, lpLCData=0xbdf900, cchData=256 | out: lpLCData="February") returned 9 [0068.776] GetLocaleInfoA (in: Locale=0x409, LCType=0x46, lpLCData=0xbdf900, cchData=256 | out: lpLCData="Mar") returned 4 [0068.776] GetLocaleInfoA (in: Locale=0x409, LCType=0x3a, lpLCData=0xbdf900, cchData=256 | out: lpLCData="March") returned 6 [0068.776] GetLocaleInfoA (in: Locale=0x409, LCType=0x47, lpLCData=0xbdf900, cchData=256 | out: lpLCData="Apr") returned 4 [0068.776] GetLocaleInfoA (in: Locale=0x409, LCType=0x3b, lpLCData=0xbdf900, cchData=256 | out: lpLCData="April") returned 6 [0068.776] GetLocaleInfoA (in: Locale=0x409, LCType=0x48, lpLCData=0xbdf900, cchData=256 | out: lpLCData="May") returned 4 [0068.776] GetLocaleInfoA (in: Locale=0x409, LCType=0x3c, lpLCData=0xbdf900, cchData=256 | out: lpLCData="May") returned 4 [0068.776] GetLocaleInfoA (in: Locale=0x409, LCType=0x49, lpLCData=0xbdf900, cchData=256 | out: lpLCData="Jun") returned 4 [0068.776] GetLocaleInfoA (in: Locale=0x409, LCType=0x3d, lpLCData=0xbdf900, cchData=256 | out: lpLCData="June") returned 5 [0068.776] GetLocaleInfoA (in: Locale=0x409, LCType=0x4a, lpLCData=0xbdf900, cchData=256 | out: lpLCData="Jul") returned 4 [0068.776] GetLocaleInfoA (in: Locale=0x409, LCType=0x3e, lpLCData=0xbdf900, cchData=256 | out: lpLCData="July") returned 5 [0068.776] GetLocaleInfoA (in: Locale=0x409, LCType=0x4b, lpLCData=0xbdf900, cchData=256 | out: lpLCData="Aug") returned 4 [0068.776] GetLocaleInfoA (in: Locale=0x409, LCType=0x3f, lpLCData=0xbdf900, cchData=256 | out: lpLCData="August") returned 7 [0068.776] GetLocaleInfoA (in: Locale=0x409, LCType=0x4c, lpLCData=0xbdf900, cchData=256 | out: lpLCData="Sep") returned 4 [0068.776] GetLocaleInfoA (in: Locale=0x409, LCType=0x40, lpLCData=0xbdf900, cchData=256 | out: lpLCData="September") returned 10 [0068.776] GetLocaleInfoA (in: Locale=0x409, LCType=0x4d, lpLCData=0xbdf900, cchData=256 | out: lpLCData="Oct") returned 4 [0068.776] GetLocaleInfoA (in: Locale=0x409, LCType=0x41, lpLCData=0xbdf900, cchData=256 | out: lpLCData="October") returned 8 [0068.776] GetLocaleInfoA (in: Locale=0x409, LCType=0x4e, lpLCData=0xbdf900, cchData=256 | out: lpLCData="Nov") returned 4 [0068.777] GetLocaleInfoA (in: Locale=0x409, LCType=0x42, lpLCData=0xbdf900, cchData=256 | out: lpLCData="November") returned 9 [0068.777] GetLocaleInfoA (in: Locale=0x409, LCType=0x4f, lpLCData=0xbdf900, cchData=256 | out: lpLCData="Dec") returned 4 [0068.777] GetLocaleInfoA (in: Locale=0x409, LCType=0x43, lpLCData=0xbdf900, cchData=256 | out: lpLCData="December") returned 9 [0068.777] GetLocaleInfoA (in: Locale=0x409, LCType=0x37, lpLCData=0xbdf900, cchData=256 | out: lpLCData="Sun") returned 4 [0068.777] GetLocaleInfoA (in: Locale=0x409, LCType=0x30, lpLCData=0xbdf900, cchData=256 | out: lpLCData="Sunday") returned 7 [0068.777] GetLocaleInfoA (in: Locale=0x409, LCType=0x31, lpLCData=0xbdf900, cchData=256 | out: lpLCData="Mon") returned 4 [0068.777] GetLocaleInfoA (in: Locale=0x409, LCType=0x2a, lpLCData=0xbdf900, cchData=256 | out: lpLCData="Monday") returned 7 [0068.777] GetLocaleInfoA (in: Locale=0x409, LCType=0x32, lpLCData=0xbdf900, cchData=256 | out: lpLCData="Tue") returned 4 [0068.777] GetLocaleInfoA (in: Locale=0x409, LCType=0x2b, lpLCData=0xbdf900, cchData=256 | out: lpLCData="Tuesday") returned 8 [0068.777] GetLocaleInfoA (in: Locale=0x409, LCType=0x33, lpLCData=0xbdf900, cchData=256 | out: lpLCData="Wed") returned 4 [0068.777] GetLocaleInfoA (in: Locale=0x409, LCType=0x2c, lpLCData=0xbdf900, cchData=256 | out: lpLCData="Wednesday") returned 10 [0068.777] GetLocaleInfoA (in: Locale=0x409, LCType=0x34, lpLCData=0xbdf900, cchData=256 | out: lpLCData="Thu") returned 4 [0068.777] GetLocaleInfoA (in: Locale=0x409, LCType=0x2d, lpLCData=0xbdf900, cchData=256 | out: lpLCData="Thursday") returned 9 [0068.777] GetLocaleInfoA (in: Locale=0x409, LCType=0x35, lpLCData=0xbdf900, cchData=256 | out: lpLCData="Fri") returned 4 [0068.777] GetLocaleInfoA (in: Locale=0x409, LCType=0x2e, lpLCData=0xbdf900, cchData=256 | out: lpLCData="Friday") returned 7 [0068.777] GetLocaleInfoA (in: Locale=0x409, LCType=0x36, lpLCData=0xbdf900, cchData=256 | out: lpLCData="Sat") returned 4 [0068.777] GetLocaleInfoA (in: Locale=0x409, LCType=0x2f, lpLCData=0xbdf900, cchData=256 | out: lpLCData="Saturday") returned 9 [0068.777] GetThreadLocale () returned 0x409 [0068.777] GetLocaleInfoA (in: Locale=0x409, LCType=0x14, lpLCData=0xbdf95c, cchData=256 | out: lpLCData="$") returned 2 [0068.777] GetLocaleInfoA (in: Locale=0x409, LCType=0x1b, lpLCData=0xbdf95c, cchData=256 | out: lpLCData="0") returned 2 [0068.777] GetLocaleInfoA (in: Locale=0x409, LCType=0x1c, lpLCData=0xbdf95c, cchData=256 | out: lpLCData="0") returned 2 [0068.777] GetLocaleInfoA (in: Locale=0x409, LCType=0xf, lpLCData=0xbdfa54, cchData=2 | out: lpLCData=",") returned 2 [0068.777] GetLocaleInfoA (in: Locale=0x409, LCType=0xe, lpLCData=0xbdfa54, cchData=2 | out: lpLCData=".") returned 2 [0068.777] GetLocaleInfoA (in: Locale=0x409, LCType=0x19, lpLCData=0xbdf95c, cchData=256 | out: lpLCData="2") returned 2 [0068.777] GetLocaleInfoA (in: Locale=0x409, LCType=0x1d, lpLCData=0xbdfa54, cchData=2 | out: lpLCData="/") returned 2 [0068.777] GetLocaleInfoA (in: Locale=0x409, LCType=0x1f, lpLCData=0xbdf95c, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0068.777] GetThreadLocale () returned 0x409 [0068.777] GetLocaleInfoA (in: Locale=0x409, LCType=0x1009, lpLCData=0xbdf928, cchData=256 | out: lpLCData="1") returned 2 [0068.777] GetLocaleInfoA (in: Locale=0x409, LCType=0x20, lpLCData=0xbdf95c, cchData=256 | out: lpLCData="dddd, MMMM d, yyyy") returned 19 [0068.777] GetThreadLocale () returned 0x409 [0068.778] GetLocaleInfoA (in: Locale=0x409, LCType=0x1009, lpLCData=0xbdf928, cchData=256 | out: lpLCData="1") returned 2 [0068.778] GetLocaleInfoA (in: Locale=0x409, LCType=0x1e, lpLCData=0xbdfa54, cchData=2 | out: lpLCData=":") returned 2 [0068.778] GetLocaleInfoA (in: Locale=0x409, LCType=0x28, lpLCData=0xbdf95c, cchData=256 | out: lpLCData="AM") returned 3 [0068.778] GetLocaleInfoA (in: Locale=0x409, LCType=0x29, lpLCData=0xbdf95c, cchData=256 | out: lpLCData="PM") returned 3 [0068.778] GetLocaleInfoA (in: Locale=0x409, LCType=0x25, lpLCData=0xbdf95c, cchData=256 | out: lpLCData="0") returned 2 [0068.778] GetLocaleInfoA (in: Locale=0x409, LCType=0x23, lpLCData=0xbdf95c, cchData=256 | out: lpLCData="0") returned 2 [0068.778] GetLocaleInfoA (in: Locale=0x409, LCType=0x1005, lpLCData=0xbdf95c, cchData=256 | out: lpLCData="0") returned 2 [0068.778] GetLocaleInfoA (in: Locale=0x409, LCType=0xc, lpLCData=0xbdfa54, cchData=2 | out: lpLCData=",") returned 2 [0068.778] GetModuleHandleA (lpModuleName="oleaut32.dll") returned 0x73e80000 [0068.778] GetProcAddress (hModule=0x73e80000, lpProcName="VariantChangeTypeEx") returned 0x73e9a610 [0068.778] GetProcAddress (hModule=0x73e80000, lpProcName="VarNeg") returned 0x73ee52c0 [0068.778] GetProcAddress (hModule=0x73e80000, lpProcName="VarNot") returned 0x73ee6560 [0068.778] GetProcAddress (hModule=0x73e80000, lpProcName="VarAdd") returned 0x73ebd610 [0068.779] GetProcAddress (hModule=0x73e80000, lpProcName="VarSub") returned 0x73ebe3e0 [0068.779] GetProcAddress (hModule=0x73e80000, lpProcName="VarMul") returned 0x73ebdb10 [0068.779] GetProcAddress (hModule=0x73e80000, lpProcName="VarDiv") returned 0x73ee5800 [0068.779] GetProcAddress (hModule=0x73e80000, lpProcName="VarIdiv") returned 0x73ee61a0 [0068.779] GetProcAddress (hModule=0x73e80000, lpProcName="VarMod") returned 0x73ee6400 [0068.779] GetProcAddress (hModule=0x73e80000, lpProcName="VarAnd") returned 0x73eb3200 [0068.779] GetProcAddress (hModule=0x73e80000, lpProcName="VarOr") returned 0x73ee6610 [0068.779] GetProcAddress (hModule=0x73e80000, lpProcName="VarXor") returned 0x73ee67b0 [0068.779] GetProcAddress (hModule=0x73e80000, lpProcName="VarCmp") returned 0x73ea60b0 [0068.779] GetProcAddress (hModule=0x73e80000, lpProcName="VarI4FromStr") returned 0x73ea6ec0 [0068.780] GetProcAddress (hModule=0x73e80000, lpProcName="VarR4FromStr") returned 0x73eb3010 [0068.780] GetProcAddress (hModule=0x73e80000, lpProcName="VarR8FromStr") returned 0x73eb3630 [0068.780] GetProcAddress (hModule=0x73e80000, lpProcName="VarDateFromStr") returned 0x73ea8b90 [0068.780] GetProcAddress (hModule=0x73e80000, lpProcName="VarCyFromStr") returned 0x73e92d90 [0068.780] GetProcAddress (hModule=0x73e80000, lpProcName="VarBoolFromStr") returned 0x73ea48f0 [0068.780] GetProcAddress (hModule=0x73e80000, lpProcName="VarBstrFromCy") returned 0x73ea7f50 [0068.780] GetProcAddress (hModule=0x73e80000, lpProcName="VarBstrFromDate") returned 0x73ea89c0 [0068.780] GetProcAddress (hModule=0x73e80000, lpProcName="VarBstrFromBool") returned 0x73ea48a0 [0068.780] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="") returned 0x1f0 [0068.780] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x1f4 [0068.781] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x1f8 [0068.781] QueryPerformanceCounter (in: lpPerformanceCount=0xbdfab0 | out: lpPerformanceCount=0xbdfab0*=22627274780) returned 1 [0068.782] GetTickCount () returned 0x1161c3a [0068.782] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\Desktop\\CUsersGrujaAppDataRoamingMicrosoftWindowsspoolsv.exe\" " [0068.786] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\Desktop\\CUsersGrujaAppDataRoamingMicrosoftWindowsspoolsv.exe\" " [0068.789] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\Desktop\\CUsersGrujaAppDataRoamingMicrosoftWindowsspoolsv.exe\" " [0068.789] GetUserDefaultLangID () returned 0x409 [0068.789] GetLocaleInfoA (in: Locale=0x800, LCType=0x5, lpLCData=0xbdfa0c, cchData=19 | out: lpLCData="1") returned 2 [0068.789] GetModuleFileNameA (in: hModule=0x0, lpFilename=0xbdf8b8, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\CUsersGrujaAppDataRoamingMicrosoftWindowsspoolsv.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersgrujaappdataroamingmicrosoftwindowsspoolsv.exe")) returned 0x4c [0068.789] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2cdcce8, cbMultiByte=17, lpWideCharStr=0xbde9bc, cchWideChar=2047 | out: lpWideCharStr="5D4CAC51.zeppelin") returned 17 [0068.789] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2d59780, cbMultiByte=4, lpWideCharStr=0xbde770, cchWideChar=2047 | out: lpWideCharStr="TEMP\x15") returned 4 [0068.789] GetEnvironmentVariableW (in: lpName="TEMP", lpBuffer=0xbdf796, nSize=0x20a | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp") returned 0x22 [0068.790] SysReAllocStringLen (in: pbstr=0xbdf9e0*=0x0, psz="C:\\Users\\FD1HVy\\AppData\\Local\\Temp", len=0x22 | out: pbstr=0xbdf9e0*="C:\\Users\\FD1HVy\\AppData\\Local\\Temp") returned 1 [0068.790] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\5d4cac51.zeppelin"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0068.791] WriteFile (in: hFile=0x1fc, lpBuffer=0x2d51b38*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0xbdf9e4, lpOverlapped=0x0 | out: lpBuffer=0x2d51b38*, lpNumberOfBytesWritten=0xbdf9e4*=0x1, lpOverlapped=0x0) returned 1 [0068.792] CloseHandle (hObject=0x1fc) returned 1 [0068.794] Sleep (dwMilliseconds=0x29a) [0069.518] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0xbdf79c | out: lpFindFileData=0xbdf79c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c204e01, ftCreationTime.dwHighDateTime=0x1d5cfcc, ftLastAccessTime.dwLowDateTime=0x9c204e01, ftLastAccessTime.dwHighDateTime=0x1d5cfcc, ftLastWriteTime.dwLowDateTime=0x9c204e01, ftLastWriteTime.dwHighDateTime=0x1d5cfcc, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x0, dwReserved1=0x10, cFileName="5D4CAC51.zeppelin", cAlternateFileName="5D4CAC~1.ZEP")) returned 0x1099728 [0069.519] FileTimeToLocalFileTime (in: lpFileTime=0xbdf7b0, lpLocalFileTime=0xbdf748 | out: lpLocalFileTime=0xbdf748) returned 1 [0069.519] FileTimeToDosDateTime (in: lpFileTime=0xbdf748, lpFatDate=0xbdf77e, lpFatTime=0xbdf77c | out: lpFatDate=0xbdf77e, lpFatTime=0xbdf77c) returned 1 [0069.519] FindClose (in: hFindFile=0x1099728 | out: hFindFile=0x1099728) returned 1 [0069.519] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\5d4cac51.zeppelin")) returned 1 [0069.521] GetModuleFileNameA (in: hModule=0x0, lpFilename=0xbdf8bc, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\CUsersGrujaAppDataRoamingMicrosoftWindowsspoolsv.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersgrujaappdataroamingmicrosoftwindowsspoolsv.exe")) returned 0x4c [0069.521] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2cdcce8, cbMultiByte=17, lpWideCharStr=0xbde9c0, cchWideChar=2047 | out: lpWideCharStr="5D4CAC51.zeppelin") returned 17 [0069.521] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2d59750, cbMultiByte=4, lpWideCharStr=0xbde774, cchWideChar=2047 | out: lpWideCharStr="TEMPɠĈ￾￿½變½鿐着찝횥￾￿½૗眽") returned 4 [0069.521] GetEnvironmentVariableW (in: lpName="TEMP", lpBuffer=0xbdf79a, nSize=0x20a | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp") returned 0x22 [0069.521] SysReAllocStringLen (in: pbstr=0xbdf9e4*=0x0, psz="C:\\Users\\FD1HVy\\AppData\\Local\\Temp", len=0x22 | out: pbstr=0xbdf9e4*="C:\\Users\\FD1HVy\\AppData\\Local\\Temp") returned 1 [0069.521] SysReAllocStringLen (in: pbstr=0x2d3c0a8*=0x0, psz="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", len=0x34 | out: pbstr=0x2d3c0a8*="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin") returned 1 [0069.521] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x44694, lpParameter=0x2d51b30, dwCreationFlags=0x4, lpThreadId=0x2d3c070 | out: lpThreadId=0x2d3c070*=0xf50) returned 0x1fc [0069.525] ResumeThread (hThread=0x1fc) returned 0x1 [0069.525] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\Desktop\\CUsersGrujaAppDataRoamingMicrosoftWindowsspoolsv.exe\" " [0069.525] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xbdf9ac | out: phkResult=0xbdf9ac*=0x0) returned 0x2 [0069.538] LoadStringA (in: hInstance=0x40000, uID=0xffed, lpBuffer=0xbdd7dc, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0069.538] VirtualQuery (in: lpAddress=0x43031, lpBuffer=0xbde94c, dwLength=0x1c | out: lpBuffer=0xbde94c*(BaseAddress=0x43000, AllocationBase=0x40000, AllocationProtect=0x80, RegionSize=0x2e000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0069.538] GetModuleFileNameA (in: hModule=0x40000, lpFilename=0xbde847, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\CUsersGrujaAppDataRoamingMicrosoftWindowsspoolsv.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersgrujaappdataroamingmicrosoftwindowsspoolsv.exe")) returned 0x4c [0069.538] LoadStringA (in: hInstance=0x40000, uID=0xffc2, lpBuffer=0xbdd7d4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0069.538] RtlUnwind (TargetFrame=0xbdf9c4, TargetIp=0x43fa8, ExceptionRecord=0xbdee4c, ReturnValue=0x0) [0069.538] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20006, lpSecurityAttributes=0x0, phkResult=0xbdf9b0, lpdwDisposition=0xbdf9b4 | out: phkResult=0xbdf9b0*=0x200, lpdwDisposition=0xbdf9b4*=0x1) returned 0x0 [0069.538] RegSetValueExA (in: hKey=0x200, lpValueName="Process", Reserved=0x0, dwType=0x1, lpData="kj+YIgJeHMy2VdSyAvS0jfK78U0k16DecfbfvU/jo5aBwiaM+YM3gVM=", cbData=0x39 | out: lpData="kj+YIgJeHMy2VdSyAvS0jfK78U0k16DecfbfvU/jo5aBwiaM+YM3gVM=") returned 0x0 [0069.539] RegCloseKey (hKey=0x200) returned 0x0 [0069.539] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2d597b0, cbMultiByte=7, lpWideCharStr=0xbde740, cchWideChar=2047 | out: lpWideCharStr="APPDATA") returned 7 [0069.539] GetEnvironmentVariableW (in: lpName="APPDATA", lpBuffer=0xbdf766, nSize=0x20a | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x1f [0069.539] SysReAllocStringLen (in: pbstr=0xbdf9dc*=0x0, psz="C:\\Users\\FD1HVy\\AppData\\Roaming", len=0x1f | out: pbstr=0xbdf9dc*="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 1 [0069.539] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2d4a6e8, cbMultiByte=18, lpWideCharStr=0xbde964, cchWideChar=2047 | out: lpWideCharStr="Microsoft\\Windows\\½½½") returned 18 [0069.539] SysReAllocStringLen (in: pbstr=0xbdf9e8*=0x0, psz="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\", len=0x32 | out: pbstr=0xbdf9e8*="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\") returned 1 [0069.539] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows")) returned 0x10 [0069.539] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2d59780, cbMultiByte=9, lpWideCharStr=0xbde968, cchWideChar=2047 | out: lpWideCharStr="csrss.exeindows\\½½½") returned 9 [0069.540] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0 [0069.540] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xbdf758, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\CUsersGrujaAppDataRoamingMicrosoftWindowsspoolsv.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersgrujaappdataroamingmicrosoftwindowsspoolsv.exe")) returned 0x4c [0069.540] CopyFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\CUsersGrujaAppDataRoamingMicrosoftWindowsspoolsv.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersgrujaappdataroamingmicrosoftwindowsspoolsv.exe"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe"), bFailIfExists=0) returned 1 [0070.802] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2d51b88, cbMultiByte=1, lpWideCharStr=0xbde968, cchWideChar=2047 | out: lpWideCharStr="\"½") returned 1 [0070.802] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2d59738, cbMultiByte=8, lpWideCharStr=0xbde960, cchWideChar=2047 | out: lpWideCharStr="\" -start") returned 8 [0070.803] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2cd59b8, cbMultiByte=55, lpWideCharStr=0xbde964, cchWideChar=2047 | out: lpWideCharStr="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\csrss.exe") returned 55 [0070.803] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20006, lpSecurityAttributes=0x0, phkResult=0xbdf934, lpdwDisposition=0xbdf938 | out: phkResult=0xbdf934*=0x200, lpdwDisposition=0xbdf938*=0x2) returned 0x0 [0070.803] RegSetValueExW (in: hKey=0x200, lpValueName="csrss.exe", Reserved=0x0, dwType=0x1, lpData="\"C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start", cbData=0x8a | out: lpData="\"C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start") returned 0x0 [0070.804] RegCloseKey (hKey=0x200) returned 0x0 [0070.804] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2d59768, cbMultiByte=6, lpWideCharStr=0xbde928, cchWideChar=2047 | out: lpWideCharStr="-start炴Ĉ½n") returned 6 [0070.804] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2d597e0, cbMultiByte=4, lpWideCharStr=0xbde920, cchWideChar=2047 | out: lpWideCharStr="open-start炴Ĉ½n") returned 4 [0070.804] ShellExecuteW (hwnd=0x0, lpOperation="open", lpFile="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpParameters="-start", lpDirectory=0x0, nShowCmd=1) returned 0x2a [0083.603] GetCurrentProcess () returned 0xffffffff [0083.603] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0xbdf97c | out: TokenHandle=0xbdf97c*=0x2b0) returned 1 [0083.603] LookupPrivilegeValueA (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0xbdf970 | out: lpLuid=0xbdf970*(LowPart=0x14, HighPart=0)) returned 1 [0083.605] AdjustTokenPrivileges (in: TokenHandle=0x2b0, DisableAllPrivileges=0, NewState=0xbdf95c*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x10, PreviousState=0x0, ReturnLength=0xbdf96c | out: PreviousState=0x0, ReturnLength=0xbdf96c) returned 1 [0083.605] CloseHandle (hObject=0x2b0) returned 1 [0083.605] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2d597e0, cbMultiByte=11, lpWideCharStr=0xbde974, cchWideChar=2047 | out: lpWideCharStr="notepad.exe") returned 11 [0083.605] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="notepad.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000044, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0xbdf9ac*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xbdf99c | out: lpCommandLine="notepad.exe", lpProcessInformation=0xbdf99c*(hProcess=0x36c, hThread=0x2b0, dwProcessId=0x378, dwThreadId=0xfa8)) returned 1 [0084.399] CloseHandle (hObject=0x2b0) returned 1 [0084.399] OpenProcessToken (in: ProcessHandle=0x378, DesiredAccess=0x28, TokenHandle=0xbdf97c | out: TokenHandle=0xbdf97c*=0x0) returned 0 [0084.399] LookupPrivilegeValueA (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0xbdf970 | out: lpLuid=0xbdf970*(LowPart=0x14, HighPart=0)) returned 1 [0084.400] AdjustTokenPrivileges (in: TokenHandle=0x0, DisableAllPrivileges=0, NewState=0xbdf95c*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x10, PreviousState=0x0, ReturnLength=0xbdf96c | out: PreviousState=0x0, ReturnLength=0xbdf96c) returned 0 [0084.400] CloseHandle (hObject=0x0) returned 0 [0084.400] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0x378) returned 0x2b0 [0084.400] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0084.401] GetProcAddress (hModule=0x74030000, lpProcName="DeleteFileW") returned 0x7409ed40 [0084.401] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0084.401] GetProcAddress (hModule=0x74030000, lpProcName="ExitProcess") returned 0x74043cb0 [0084.401] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0084.401] GetProcAddress (hModule=0x74030000, lpProcName="Sleep") returned 0x74046760 [0084.401] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xbdf724, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\CUsersGrujaAppDataRoamingMicrosoftWindowsspoolsv.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\cusersgrujaappdataroamingmicrosoftwindowsspoolsv.exe")) returned 0x4c [0084.402] VirtualAllocEx (hProcess=0x2b0, lpAddress=0x0, dwSize=0x99, flAllocationType=0x3000, flProtect=0x40) returned 0x27f0000 [0084.402] WriteProcessMemory (in: hProcess=0x2b0, lpBaseAddress=0x27f0000, lpBuffer=0x10c640c*, nSize=0x99, lpNumberOfBytesWritten=0xbdf978 | out: lpBuffer=0x10c640c*, lpNumberOfBytesWritten=0xbdf978*=0x99) returned 1 [0084.404] VirtualAllocEx (hProcess=0x2b0, lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x40) returned 0x2a00000 [0084.505] WriteProcessMemory (in: hProcess=0x2b0, lpBaseAddress=0x2a00000, lpBuffer=0xbdf964*, nSize=0x10, lpNumberOfBytesWritten=0xbdf978 | out: lpBuffer=0xbdf964*, lpNumberOfBytesWritten=0xbdf978*=0x10) returned 1 [0084.506] VirtualAllocEx (hProcess=0x2b0, lpAddress=0x0, dwSize=0x1f4, flAllocationType=0x3000, flProtect=0x40) returned 0x2a10000 [0084.506] WriteProcessMemory (in: hProcess=0x2b0, lpBaseAddress=0x2a10000, lpBuffer=0x6c2ec*, nSize=0x1f4, lpNumberOfBytesWritten=0xbdf978 | out: lpBuffer=0x6c2ec*, lpNumberOfBytesWritten=0xbdf978*=0x1f4) returned 1 [0084.518] CreateRemoteThread (in: hProcess=0x2b0, lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x2a10000, lpParameter=0x2a00000, dwCreationFlags=0x0, lpThreadId=0xbdf974 | out: lpThreadId=0xbdf974*=0x474) returned 0x358 [0084.519] CloseHandle (hObject=0x2b0) returned 1 [0084.519] Sleep (dwMilliseconds=0x3e8) [0085.525] ExitProcess (uExitCode=0xdeadface) Thread: id = 2 os_tid = 0xc6c Thread: id = 3 os_tid = 0x84 Thread: id = 4 os_tid = 0xf50 [0069.533] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x77390000, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x2e5faa8, nFileSizeHigh=0xc36000, nFileSizeLow=0xc2a000, dwReserved0=0x0, dwReserved1=0x2e5fa34, cFileName="", cAlternateFileName="")) returned 0xffffffff [0069.533] GetLastError () returned 0x2 [0069.534] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x0) returned 0x2 [0069.534] Sleep (dwMilliseconds=0xa) [0070.765] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x6a, ftCreationTime.dwLowDateTime=0x19, ftCreationTime.dwHighDateTime=0xe3, ftLastAccessTime.dwLowDateTime=0x30, ftLastAccessTime.dwHighDateTime=0xa607d0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x108aab0, nFileSizeHigh=0x1096ad0, nFileSizeLow=0xb0, dwReserved0=0xa60000, dwReserved1=0xa601d0, cFileName="\n", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0070.766] GetLastError () returned 0x2 [0070.766] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x210) returned 0x0 [0070.766] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0070.766] RegCloseKey (hKey=0x210) returned 0x0 [0070.767] Sleep (dwMilliseconds=0xa) [0070.977] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0070.977] GetLastError () returned 0x2 [0070.977] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x238) returned 0x0 [0070.978] RegQueryValueExA (in: hKey=0x238, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0070.978] RegCloseKey (hKey=0x238) returned 0x0 [0070.978] Sleep (dwMilliseconds=0xa) [0073.635] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0073.638] GetLastError () returned 0x2 [0073.638] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x23c) returned 0x0 [0073.638] RegQueryValueExA (in: hKey=0x23c, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0073.638] RegCloseKey (hKey=0x23c) returned 0x0 [0073.638] Sleep (dwMilliseconds=0xa) [0074.593] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0074.594] GetLastError () returned 0x2 [0074.594] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x24c) returned 0x0 [0074.594] RegQueryValueExA (in: hKey=0x24c, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0074.594] RegCloseKey (hKey=0x24c) returned 0x0 [0074.594] Sleep (dwMilliseconds=0xa) [0074.689] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0074.690] GetLastError () returned 0x2 [0074.690] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x244) returned 0x0 [0074.690] RegQueryValueExA (in: hKey=0x244, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0074.690] RegCloseKey (hKey=0x244) returned 0x0 [0074.690] Sleep (dwMilliseconds=0xa) [0074.734] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0075.400] GetLastError () returned 0x2 [0075.400] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x288) returned 0x0 [0075.400] RegQueryValueExA (in: hKey=0x288, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0075.400] RegCloseKey (hKey=0x288) returned 0x0 [0075.400] Sleep (dwMilliseconds=0xa) [0075.525] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0075.525] GetLastError () returned 0x2 [0075.525] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x2e8) returned 0x0 [0075.525] RegQueryValueExA (in: hKey=0x2e8, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0075.525] RegCloseKey (hKey=0x2e8) returned 0x0 [0075.525] Sleep (dwMilliseconds=0xa) [0075.617] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0075.618] GetLastError () returned 0x2 [0075.618] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x324) returned 0x0 [0075.618] RegQueryValueExA (in: hKey=0x324, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0075.618] RegCloseKey (hKey=0x324) returned 0x0 [0075.618] Sleep (dwMilliseconds=0xa) [0075.643] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0075.643] GetLastError () returned 0x2 [0075.643] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x318) returned 0x0 [0075.643] RegQueryValueExA (in: hKey=0x318, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0075.643] RegCloseKey (hKey=0x318) returned 0x0 [0075.643] Sleep (dwMilliseconds=0xa) [0075.682] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0075.682] GetLastError () returned 0x2 [0075.682] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x318) returned 0x0 [0075.682] RegQueryValueExA (in: hKey=0x318, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0075.683] RegCloseKey (hKey=0x318) returned 0x0 [0075.683] Sleep (dwMilliseconds=0xa) [0075.730] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0075.731] GetLastError () returned 0x2 [0075.731] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x318) returned 0x0 [0075.731] RegQueryValueExA (in: hKey=0x318, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0075.731] RegCloseKey (hKey=0x318) returned 0x0 [0075.731] Sleep (dwMilliseconds=0xa) [0075.749] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0075.749] GetLastError () returned 0x2 [0075.749] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x318) returned 0x0 [0075.750] RegQueryValueExA (in: hKey=0x318, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0075.750] RegCloseKey (hKey=0x318) returned 0x0 [0075.750] Sleep (dwMilliseconds=0xa) [0075.872] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0075.873] GetLastError () returned 0x2 [0075.873] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x370) returned 0x0 [0075.873] RegQueryValueExA (in: hKey=0x370, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0075.873] RegCloseKey (hKey=0x370) returned 0x0 [0075.873] Sleep (dwMilliseconds=0xa) [0075.908] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0075.909] GetLastError () returned 0x2 [0075.909] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x380) returned 0x0 [0075.909] RegQueryValueExA (in: hKey=0x380, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0075.909] RegCloseKey (hKey=0x380) returned 0x0 [0075.909] Sleep (dwMilliseconds=0xa) [0075.966] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0075.967] GetLastError () returned 0x2 [0076.307] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x380) returned 0x0 [0076.307] RegQueryValueExA (in: hKey=0x380, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0076.307] RegCloseKey (hKey=0x380) returned 0x0 [0076.307] Sleep (dwMilliseconds=0xa) [0076.347] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0076.348] GetLastError () returned 0x2 [0076.348] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x388) returned 0x0 [0076.348] RegQueryValueExA (in: hKey=0x388, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0076.348] RegCloseKey (hKey=0x388) returned 0x0 [0076.348] Sleep (dwMilliseconds=0xa) [0076.375] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0076.375] GetLastError () returned 0x2 [0076.375] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x398) returned 0x0 [0076.375] RegQueryValueExA (in: hKey=0x398, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0076.376] RegCloseKey (hKey=0x398) returned 0x0 [0076.376] Sleep (dwMilliseconds=0xa) [0076.409] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0076.410] GetLastError () returned 0x2 [0076.410] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x3d8) returned 0x0 [0076.410] RegQueryValueExA (in: hKey=0x3d8, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0076.410] RegCloseKey (hKey=0x3d8) returned 0x0 [0076.410] Sleep (dwMilliseconds=0xa) [0076.437] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0076.437] GetLastError () returned 0x2 [0076.437] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x3dc) returned 0x0 [0076.437] RegQueryValueExA (in: hKey=0x3dc, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0076.437] RegCloseKey (hKey=0x3dc) returned 0x0 [0076.437] Sleep (dwMilliseconds=0xa) [0076.504] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0076.504] GetLastError () returned 0x2 [0076.505] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x3dc) returned 0x0 [0076.505] RegQueryValueExA (in: hKey=0x3dc, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0076.505] RegCloseKey (hKey=0x3dc) returned 0x0 [0076.505] Sleep (dwMilliseconds=0xa) [0076.536] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0076.536] GetLastError () returned 0x2 [0076.537] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x3e0) returned 0x0 [0076.537] RegQueryValueExA (in: hKey=0x3e0, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0076.537] RegCloseKey (hKey=0x3e0) returned 0x0 [0076.537] Sleep (dwMilliseconds=0xa) [0076.557] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0076.558] GetLastError () returned 0x2 [0076.558] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x3e0) returned 0x0 [0076.558] RegQueryValueExA (in: hKey=0x3e0, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0076.558] RegCloseKey (hKey=0x3e0) returned 0x0 [0076.558] Sleep (dwMilliseconds=0xa) [0076.574] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0076.574] GetLastError () returned 0x2 [0076.574] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x3e0) returned 0x0 [0076.574] RegQueryValueExA (in: hKey=0x3e0, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0076.574] RegCloseKey (hKey=0x3e0) returned 0x0 [0076.574] Sleep (dwMilliseconds=0xa) [0076.630] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0076.630] GetLastError () returned 0x2 [0076.630] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x3e0) returned 0x0 [0076.701] RegQueryValueExA (in: hKey=0x3e0, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0076.707] RegCloseKey (hKey=0x3e0) returned 0x0 [0076.707] Sleep (dwMilliseconds=0xa) [0076.787] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0076.787] GetLastError () returned 0x2 [0076.787] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x3d8) returned 0x0 [0076.788] RegQueryValueExA (in: hKey=0x3d8, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0076.788] RegCloseKey (hKey=0x3d8) returned 0x0 [0076.788] Sleep (dwMilliseconds=0xa) [0076.814] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0076.815] GetLastError () returned 0x2 [0076.815] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x3d8) returned 0x0 [0076.815] RegQueryValueExA (in: hKey=0x3d8, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0076.815] RegCloseKey (hKey=0x3d8) returned 0x0 [0076.815] Sleep (dwMilliseconds=0xa) [0080.125] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0080.126] GetLastError () returned 0x2 [0080.126] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x3d8) returned 0x0 [0080.126] RegQueryValueExA (in: hKey=0x3d8, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0080.127] RegCloseKey (hKey=0x3d8) returned 0x0 [0080.127] Sleep (dwMilliseconds=0xa) [0080.180] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0080.180] GetLastError () returned 0x2 [0080.180] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x3d8) returned 0x0 [0080.180] RegQueryValueExA (in: hKey=0x3d8, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0080.180] RegCloseKey (hKey=0x3d8) returned 0x0 [0080.180] Sleep (dwMilliseconds=0xa) [0080.199] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0080.199] GetLastError () returned 0x2 [0080.200] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x3d8) returned 0x0 [0080.200] RegQueryValueExA (in: hKey=0x3d8, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0080.200] RegCloseKey (hKey=0x3d8) returned 0x0 [0080.200] Sleep (dwMilliseconds=0xa) [0080.266] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0080.266] GetLastError () returned 0x2 [0080.266] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x3e4) returned 0x0 [0080.266] RegQueryValueExA (in: hKey=0x3e4, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0080.266] RegCloseKey (hKey=0x3e4) returned 0x0 [0080.266] Sleep (dwMilliseconds=0xa) [0080.292] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0080.292] GetLastError () returned 0x2 [0080.292] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x3e4) returned 0x0 [0080.292] RegQueryValueExA (in: hKey=0x3e4, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0080.292] RegCloseKey (hKey=0x3e4) returned 0x0 [0080.293] Sleep (dwMilliseconds=0xa) [0080.309] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0080.309] GetLastError () returned 0x2 [0080.309] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x3e4) returned 0x0 [0080.310] RegQueryValueExA (in: hKey=0x3e4, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0080.310] RegCloseKey (hKey=0x3e4) returned 0x0 [0080.310] Sleep (dwMilliseconds=0xa) [0080.354] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0080.354] GetLastError () returned 0x2 [0080.355] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x3e4) returned 0x0 [0080.355] RegQueryValueExA (in: hKey=0x3e4, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0080.355] RegCloseKey (hKey=0x3e4) returned 0x0 [0080.355] Sleep (dwMilliseconds=0xa) [0080.369] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0080.370] GetLastError () returned 0x2 [0080.370] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x3e4) returned 0x0 [0080.370] RegQueryValueExA (in: hKey=0x3e4, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0080.370] RegCloseKey (hKey=0x3e4) returned 0x0 [0080.370] Sleep (dwMilliseconds=0xa) [0080.397] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0080.397] GetLastError () returned 0x2 [0080.398] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x3e4) returned 0x0 [0080.398] RegQueryValueExA (in: hKey=0x3e4, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0080.398] RegCloseKey (hKey=0x3e4) returned 0x0 [0080.398] Sleep (dwMilliseconds=0xa) [0081.500] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0081.500] GetLastError () returned 0x2 [0081.500] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x3e4) returned 0x0 [0081.500] RegQueryValueExA (in: hKey=0x3e4, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0081.500] RegCloseKey (hKey=0x3e4) returned 0x0 [0081.500] Sleep (dwMilliseconds=0xa) [0082.421] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0082.421] GetLastError () returned 0x2 [0082.422] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x3e4) returned 0x0 [0082.422] RegQueryValueExA (in: hKey=0x3e4, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0082.422] RegCloseKey (hKey=0x3e4) returned 0x0 [0082.422] Sleep (dwMilliseconds=0xa) [0082.532] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0082.532] GetLastError () returned 0x2 [0082.533] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x434) returned 0x0 [0082.537] RegQueryValueExA (in: hKey=0x434, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0082.538] RegCloseKey (hKey=0x434) returned 0x0 [0082.539] Sleep (dwMilliseconds=0xa) [0083.260] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0083.260] GetLastError () returned 0x2 [0083.260] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x438) returned 0x0 [0083.261] RegQueryValueExA (in: hKey=0x438, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0083.261] RegCloseKey (hKey=0x438) returned 0x0 [0083.261] Sleep (dwMilliseconds=0xa) [0083.368] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0083.368] GetLastError () returned 0x2 [0083.368] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x454) returned 0x0 [0083.368] RegQueryValueExA (in: hKey=0x454, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0083.368] RegCloseKey (hKey=0x454) returned 0x0 [0083.368] Sleep (dwMilliseconds=0xa) [0083.462] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0083.463] GetLastError () returned 0x2 [0083.463] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x470) returned 0x0 [0083.463] RegQueryValueExA (in: hKey=0x470, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0083.463] RegCloseKey (hKey=0x470) returned 0x0 [0083.463] Sleep (dwMilliseconds=0xa) [0083.590] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0083.591] GetLastError () returned 0x2 [0083.591] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x2b0) returned 0x0 [0083.591] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0083.591] RegCloseKey (hKey=0x2b0) returned 0x0 [0083.591] Sleep (dwMilliseconds=0xa) [0083.654] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0083.655] GetLastError () returned 0x2 [0083.655] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x2b0) returned 0x0 [0083.655] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0083.655] RegCloseKey (hKey=0x2b0) returned 0x0 [0083.655] Sleep (dwMilliseconds=0xa) [0084.395] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0084.396] GetLastError () returned 0x2 [0084.396] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x458) returned 0x0 [0084.396] RegQueryValueExA (in: hKey=0x458, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0084.396] RegCloseKey (hKey=0x458) returned 0x0 [0084.396] Sleep (dwMilliseconds=0xa) [0084.519] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0084.519] GetLastError () returned 0x2 [0084.519] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x2b0) returned 0x0 [0084.520] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0084.520] RegCloseKey (hKey=0x2b0) returned 0x0 [0084.520] Sleep (dwMilliseconds=0xa) [0084.599] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0084.600] GetLastError () returned 0x2 [0084.600] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x2b0) returned 0x0 [0084.600] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0084.600] RegCloseKey (hKey=0x2b0) returned 0x0 [0084.600] Sleep (dwMilliseconds=0xa) [0084.692] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0084.693] GetLastError () returned 0x2 [0084.693] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x2b0) returned 0x0 [0084.693] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0084.693] RegCloseKey (hKey=0x2b0) returned 0x0 [0084.693] Sleep (dwMilliseconds=0xa) [0084.732] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0084.732] GetLastError () returned 0x2 [0084.732] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x2b0) returned 0x0 [0084.732] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0084.732] RegCloseKey (hKey=0x2b0) returned 0x0 [0084.732] Sleep (dwMilliseconds=0xa) [0084.837] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0084.837] GetLastError () returned 0x2 [0084.837] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x2b0) returned 0x0 [0084.837] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0084.837] RegCloseKey (hKey=0x2b0) returned 0x0 [0084.837] Sleep (dwMilliseconds=0xa) [0084.864] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0084.864] GetLastError () returned 0x2 [0084.864] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x2b0) returned 0x0 [0084.864] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0084.864] RegCloseKey (hKey=0x2b0) returned 0x0 [0084.864] Sleep (dwMilliseconds=0xa) [0084.890] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0084.890] GetLastError () returned 0x2 [0084.891] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x2b0) returned 0x0 [0084.891] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0084.891] RegCloseKey (hKey=0x2b0) returned 0x0 [0084.891] Sleep (dwMilliseconds=0xa) [0084.906] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0084.907] GetLastError () returned 0x2 [0084.907] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x2b0) returned 0x0 [0084.907] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0084.907] RegCloseKey (hKey=0x2b0) returned 0x0 [0084.907] Sleep (dwMilliseconds=0xa) [0084.962] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0084.963] GetLastError () returned 0x2 [0084.963] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x2b0) returned 0x0 [0084.963] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0084.963] RegCloseKey (hKey=0x2b0) returned 0x0 [0084.963] Sleep (dwMilliseconds=0xa) [0084.992] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0084.992] GetLastError () returned 0x2 [0084.992] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x2b0) returned 0x0 [0084.992] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0084.992] RegCloseKey (hKey=0x2b0) returned 0x0 [0084.992] Sleep (dwMilliseconds=0xa) [0085.020] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0085.021] GetLastError () returned 0x2 [0085.021] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x2b0) returned 0x0 [0085.021] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0085.021] RegCloseKey (hKey=0x2b0) returned 0x0 [0085.021] Sleep (dwMilliseconds=0xa) [0085.049] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0085.049] GetLastError () returned 0x2 [0085.049] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x2b0) returned 0x0 [0085.049] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0085.049] RegCloseKey (hKey=0x2b0) returned 0x0 [0085.049] Sleep (dwMilliseconds=0xa) [0085.135] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0085.135] GetLastError () returned 0x2 [0085.135] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x2b0) returned 0x0 [0085.135] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0085.135] RegCloseKey (hKey=0x2b0) returned 0x0 [0085.136] Sleep (dwMilliseconds=0xa) [0085.160] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0085.160] GetLastError () returned 0x2 [0085.160] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x2b0) returned 0x0 [0085.160] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0085.160] RegCloseKey (hKey=0x2b0) returned 0x0 [0085.161] Sleep (dwMilliseconds=0xa) [0085.242] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0085.242] GetLastError () returned 0x2 [0085.242] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x2b0) returned 0x0 [0085.242] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0085.242] RegCloseKey (hKey=0x2b0) returned 0x0 [0085.242] Sleep (dwMilliseconds=0xa) [0085.274] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0085.274] GetLastError () returned 0x2 [0085.274] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x2b0) returned 0x0 [0085.274] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0085.274] RegCloseKey (hKey=0x2b0) returned 0x0 [0085.275] Sleep (dwMilliseconds=0xa) [0085.342] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0085.342] GetLastError () returned 0x2 [0085.342] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x2b0) returned 0x0 [0085.343] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0085.343] RegCloseKey (hKey=0x2b0) returned 0x0 [0085.343] Sleep (dwMilliseconds=0xa) [0085.368] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0085.369] GetLastError () returned 0x2 [0085.369] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x2b0) returned 0x0 [0085.369] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0085.369] RegCloseKey (hKey=0x2b0) returned 0x0 [0085.369] Sleep (dwMilliseconds=0xa) [0085.401] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0085.401] GetLastError () returned 0x2 [0085.402] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x2b0) returned 0x0 [0085.402] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0085.402] RegCloseKey (hKey=0x2b0) returned 0x0 [0085.402] Sleep (dwMilliseconds=0xa) [0085.436] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0085.436] GetLastError () returned 0x2 [0085.436] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x2b0) returned 0x0 [0085.437] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0085.437] RegCloseKey (hKey=0x2b0) returned 0x0 [0085.437] Sleep (dwMilliseconds=0xa) [0085.488] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0085.489] GetLastError () returned 0x2 [0085.489] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x2b0) returned 0x0 [0085.490] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0085.490] RegCloseKey (hKey=0x2b0) returned 0x0 [0085.490] Sleep (dwMilliseconds=0xa) [0085.507] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\5D4CAC51.zeppelin", lpFindFileData=0x2e5fa44 | out: lpFindFileData=0x2e5fa44*(dwFileAttributes=0x2e5fa90, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2e5fba0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2d597c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x2e5fa50, dwReserved0=0xbf0608, dwReserved1=0x2e50000, cFileName="", cAlternateFileName="ﲤ˥◐眨샘券￾￿ﲘ˥㔟眧\n")) returned 0xffffffff [0085.508] GetLastError () returned 0x2 [0085.508] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x2e5fc1c | out: phkResult=0x2e5fc1c*=0x2b0) returned 0x0 [0085.508] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x2e5fc20, lpData=0x0, lpcbData=0x2e5fc18*=0x2e5fc90 | out: lpType=0x2e5fc20*=0x0, lpData=0x0, lpcbData=0x2e5fc18*=0x0) returned 0x2 [0085.508] RegCloseKey (hKey=0x2b0) returned 0x0 [0085.508] Sleep (dwMilliseconds=0xa) Thread: id = 5 os_tid = 0xf14 Thread: id = 6 os_tid = 0xde4 Thread: id = 7 os_tid = 0xfd0 Thread: id = 8 os_tid = 0x4b4 Thread: id = 9 os_tid = 0x4ac Thread: id = 10 os_tid = 0xf10 Process: id = "2" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x49390000" os_pid = "0x538" os_integrity_level = "0x4000" os_privileges = "0x260814080" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0x24c" cmd_line = "C:\\WINDOWS\\system32\\svchost.exe -k appmodel" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EntAppSvc" [0xa], "NT SERVICE\\StateRepository" [0xe], "NT SERVICE\\tiledatamodelsvc" [0xa], "NT SERVICE\\WalletService" [0xa], "NT AUTHORITY\\Logon Session 00000000:00011899" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 11 os_tid = 0x908 Thread: id = 12 os_tid = 0x900 Thread: id = 13 os_tid = 0x8f8 Thread: id = 14 os_tid = 0x8f0 Thread: id = 15 os_tid = 0x570 Thread: id = 16 os_tid = 0x5a8 Thread: id = 17 os_tid = 0x614 Thread: id = 18 os_tid = 0x610 Thread: id = 19 os_tid = 0x604 Thread: id = 20 os_tid = 0x598 Thread: id = 21 os_tid = 0x594 Thread: id = 22 os_tid = 0x590 Thread: id = 23 os_tid = 0x53c Process: id = "3" image_name = "csrss.exe" filename = "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe" page_root = "0x1938d000" os_pid = "0xda8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xaac" cmd_line = "\"C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 24 os_tid = 0xeb4 [0084.536] GetModuleHandleA (lpModuleName=0x0) returned 0x12b0000 [0084.537] GetKeyboardType (nTypeFlag=0) returned 4 [0084.702] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start" [0084.702] GetStartupInfoA (in: lpStartupInfo=0xcff7ec | out: lpStartupInfo=0xcff7ec*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0084.703] GetACP () returned 0x4e4 [0084.703] GetCurrentThreadId () returned 0xeb4 [0084.703] GetModuleFileNameA (in: hModule=0x12b0000, lpFilename=0xcfe6dc, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0084.703] GetModuleFileNameA (in: hModule=0x0, lpFilename=0xcfe5b7, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0084.703] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0xcfe6cc | out: phkResult=0xcfe6cc*=0x0) returned 0x2 [0084.703] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0xcfe6cc | out: phkResult=0xcfe6cc*=0x0) returned 0x2 [0084.703] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0xcfe6cc | out: phkResult=0xcfe6cc*=0x0) returned 0x2 [0084.703] lstrcpynA (in: lpString1=0xcfe5b7, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", iMaxLength=261 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" [0084.703] GetThreadLocale () returned 0x409 [0084.703] GetLocaleInfoA (in: Locale=0x409, LCType=0x3, lpLCData=0xcfe6c7, cchData=5 | out: lpLCData="ENU") returned 4 [0084.704] lstrlenA (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe") returned 59 [0084.704] lstrcpynA (in: lpString1=0xcfe5ef, lpString2="ENU", iMaxLength=205 | out: lpString1="ENU") returned="ENU" [0084.704] LoadLibraryExA (lpLibFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.ENU", hFile=0x0, dwFlags=0x2) returned 0x0 [0084.705] lstrcpynA (in: lpString1=0xcfe5ef, lpString2="EN", iMaxLength=205 | out: lpString1="EN") returned="EN" [0084.705] LoadLibraryExA (lpLibFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.EN", hFile=0x0, dwFlags=0x2) returned 0x0 [0084.705] LoadStringA (in: hInstance=0x12b0000, uID=0xffdf, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.705] LoadStringA (in: hInstance=0x12b0000, uID=0xffde, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.705] LoadStringA (in: hInstance=0x12b0000, uID=0xffdc, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.705] LoadStringA (in: hInstance=0x12b0000, uID=0xffdd, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.705] LoadStringA (in: hInstance=0x12b0000, uID=0xffd0, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.705] LoadStringA (in: hInstance=0x12b0000, uID=0xffd8, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.705] LoadStringA (in: hInstance=0x12b0000, uID=0xffef, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.705] LoadStringA (in: hInstance=0x12b0000, uID=0xffec, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.705] LoadStringA (in: hInstance=0x12b0000, uID=0xffd3, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.705] LoadStringA (in: hInstance=0x12b0000, uID=0xffd2, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.705] LoadStringA (in: hInstance=0x12b0000, uID=0xffe5, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.705] LoadStringA (in: hInstance=0x12b0000, uID=0xffe6, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.705] LoadStringA (in: hInstance=0x12b0000, uID=0xffe7, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.705] LoadStringA (in: hInstance=0x12b0000, uID=0xffe4, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.705] LoadStringA (in: hInstance=0x12b0000, uID=0xffe2, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.705] LoadStringA (in: hInstance=0x12b0000, uID=0xffe0, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.705] LoadStringA (in: hInstance=0x12b0000, uID=0xffff, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.705] LoadStringA (in: hInstance=0x12b0000, uID=0xfffe, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.706] LoadStringA (in: hInstance=0x12b0000, uID=0xfffd, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.706] LoadStringA (in: hInstance=0x12b0000, uID=0xfffc, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.706] LoadStringA (in: hInstance=0x12b0000, uID=0xfffb, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.706] LoadStringA (in: hInstance=0x12b0000, uID=0xfffa, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.706] LoadStringA (in: hInstance=0x12b0000, uID=0xfff9, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.706] LoadStringA (in: hInstance=0x12b0000, uID=0xfff8, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.706] LoadStringA (in: hInstance=0x12b0000, uID=0xfff7, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.706] LoadStringA (in: hInstance=0x12b0000, uID=0xfff6, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.706] LoadStringA (in: hInstance=0x12b0000, uID=0xfff5, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.706] LoadStringA (in: hInstance=0x12b0000, uID=0xfff4, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.706] LoadStringA (in: hInstance=0x12b0000, uID=0xfff3, lpBuffer=0xcfe80c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.706] VirtualAlloc (lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x2d10000 [0084.707] LoadStringA (in: hInstance=0x12b0000, uID=0xfff1, lpBuffer=0xcfe7f8, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.707] LoadStringA (in: hInstance=0x12b0000, uID=0xffe1, lpBuffer=0xcfe7f8, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0084.707] GetVersionExA (in: lpVersionInformation=0xcff790*(dwOSVersionInfoSize=0x94, dwMajorVersion=0xffffffff, dwMinorVersion=0xcff7b4, dwBuildNumber=0x0, dwPlatformId=0xcff7b0, szCSDVersion="") | out: lpVersionInformation=0xcff790*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0084.707] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0084.707] GetProcAddress (hModule=0x74030000, lpProcName="GetDiskFreeSpaceExA") returned 0x7409ee90 [0084.707] GetThreadLocale () returned 0x409 [0084.707] GetSystemMetrics (nIndex=42) returned 0 [0084.739] GetThreadLocale () returned 0x409 [0084.739] GetLocaleInfoA (in: Locale=0x409, LCType=0x44, lpLCData=0xcff668, cchData=256 | out: lpLCData="Jan") returned 4 [0084.739] GetLocaleInfoA (in: Locale=0x409, LCType=0x38, lpLCData=0xcff668, cchData=256 | out: lpLCData="January") returned 8 [0084.739] GetLocaleInfoA (in: Locale=0x409, LCType=0x45, lpLCData=0xcff668, cchData=256 | out: lpLCData="Feb") returned 4 [0084.739] GetLocaleInfoA (in: Locale=0x409, LCType=0x39, lpLCData=0xcff668, cchData=256 | out: lpLCData="February") returned 9 [0084.739] GetLocaleInfoA (in: Locale=0x409, LCType=0x46, lpLCData=0xcff668, cchData=256 | out: lpLCData="Mar") returned 4 [0084.739] GetLocaleInfoA (in: Locale=0x409, LCType=0x3a, lpLCData=0xcff668, cchData=256 | out: lpLCData="March") returned 6 [0084.739] GetLocaleInfoA (in: Locale=0x409, LCType=0x47, lpLCData=0xcff668, cchData=256 | out: lpLCData="Apr") returned 4 [0084.740] GetLocaleInfoA (in: Locale=0x409, LCType=0x3b, lpLCData=0xcff668, cchData=256 | out: lpLCData="April") returned 6 [0084.740] GetLocaleInfoA (in: Locale=0x409, LCType=0x48, lpLCData=0xcff668, cchData=256 | out: lpLCData="May") returned 4 [0084.740] GetLocaleInfoA (in: Locale=0x409, LCType=0x3c, lpLCData=0xcff668, cchData=256 | out: lpLCData="May") returned 4 [0084.740] GetLocaleInfoA (in: Locale=0x409, LCType=0x49, lpLCData=0xcff668, cchData=256 | out: lpLCData="Jun") returned 4 [0084.740] GetLocaleInfoA (in: Locale=0x409, LCType=0x3d, lpLCData=0xcff668, cchData=256 | out: lpLCData="June") returned 5 [0084.740] GetLocaleInfoA (in: Locale=0x409, LCType=0x4a, lpLCData=0xcff668, cchData=256 | out: lpLCData="Jul") returned 4 [0084.740] GetLocaleInfoA (in: Locale=0x409, LCType=0x3e, lpLCData=0xcff668, cchData=256 | out: lpLCData="July") returned 5 [0084.740] GetLocaleInfoA (in: Locale=0x409, LCType=0x4b, lpLCData=0xcff668, cchData=256 | out: lpLCData="Aug") returned 4 [0084.740] GetLocaleInfoA (in: Locale=0x409, LCType=0x3f, lpLCData=0xcff668, cchData=256 | out: lpLCData="August") returned 7 [0084.740] GetLocaleInfoA (in: Locale=0x409, LCType=0x4c, lpLCData=0xcff668, cchData=256 | out: lpLCData="Sep") returned 4 [0084.740] GetLocaleInfoA (in: Locale=0x409, LCType=0x40, lpLCData=0xcff668, cchData=256 | out: lpLCData="September") returned 10 [0084.740] GetLocaleInfoA (in: Locale=0x409, LCType=0x4d, lpLCData=0xcff668, cchData=256 | out: lpLCData="Oct") returned 4 [0084.740] GetLocaleInfoA (in: Locale=0x409, LCType=0x41, lpLCData=0xcff668, cchData=256 | out: lpLCData="October") returned 8 [0084.740] GetLocaleInfoA (in: Locale=0x409, LCType=0x4e, lpLCData=0xcff668, cchData=256 | out: lpLCData="Nov") returned 4 [0084.740] GetLocaleInfoA (in: Locale=0x409, LCType=0x42, lpLCData=0xcff668, cchData=256 | out: lpLCData="November") returned 9 [0084.740] GetLocaleInfoA (in: Locale=0x409, LCType=0x4f, lpLCData=0xcff668, cchData=256 | out: lpLCData="Dec") returned 4 [0084.740] GetLocaleInfoA (in: Locale=0x409, LCType=0x43, lpLCData=0xcff668, cchData=256 | out: lpLCData="December") returned 9 [0084.740] GetLocaleInfoA (in: Locale=0x409, LCType=0x37, lpLCData=0xcff668, cchData=256 | out: lpLCData="Sun") returned 4 [0084.740] GetLocaleInfoA (in: Locale=0x409, LCType=0x30, lpLCData=0xcff668, cchData=256 | out: lpLCData="Sunday") returned 7 [0084.740] GetLocaleInfoA (in: Locale=0x409, LCType=0x31, lpLCData=0xcff668, cchData=256 | out: lpLCData="Mon") returned 4 [0084.740] GetLocaleInfoA (in: Locale=0x409, LCType=0x2a, lpLCData=0xcff668, cchData=256 | out: lpLCData="Monday") returned 7 [0084.740] GetLocaleInfoA (in: Locale=0x409, LCType=0x32, lpLCData=0xcff668, cchData=256 | out: lpLCData="Tue") returned 4 [0084.740] GetLocaleInfoA (in: Locale=0x409, LCType=0x2b, lpLCData=0xcff668, cchData=256 | out: lpLCData="Tuesday") returned 8 [0084.740] GetLocaleInfoA (in: Locale=0x409, LCType=0x33, lpLCData=0xcff668, cchData=256 | out: lpLCData="Wed") returned 4 [0084.740] GetLocaleInfoA (in: Locale=0x409, LCType=0x2c, lpLCData=0xcff668, cchData=256 | out: lpLCData="Wednesday") returned 10 [0084.740] GetLocaleInfoA (in: Locale=0x409, LCType=0x34, lpLCData=0xcff668, cchData=256 | out: lpLCData="Thu") returned 4 [0084.740] GetLocaleInfoA (in: Locale=0x409, LCType=0x2d, lpLCData=0xcff668, cchData=256 | out: lpLCData="Thursday") returned 9 [0084.741] GetLocaleInfoA (in: Locale=0x409, LCType=0x35, lpLCData=0xcff668, cchData=256 | out: lpLCData="Fri") returned 4 [0084.741] GetLocaleInfoA (in: Locale=0x409, LCType=0x2e, lpLCData=0xcff668, cchData=256 | out: lpLCData="Friday") returned 7 [0084.741] GetLocaleInfoA (in: Locale=0x409, LCType=0x36, lpLCData=0xcff668, cchData=256 | out: lpLCData="Sat") returned 4 [0084.741] GetLocaleInfoA (in: Locale=0x409, LCType=0x2f, lpLCData=0xcff668, cchData=256 | out: lpLCData="Saturday") returned 9 [0084.741] GetThreadLocale () returned 0x409 [0084.741] GetLocaleInfoA (in: Locale=0x409, LCType=0x14, lpLCData=0xcff6c4, cchData=256 | out: lpLCData="$") returned 2 [0084.741] GetLocaleInfoA (in: Locale=0x409, LCType=0x1b, lpLCData=0xcff6c4, cchData=256 | out: lpLCData="0") returned 2 [0084.741] GetLocaleInfoA (in: Locale=0x409, LCType=0x1c, lpLCData=0xcff6c4, cchData=256 | out: lpLCData="0") returned 2 [0084.741] GetLocaleInfoA (in: Locale=0x409, LCType=0xf, lpLCData=0xcff7bc, cchData=2 | out: lpLCData=",") returned 2 [0084.741] GetLocaleInfoA (in: Locale=0x409, LCType=0xe, lpLCData=0xcff7bc, cchData=2 | out: lpLCData=".") returned 2 [0084.741] GetLocaleInfoA (in: Locale=0x409, LCType=0x19, lpLCData=0xcff6c4, cchData=256 | out: lpLCData="2") returned 2 [0084.741] GetLocaleInfoA (in: Locale=0x409, LCType=0x1d, lpLCData=0xcff7bc, cchData=2 | out: lpLCData="/") returned 2 [0084.741] GetLocaleInfoA (in: Locale=0x409, LCType=0x1f, lpLCData=0xcff6c4, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0084.741] GetThreadLocale () returned 0x409 [0084.741] GetLocaleInfoA (in: Locale=0x409, LCType=0x1009, lpLCData=0xcff690, cchData=256 | out: lpLCData="1") returned 2 [0084.741] GetLocaleInfoA (in: Locale=0x409, LCType=0x20, lpLCData=0xcff6c4, cchData=256 | out: lpLCData="dddd, MMMM d, yyyy") returned 19 [0084.741] GetThreadLocale () returned 0x409 [0084.741] GetLocaleInfoA (in: Locale=0x409, LCType=0x1009, lpLCData=0xcff690, cchData=256 | out: lpLCData="1") returned 2 [0084.741] GetLocaleInfoA (in: Locale=0x409, LCType=0x1e, lpLCData=0xcff7bc, cchData=2 | out: lpLCData=":") returned 2 [0084.741] GetLocaleInfoA (in: Locale=0x409, LCType=0x28, lpLCData=0xcff6c4, cchData=256 | out: lpLCData="AM") returned 3 [0084.741] GetLocaleInfoA (in: Locale=0x409, LCType=0x29, lpLCData=0xcff6c4, cchData=256 | out: lpLCData="PM") returned 3 [0084.741] GetLocaleInfoA (in: Locale=0x409, LCType=0x25, lpLCData=0xcff6c4, cchData=256 | out: lpLCData="0") returned 2 [0084.742] GetLocaleInfoA (in: Locale=0x409, LCType=0x23, lpLCData=0xcff6c4, cchData=256 | out: lpLCData="0") returned 2 [0084.742] GetLocaleInfoA (in: Locale=0x409, LCType=0x1005, lpLCData=0xcff6c4, cchData=256 | out: lpLCData="0") returned 2 [0084.742] GetLocaleInfoA (in: Locale=0x409, LCType=0xc, lpLCData=0xcff7bc, cchData=2 | out: lpLCData=",") returned 2 [0084.742] GetModuleHandleA (lpModuleName="oleaut32.dll") returned 0x73e80000 [0084.742] GetProcAddress (hModule=0x73e80000, lpProcName="VariantChangeTypeEx") returned 0x73e9a610 [0084.742] GetProcAddress (hModule=0x73e80000, lpProcName="VarNeg") returned 0x73ee52c0 [0084.742] GetProcAddress (hModule=0x73e80000, lpProcName="VarNot") returned 0x73ee6560 [0084.743] GetProcAddress (hModule=0x73e80000, lpProcName="VarAdd") returned 0x73ebd610 [0084.743] GetProcAddress (hModule=0x73e80000, lpProcName="VarSub") returned 0x73ebe3e0 [0084.743] GetProcAddress (hModule=0x73e80000, lpProcName="VarMul") returned 0x73ebdb10 [0084.743] GetProcAddress (hModule=0x73e80000, lpProcName="VarDiv") returned 0x73ee5800 [0084.743] GetProcAddress (hModule=0x73e80000, lpProcName="VarIdiv") returned 0x73ee61a0 [0084.743] GetProcAddress (hModule=0x73e80000, lpProcName="VarMod") returned 0x73ee6400 [0084.743] GetProcAddress (hModule=0x73e80000, lpProcName="VarAnd") returned 0x73eb3200 [0084.743] GetProcAddress (hModule=0x73e80000, lpProcName="VarOr") returned 0x73ee6610 [0084.744] GetProcAddress (hModule=0x73e80000, lpProcName="VarXor") returned 0x73ee67b0 [0084.744] GetProcAddress (hModule=0x73e80000, lpProcName="VarCmp") returned 0x73ea60b0 [0084.744] GetProcAddress (hModule=0x73e80000, lpProcName="VarI4FromStr") returned 0x73ea6ec0 [0084.744] GetProcAddress (hModule=0x73e80000, lpProcName="VarR4FromStr") returned 0x73eb3010 [0084.744] GetProcAddress (hModule=0x73e80000, lpProcName="VarR8FromStr") returned 0x73eb3630 [0084.744] GetProcAddress (hModule=0x73e80000, lpProcName="VarDateFromStr") returned 0x73ea8b90 [0084.744] GetProcAddress (hModule=0x73e80000, lpProcName="VarCyFromStr") returned 0x73e92d90 [0084.744] GetProcAddress (hModule=0x73e80000, lpProcName="VarBoolFromStr") returned 0x73ea48f0 [0084.745] GetProcAddress (hModule=0x73e80000, lpProcName="VarBstrFromCy") returned 0x73ea7f50 [0084.745] GetProcAddress (hModule=0x73e80000, lpProcName="VarBstrFromDate") returned 0x73ea89c0 [0084.745] GetProcAddress (hModule=0x73e80000, lpProcName="VarBstrFromBool") returned 0x73ea48a0 [0084.745] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="") returned 0x1f0 [0084.745] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x1f4 [0084.745] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x1f8 [0084.746] QueryPerformanceCounter (in: lpPerformanceCount=0xcff818 | out: lpPerformanceCount=0xcff818*=24223757639) returned 1 [0084.747] GetTickCount () returned 0x1165a9b [0084.747] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start" [0084.758] GetCommandLineW () returned="\"C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start" [0084.761] GetFileAttributesW (lpFileName="-start" (normalized: "c:\\users\\fd1hvy\\desktop\\-start")) returned 0xffffffff [0084.762] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start" [0084.820] GetCommandLineW () returned="\"C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start" [0084.823] FindFirstFileW (in: lpFileName="-start", lpFindFileData=0xcff538 | out: lpFindFileData=0xcff538*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xefa2dffe, ftCreationTime.dwHighDateTime=0xcff864, ftLastAccessTime.dwLowDateTime=0x10025d8, ftLastAccessTime.dwHighDateTime=0x10025d8, ftLastWriteTime.dwLowDateTime=0x5, ftLastWriteTime.dwHighDateTime=0x9000, nFileSizeHigh=0x10132cc, nFileSizeLow=0x12bfa5e, dwReserved0=0x10025da, dwReserved1=0xcff858, cFileName="◐ĀÏ◎Ā", cAlternateFileName="\x01")) returned 0xffffffff [0084.823] GetLastError () returned 0x2 [0084.823] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start" [0084.824] GetUserDefaultLangID () returned 0x409 [0084.824] GetLocaleInfoA (in: Locale=0x800, LCType=0x5, lpLCData=0xcff774, cchData=19 | out: lpLCData="1") returned 2 [0084.824] GetModuleFileNameA (in: hModule=0x0, lpFilename=0xcff620, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0084.824] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2dccce8, cbMultiByte=17, lpWideCharStr=0xcfe724, cchWideChar=2047 | out: lpWideCharStr="1A2A6461.zeppelin") returned 17 [0084.824] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2e49780, cbMultiByte=4, lpWideCharStr=0xcfe4d8, cchWideChar=2047 | out: lpWideCharStr="TEMP\x0f쀀\x01") returned 4 [0084.824] GetEnvironmentVariableW (in: lpName="TEMP", lpBuffer=0xcff4fe, nSize=0x20a | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp") returned 0x22 [0084.824] SysReAllocStringLen (in: pbstr=0xcff748*=0x0, psz="C:\\Users\\FD1HVy\\AppData\\Local\\Temp", len=0x22 | out: pbstr=0xcff748*="C:\\Users\\FD1HVy\\AppData\\Local\\Temp") returned 1 [0084.824] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\1a2a6461.zeppelin"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0084.825] WriteFile (in: hFile=0x1fc, lpBuffer=0x2e41b38*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0xcff74c, lpOverlapped=0x0 | out: lpBuffer=0x2e41b38*, lpNumberOfBytesWritten=0xcff74c*=0x1, lpOverlapped=0x0) returned 1 [0084.838] CloseHandle (hObject=0x1fc) returned 1 [0084.839] Sleep (dwMilliseconds=0x29a) [0085.526] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0xcff504 | out: lpFindFileData=0xcff504*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5ad0e70, ftCreationTime.dwHighDateTime=0x1d5cfcc, ftLastAccessTime.dwLowDateTime=0xa5ad0e70, ftLastAccessTime.dwHighDateTime=0x1d5cfcc, ftLastWriteTime.dwLowDateTime=0xa5b03309, ftLastWriteTime.dwHighDateTime=0x1d5cfcc, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x0, dwReserved1=0x0, cFileName="1A2A6461.zeppelin", cAlternateFileName="1A2A64~1.ZEP")) returned 0x101c1f8 [0085.527] FileTimeToLocalFileTime (in: lpFileTime=0xcff518, lpLocalFileTime=0xcff4b0 | out: lpLocalFileTime=0xcff4b0) returned 1 [0085.527] FileTimeToDosDateTime (in: lpFileTime=0xcff4b0, lpFatDate=0xcff4e6, lpFatTime=0xcff4e4 | out: lpFatDate=0xcff4e6, lpFatTime=0xcff4e4) returned 1 [0085.527] FindClose (in: hFindFile=0x101c1f8 | out: hFindFile=0x101c1f8) returned 1 [0085.527] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\1a2a6461.zeppelin")) returned 1 [0085.528] GetModuleFileNameA (in: hModule=0x0, lpFilename=0xcff624, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0085.528] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2dccce8, cbMultiByte=17, lpWideCharStr=0xcfe728, cchWideChar=2047 | out: lpWideCharStr="1A2A6461.zeppelin") returned 17 [0085.528] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2e49750, cbMultiByte=4, lpWideCharStr=0xcfe4dc, cchWideChar=2047 | out: lpWideCharStr="TEMP\x01") returned 4 [0085.528] GetEnvironmentVariableW (in: lpName="TEMP", lpBuffer=0xcff502, nSize=0x20a | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp") returned 0x22 [0085.528] SysReAllocStringLen (in: pbstr=0xcff74c*=0x0, psz="C:\\Users\\FD1HVy\\AppData\\Local\\Temp", len=0x22 | out: pbstr=0xcff74c*="C:\\Users\\FD1HVy\\AppData\\Local\\Temp") returned 1 [0085.529] SysReAllocStringLen (in: pbstr=0x2e2c0a8*=0x0, psz="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", len=0x34 | out: pbstr=0x2e2c0a8*="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin") returned 1 [0085.529] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x12b4694, lpParameter=0x2e41b30, dwCreationFlags=0x4, lpThreadId=0x2e2c070 | out: lpThreadId=0x2e2c070*=0x1008) returned 0x1fc [0085.529] ResumeThread (hThread=0x1fc) returned 0x1 [0085.529] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start" [0085.529] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start" [0085.530] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="agntsvc.exe", cchCount1=11, lpString2="agntsvc.exeagntsvc.exe", cchCount2=22) returned 1 [0085.531] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="agntsvc.exe", cchCount1=11, lpString2="agntsvc.exeencsvc.exe", cchCount2=21) returned 1 [0085.531] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="agntsvc.exeagntsvc.exe", cchCount1=22, lpString2="agntsvc.exeencsvc.exe", cchCount2=21) returned 1 [0085.531] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="agntsvc.exeagntsvc.exe", cchCount1=22, lpString2="agntsvc.exeisqlplussvc.exe", cchCount2=26) returned 1 [0085.531] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="agntsvc.exeencsvc.exe", cchCount1=21, lpString2="agntsvc.exeisqlplussvc.exe", cchCount2=26) returned 1 [0085.531] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="agntsvc.exeagntsvc.exe", cchCount1=22, lpString2="anvir.exe", cchCount2=9) returned 1 [0085.531] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="agntsvc.exeencsvc.exe", cchCount1=21, lpString2="anvir.exe", cchCount2=9) returned 1 [0085.531] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="agntsvc.exeisqlplussvc.exe", cchCount1=26, lpString2="anvir.exe", cchCount2=9) returned 1 [0085.531] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="agntsvc.exeencsvc.exe", cchCount1=21, lpString2="anvir64.exe", cchCount2=11) returned 1 [0085.531] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="agntsvc.exeisqlplussvc.exe", cchCount1=26, lpString2="anvir64.exe", cchCount2=11) returned 1 [0085.531] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="anvir.exe", cchCount1=9, lpString2="anvir64.exe", cchCount2=11) returned 1 [0085.531] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="agntsvc.exeencsvc.exe", cchCount1=21, lpString2="apache.exe", cchCount2=10) returned 1 [0085.531] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="anvir.exe", cchCount1=9, lpString2="apache.exe", cchCount2=10) returned 1 [0085.532] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="anvir64.exe", cchCount1=11, lpString2="apache.exe", cchCount2=10) returned 1 [0085.532] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="agntsvc.exeisqlplussvc.exe", cchCount1=26, lpString2="backup.exe", cchCount2=10) returned 1 [0085.532] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="anvir64.exe", cchCount1=11, lpString2="backup.exe", cchCount2=10) returned 1 [0085.532] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="apache.exe", cchCount1=10, lpString2="backup.exe", cchCount2=10) returned 1 [0085.532] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="agntsvc.exeisqlplussvc.exe", cchCount1=26, lpString2="ccleaner.exe", cchCount2=12) returned 1 [0085.532] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="anvir64.exe", cchCount1=11, lpString2="ccleaner.exe", cchCount2=12) returned 1 [0085.532] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="apache.exe", cchCount1=10, lpString2="ccleaner.exe", cchCount2=12) returned 1 [0085.532] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="backup.exe", cchCount1=10, lpString2="ccleaner.exe", cchCount2=12) returned 1 [0085.532] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="anvir.exe", cchCount1=9, lpString2="ccleaner64.exe", cchCount2=14) returned 1 [0085.532] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="apache.exe", cchCount1=10, lpString2="ccleaner64.exe", cchCount2=14) returned 1 [0085.532] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="backup.exe", cchCount1=10, lpString2="ccleaner64.exe", cchCount2=14) returned 1 [0085.532] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ccleaner.exe", cchCount1=12, lpString2="ccleaner64.exe", cchCount2=14) returned 1 [0085.532] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="anvir.exe", cchCount1=9, lpString2="dbeng50.exe", cchCount2=11) returned 1 [0085.532] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="backup.exe", cchCount1=10, lpString2="dbeng50.exe", cchCount2=11) returned 1 [0085.532] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ccleaner.exe", cchCount1=12, lpString2="dbeng50.exe", cchCount2=11) returned 1 [0085.532] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ccleaner64.exe", cchCount1=14, lpString2="dbeng50.exe", cchCount2=11) returned 1 [0085.532] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="anvir64.exe", cchCount1=11, lpString2="dbsnmp.exe", cchCount2=10) returned 1 [0085.532] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ccleaner.exe", cchCount1=12, lpString2="dbsnmp.exe", cchCount2=10) returned 1 [0085.532] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ccleaner64.exe", cchCount1=14, lpString2="dbsnmp.exe", cchCount2=10) returned 1 [0085.532] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="dbeng50.exe", cchCount1=11, lpString2="dbsnmp.exe", cchCount2=10) returned 1 [0085.532] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="anvir64.exe", cchCount1=11, lpString2="encsvc.exe", cchCount2=10) returned 1 [0085.532] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ccleaner.exe", cchCount1=12, lpString2="encsvc.exe", cchCount2=10) returned 1 [0085.532] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="dbeng50.exe", cchCount1=11, lpString2="encsvc.exe", cchCount2=10) returned 1 [0085.532] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="dbsnmp.exe", cchCount1=10, lpString2="encsvc.exe", cchCount2=10) returned 1 [0085.532] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="apache.exe", cchCount1=10, lpString2="far.exe", cchCount2=7) returned 1 [0085.532] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ccleaner64.exe", cchCount1=14, lpString2="far.exe", cchCount2=7) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="dbsnmp.exe", cchCount1=10, lpString2="far.exe", cchCount2=7) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="encsvc.exe", cchCount1=10, lpString2="far.exe", cchCount2=7) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="apache.exe", cchCount1=10, lpString2="firefoxconfig.exe", cchCount2=17) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="dbeng50.exe", cchCount1=11, lpString2="firefoxconfig.exe", cchCount2=17) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="encsvc.exe", cchCount1=10, lpString2="firefoxconfig.exe", cchCount2=17) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="far.exe", cchCount1=7, lpString2="firefoxconfig.exe", cchCount2=17) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="backup.exe", cchCount1=10, lpString2="infopath.exe", cchCount2=12) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="dbsnmp.exe", cchCount1=10, lpString2="infopath.exe", cchCount2=12) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="far.exe", cchCount1=7, lpString2="infopath.exe", cchCount2=12) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="firefoxconfig.exe", cchCount1=17, lpString2="infopath.exe", cchCount2=12) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="backup.exe", cchCount1=10, lpString2="isqlplussvc.exe", cchCount2=15) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="dbsnmp.exe", cchCount1=10, lpString2="isqlplussvc.exe", cchCount2=15) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="far.exe", cchCount1=7, lpString2="isqlplussvc.exe", cchCount2=15) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="firefoxconfig.exe", cchCount1=17, lpString2="isqlplussvc.exe", cchCount2=15) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="infopath.exe", cchCount1=12, lpString2="isqlplussvc.exe", cchCount2=15) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ccleaner.exe", cchCount1=12, lpString2="kingdee.exe", cchCount2=11) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="encsvc.exe", cchCount1=10, lpString2="kingdee.exe", cchCount2=11) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="firefoxconfig.exe", cchCount1=17, lpString2="kingdee.exe", cchCount2=11) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="infopath.exe", cchCount1=12, lpString2="kingdee.exe", cchCount2=11) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="isqlplussvc.exe", cchCount1=15, lpString2="kingdee.exe", cchCount2=11) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ccleaner.exe", cchCount1=12, lpString2="msaccess.exe", cchCount2=12) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="far.exe", cchCount1=7, lpString2="msaccess.exe", cchCount2=12) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="infopath.exe", cchCount1=12, lpString2="msaccess.exe", cchCount2=12) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="isqlplussvc.exe", cchCount1=15, lpString2="msaccess.exe", cchCount2=12) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="kingdee.exe", cchCount1=11, lpString2="msaccess.exe", cchCount2=12) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ccleaner64.exe", cchCount1=14, lpString2="msftesql.exe", cchCount2=12) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="firefoxconfig.exe", cchCount1=17, lpString2="msftesql.exe", cchCount2=12) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="isqlplussvc.exe", cchCount1=15, lpString2="msftesql.exe", cchCount2=12) returned 1 [0085.533] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="kingdee.exe", cchCount1=11, lpString2="msftesql.exe", cchCount2=12) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="msaccess.exe", cchCount1=12, lpString2="msftesql.exe", cchCount2=12) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ccleaner64.exe", cchCount1=14, lpString2="mspub.exe", cchCount2=9) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="firefoxconfig.exe", cchCount1=17, lpString2="mspub.exe", cchCount2=9) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="kingdee.exe", cchCount1=11, lpString2="mspub.exe", cchCount2=9) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="msaccess.exe", cchCount1=12, lpString2="mspub.exe", cchCount2=9) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="msftesql.exe", cchCount1=12, lpString2="mspub.exe", cchCount2=9) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="dbeng50.exe", cchCount1=11, lpString2="mydesktopqos.exe", cchCount2=16) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="infopath.exe", cchCount1=12, lpString2="mydesktopqos.exe", cchCount2=16) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="msaccess.exe", cchCount1=12, lpString2="mydesktopqos.exe", cchCount2=16) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="msftesql.exe", cchCount1=12, lpString2="mydesktopqos.exe", cchCount2=16) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mspub.exe", cchCount1=9, lpString2="mydesktopqos.exe", cchCount2=16) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="dbeng50.exe", cchCount1=11, lpString2="mydesktopservice.exe", cchCount2=20) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="isqlplussvc.exe", cchCount1=15, lpString2="mydesktopservice.exe", cchCount2=20) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="msftesql.exe", cchCount1=12, lpString2="mydesktopservice.exe", cchCount2=20) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mspub.exe", cchCount1=9, lpString2="mydesktopservice.exe", cchCount2=20) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mydesktopqos.exe", cchCount1=16, lpString2="mydesktopservice.exe", cchCount2=20) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="dbsnmp.exe", cchCount1=10, lpString2="mysqld-nt.exe", cchCount2=13) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="kingdee.exe", cchCount1=11, lpString2="mysqld-nt.exe", cchCount2=13) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mspub.exe", cchCount1=9, lpString2="mysqld-nt.exe", cchCount2=13) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mydesktopqos.exe", cchCount1=16, lpString2="mysqld-nt.exe", cchCount2=13) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mydesktopservice.exe", cchCount1=20, lpString2="mysqld-nt.exe", cchCount2=13) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="dbsnmp.exe", cchCount1=10, lpString2="mysqld-opt.exe", cchCount2=14) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="kingdee.exe", cchCount1=11, lpString2="mysqld-opt.exe", cchCount2=14) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mspub.exe", cchCount1=9, lpString2="mysqld-opt.exe", cchCount2=14) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mydesktopservice.exe", cchCount1=20, lpString2="mysqld-opt.exe", cchCount2=14) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld-nt.exe", cchCount1=13, lpString2="mysqld-opt.exe", cchCount2=14) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="encsvc.exe", cchCount1=10, lpString2="mysqld.exe", cchCount2=10) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="msaccess.exe", cchCount1=12, lpString2="mysqld.exe", cchCount2=10) returned 1 [0085.534] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mydesktopqos.exe", cchCount1=16, lpString2="mysqld.exe", cchCount2=10) returned 1 [0085.535] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld-nt.exe", cchCount1=13, lpString2="mysqld.exe", cchCount2=10) returned 3 [0085.535] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mydesktopservice.exe", cchCount1=20, lpString2="mysqld.exe", cchCount2=10) returned 1 [0085.535] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="encsvc.exe", cchCount1=10, lpString2="ncsvc.exe", cchCount2=9) returned 1 [0085.535] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="msftesql.exe", cchCount1=12, lpString2="ncsvc.exe", cchCount2=9) returned 1 [0085.535] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mydesktopservice.exe", cchCount1=20, lpString2="ncsvc.exe", cchCount2=9) returned 1 [0085.535] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld-nt.exe", cchCount1=13, lpString2="ncsvc.exe", cchCount2=9) returned 1 [0085.535] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld-opt.exe", cchCount1=14, lpString2="ncsvc.exe", cchCount2=9) returned 1 [0085.535] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="far.exe", cchCount1=7, lpString2="ocautoupds.exe", cchCount2=14) returned 1 [0085.535] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mspub.exe", cchCount1=9, lpString2="ocautoupds.exe", cchCount2=14) returned 1 [0085.535] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld.exe", cchCount1=10, lpString2="ocautoupds.exe", cchCount2=14) returned 1 [0085.535] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld-opt.exe", cchCount1=14, lpString2="ocautoupds.exe", cchCount2=14) returned 1 [0085.535] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ncsvc.exe", cchCount1=9, lpString2="ocautoupds.exe", cchCount2=14) returned 1 [0085.535] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="far.exe", cchCount1=7, lpString2="ocomm.exe", cchCount2=9) returned 1 [0085.535] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mspub.exe", cchCount1=9, lpString2="ocomm.exe", cchCount2=9) returned 1 [0085.535] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld-nt.exe", cchCount1=13, lpString2="ocomm.exe", cchCount2=9) returned 1 [0085.535] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ncsvc.exe", cchCount1=9, lpString2="ocomm.exe", cchCount2=9) returned 1 [0085.535] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocautoupds.exe", cchCount1=14, lpString2="ocomm.exe", cchCount2=9) returned 1 [0085.535] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="firefoxconfig.exe", cchCount1=17, lpString2="ocssd.exe", cchCount2=9) returned 1 [0085.535] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mydesktopqos.exe", cchCount1=16, lpString2="ocssd.exe", cchCount2=9) returned 1 [0085.535] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld-opt.exe", cchCount1=14, lpString2="ocssd.exe", cchCount2=9) returned 1 [0085.535] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocautoupds.exe", cchCount1=14, lpString2="ocssd.exe", cchCount2=9) returned 1 [0085.535] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocomm.exe", cchCount1=9, lpString2="ocssd.exe", cchCount2=9) returned 1 [0085.535] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="firefoxconfig.exe", cchCount1=17, lpString2="oracle.exe", cchCount2=10) returned 1 [0085.535] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mydesktopservice.exe", cchCount1=20, lpString2="oracle.exe", cchCount2=10) returned 1 [0085.535] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ncsvc.exe", cchCount1=9, lpString2="oracle.exe", cchCount2=10) returned 1 [0085.535] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocomm.exe", cchCount1=9, lpString2="oracle.exe", cchCount2=10) returned 1 [0085.535] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocssd.exe", cchCount1=9, lpString2="oracle.exe", cchCount2=10) returned 1 [0085.535] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="infopath.exe", cchCount1=12, lpString2="oracle.exe", cchCount2=10) returned 1 [0085.536] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld.exe", cchCount1=10, lpString2="oracle.exe", cchCount2=10) returned 1 [0085.536] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocautoupds.exe", cchCount1=14, lpString2="oracle.exe", cchCount2=10) returned 1 [0085.536] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocssd.exe", cchCount1=9, lpString2="oracle.exe", cchCount2=10) returned 1 [0085.536] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="oracle.exe", cchCount1=10, lpString2="oracle.exe", cchCount2=10) returned 2 [0085.536] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="infopath.exe", cchCount1=12, lpString2="procexp.exe", cchCount2=11) returned 1 [0085.536] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld.exe", cchCount1=10, lpString2="procexp.exe", cchCount2=11) returned 1 [0085.536] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocautoupds.exe", cchCount1=14, lpString2="procexp.exe", cchCount2=11) returned 1 [0085.536] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocssd.exe", cchCount1=9, lpString2="procexp.exe", cchCount2=11) returned 1 [0085.536] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="oracle.exe", cchCount1=10, lpString2="procexp.exe", cchCount2=11) returned 1 [0085.536] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="infopath.exe", cchCount1=12, lpString2="regedit.exe", cchCount2=11) returned 1 [0085.536] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld.exe", cchCount1=10, lpString2="regedit.exe", cchCount2=11) returned 1 [0085.536] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocautoupds.exe", cchCount1=14, lpString2="regedit.exe", cchCount2=11) returned 1 [0085.536] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocssd.exe", cchCount1=9, lpString2="regedit.exe", cchCount2=11) returned 1 [0085.536] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="oracle.exe", cchCount1=10, lpString2="regedit.exe", cchCount2=11) returned 1 [0085.536] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="procexp.exe", cchCount1=11, lpString2="regedit.exe", cchCount2=11) returned 1 [0085.536] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="isqlplussvc.exe", cchCount1=15, lpString2="sqbcoreservice.exe", cchCount2=18) returned 1 [0085.536] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld-nt.exe", cchCount1=13, lpString2="sqbcoreservice.exe", cchCount2=18) returned 1 [0085.537] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocomm.exe", cchCount1=9, lpString2="sqbcoreservice.exe", cchCount2=18) returned 1 [0085.590] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="oracle.exe", cchCount1=10, lpString2="sqbcoreservice.exe", cchCount2=18) returned 1 [0085.590] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="procexp.exe", cchCount1=11, lpString2="sqbcoreservice.exe", cchCount2=18) returned 1 [0085.590] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="regedit.exe", cchCount1=11, lpString2="sqbcoreservice.exe", cchCount2=18) returned 1 [0085.590] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="isqlplussvc.exe", cchCount1=15, lpString2="sql.exe", cchCount2=7) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld-opt.exe", cchCount1=14, lpString2="sql.exe", cchCount2=7) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocssd.exe", cchCount1=9, lpString2="sql.exe", cchCount2=7) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="procexp.exe", cchCount1=11, lpString2="sql.exe", cchCount2=7) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="regedit.exe", cchCount1=11, lpString2="sql.exe", cchCount2=7) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqbcoreservice.exe", cchCount1=18, lpString2="sql.exe", cchCount2=7) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="kingdee.exe", cchCount1=11, lpString2="sqlagent.exe", cchCount2=12) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ncsvc.exe", cchCount1=9, lpString2="sqlagent.exe", cchCount2=12) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="oracle.exe", cchCount1=10, lpString2="sqlagent.exe", cchCount2=12) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="regedit.exe", cchCount1=11, lpString2="sqlagent.exe", cchCount2=12) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqbcoreservice.exe", cchCount1=18, lpString2="sqlagent.exe", cchCount2=12) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sql.exe", cchCount1=7, lpString2="sqlagent.exe", cchCount2=12) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="kingdee.exe", cchCount1=11, lpString2="sqlbrowser.exe", cchCount2=14) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ncsvc.exe", cchCount1=9, lpString2="sqlbrowser.exe", cchCount2=14) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="procexp.exe", cchCount1=11, lpString2="sqlbrowser.exe", cchCount2=14) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqbcoreservice.exe", cchCount1=18, lpString2="sqlbrowser.exe", cchCount2=14) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sql.exe", cchCount1=7, lpString2="sqlbrowser.exe", cchCount2=14) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlagent.exe", cchCount1=12, lpString2="sqlbrowser.exe", cchCount2=14) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="msaccess.exe", cchCount1=12, lpString2="sqlserver.exe", cchCount2=13) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocautoupds.exe", cchCount1=14, lpString2="sqlserver.exe", cchCount2=13) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="regedit.exe", cchCount1=11, lpString2="sqlserver.exe", cchCount2=13) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sql.exe", cchCount1=7, lpString2="sqlserver.exe", cchCount2=13) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlagent.exe", cchCount1=12, lpString2="sqlserver.exe", cchCount2=13) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlbrowser.exe", cchCount1=14, lpString2="sqlserver.exe", cchCount2=13) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="msaccess.exe", cchCount1=12, lpString2="sqlservr.exe", cchCount2=12) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocomm.exe", cchCount1=9, lpString2="sqlservr.exe", cchCount2=12) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqbcoreservice.exe", cchCount1=18, lpString2="sqlservr.exe", cchCount2=12) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlagent.exe", cchCount1=12, lpString2="sqlservr.exe", cchCount2=12) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlbrowser.exe", cchCount1=14, lpString2="sqlservr.exe", cchCount2=12) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlserver.exe", cchCount1=13, lpString2="sqlservr.exe", cchCount2=12) returned 1 [0085.591] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="msftesql.exe", cchCount1=12, lpString2="sqlwriter.exe", cchCount2=13) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocssd.exe", cchCount1=9, lpString2="sqlwriter.exe", cchCount2=13) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sql.exe", cchCount1=7, lpString2="sqlwriter.exe", cchCount2=13) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlbrowser.exe", cchCount1=14, lpString2="sqlwriter.exe", cchCount2=13) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlserver.exe", cchCount1=13, lpString2="sqlwriter.exe", cchCount2=13) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlservr.exe", cchCount1=12, lpString2="sqlwriter.exe", cchCount2=13) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="msftesql.exe", cchCount1=12, lpString2="synctime.exe", cchCount2=12) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocssd.exe", cchCount1=9, lpString2="synctime.exe", cchCount2=12) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sql.exe", cchCount1=7, lpString2="synctime.exe", cchCount2=12) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlserver.exe", cchCount1=13, lpString2="synctime.exe", cchCount2=12) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlservr.exe", cchCount1=12, lpString2="synctime.exe", cchCount2=12) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlwriter.exe", cchCount1=13, lpString2="synctime.exe", cchCount2=12) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mspub.exe", cchCount1=9, lpString2="taskkill.exe", cchCount2=12) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="oracle.exe", cchCount1=10, lpString2="taskkill.exe", cchCount2=12) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlagent.exe", cchCount1=12, lpString2="taskkill.exe", cchCount2=12) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlservr.exe", cchCount1=12, lpString2="taskkill.exe", cchCount2=12) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlwriter.exe", cchCount1=13, lpString2="taskkill.exe", cchCount2=12) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="synctime.exe", cchCount1=12, lpString2="taskkill.exe", cchCount2=12) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mspub.exe", cchCount1=9, lpString2="tasklist.exe", cchCount2=12) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="procexp.exe", cchCount1=11, lpString2="tasklist.exe", cchCount2=12) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlbrowser.exe", cchCount1=14, lpString2="tasklist.exe", cchCount2=12) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlwriter.exe", cchCount1=13, lpString2="tasklist.exe", cchCount2=12) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="synctime.exe", cchCount1=12, lpString2="tasklist.exe", cchCount2=12) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="taskkill.exe", cchCount1=12, lpString2="tasklist.exe", cchCount2=12) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mydesktopqos.exe", cchCount1=16, lpString2="taskmgr.exe", cchCount2=11) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="regedit.exe", cchCount1=11, lpString2="taskmgr.exe", cchCount2=11) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlserver.exe", cchCount1=13, lpString2="taskmgr.exe", cchCount2=11) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="synctime.exe", cchCount1=12, lpString2="taskmgr.exe", cchCount2=11) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="taskkill.exe", cchCount1=12, lpString2="taskmgr.exe", cchCount2=11) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="tasklist.exe", cchCount1=12, lpString2="taskmgr.exe", cchCount2=11) returned 1 [0085.592] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mydesktopqos.exe", cchCount1=16, lpString2="tbirdconfig.exe", cchCount2=15) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="regedit.exe", cchCount1=11, lpString2="tbirdconfig.exe", cchCount2=15) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlservr.exe", cchCount1=12, lpString2="tbirdconfig.exe", cchCount2=15) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="taskkill.exe", cchCount1=12, lpString2="tbirdconfig.exe", cchCount2=15) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="tasklist.exe", cchCount1=12, lpString2="tbirdconfig.exe", cchCount2=15) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="taskmgr.exe", cchCount1=11, lpString2="tbirdconfig.exe", cchCount2=15) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mydesktopservice.exe", cchCount1=20, lpString2="tomcat.exe", cchCount2=10) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqbcoreservice.exe", cchCount1=18, lpString2="tomcat.exe", cchCount2=10) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlwriter.exe", cchCount1=13, lpString2="tomcat.exe", cchCount2=10) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="tasklist.exe", cchCount1=12, lpString2="tomcat.exe", cchCount2=10) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="taskmgr.exe", cchCount1=11, lpString2="tomcat.exe", cchCount2=10) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="tbirdconfig.exe", cchCount1=15, lpString2="tomcat.exe", cchCount2=10) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mydesktopservice.exe", cchCount1=20, lpString2="tomcat6.exe", cchCount2=11) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sql.exe", cchCount1=7, lpString2="tomcat6.exe", cchCount2=11) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="synctime.exe", cchCount1=12, lpString2="tomcat6.exe", cchCount2=11) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="taskmgr.exe", cchCount1=11, lpString2="tomcat6.exe", cchCount2=11) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="tbirdconfig.exe", cchCount1=15, lpString2="tomcat6.exe", cchCount2=11) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="tomcat.exe", cchCount1=10, lpString2="tomcat6.exe", cchCount2=11) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld.exe", cchCount1=10, lpString2="u8.exe", cchCount2=6) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlagent.exe", cchCount1=12, lpString2="u8.exe", cchCount2=6) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="taskkill.exe", cchCount1=12, lpString2="u8.exe", cchCount2=6) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="tbirdconfig.exe", cchCount1=15, lpString2="u8.exe", cchCount2=6) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="tomcat.exe", cchCount1=10, lpString2="u8.exe", cchCount2=6) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="tomcat6.exe", cchCount1=11, lpString2="u8.exe", cchCount2=6) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld.exe", cchCount1=10, lpString2="ufida.exe", cchCount2=9) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlagent.exe", cchCount1=12, lpString2="ufida.exe", cchCount2=9) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="taskkill.exe", cchCount1=12, lpString2="ufida.exe", cchCount2=9) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="tbirdconfig.exe", cchCount1=15, lpString2="ufida.exe", cchCount2=9) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="tomcat6.exe", cchCount1=11, lpString2="ufida.exe", cchCount2=9) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="u8.exe", cchCount1=6, lpString2="ufida.exe", cchCount2=9) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld-nt.exe", cchCount1=13, lpString2="visio.exe", cchCount2=9) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlbrowser.exe", cchCount1=14, lpString2="visio.exe", cchCount2=9) returned 1 [0085.593] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="tasklist.exe", cchCount1=12, lpString2="visio.exe", cchCount2=9) returned 1 [0085.594] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="tomcat.exe", cchCount1=10, lpString2="visio.exe", cchCount2=9) returned 1 [0085.594] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="u8.exe", cchCount1=6, lpString2="visio.exe", cchCount2=9) returned 1 [0085.594] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ufida.exe", cchCount1=9, lpString2="visio.exe", cchCount2=9) returned 1 [0085.594] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld-nt.exe", cchCount1=13, lpString2="xfssvccon.exe", cchCount2=13) returned 1 [0085.594] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlserver.exe", cchCount1=13, lpString2="xfssvccon.exe", cchCount2=13) returned 1 [0085.594] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="taskmgr.exe", cchCount1=11, lpString2="xfssvccon.exe", cchCount2=13) returned 1 [0085.594] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="tomcat6.exe", cchCount1=11, lpString2="xfssvccon.exe", cchCount2=13) returned 1 [0085.594] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ufida.exe", cchCount1=9, lpString2="xfssvccon.exe", cchCount2=13) returned 1 [0085.594] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="visio.exe", cchCount1=9, lpString2="xfssvccon.exe", cchCount2=13) returned 1 [0085.594] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x12b4694, lpParameter=0x2e41b60, dwCreationFlags=0x4, lpThreadId=0x2e2c0b8 | out: lpThreadId=0x2e2c0b8*=0x101c) returned 0x204 [0085.594] ResumeThread (hThread=0x204) returned 0x1 [0085.597] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin\\Keys", ulOptions=0x0, samDesired=0x20019, phkResult=0xcff688 | out: phkResult=0xcff688*=0x0) returned 0x2 [0085.597] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin\\Keys", ulOptions=0x0, samDesired=0x20019, phkResult=0xcff688 | out: phkResult=0xcff688*=0x0) returned 0x2 [0085.598] PeekMessageA (in: lpMsg=0xcff668, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0xcff668) returned 0 [0085.598] PeekMessageA (in: lpMsg=0xcff668, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0xcff668) returned 0 [0085.598] PeekMessageA (in: lpMsg=0xcff668, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0xcff668) returned 0 [0085.598] PeekMessageA (in: lpMsg=0xcff668, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0xcff668) returned 0 [0085.598] PeekMessageA (in: lpMsg=0xcff668, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0xcff668) returned 0 [0085.598] PeekMessageA (in: lpMsg=0xcff668, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0xcff668) returned 0 [0085.598] PeekMessageA (in: lpMsg=0xcff668, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0xcff668) returned 0 [0085.598] PeekMessageA (in: lpMsg=0xcff668, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0xcff668) returned 0 [0085.598] PeekMessageA (in: lpMsg=0xcff668, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0xcff668) returned 0 Thread: id = 25 os_tid = 0xf0 Thread: id = 26 os_tid = 0x1008 [0085.621] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x77390000, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x30ffc78, nFileSizeHigh=0xaab000, nFileSizeLow=0xaa2000, dwReserved0=0x0, dwReserved1=0x30ffc04, cFileName="", cAlternateFileName="")) returned 0xffffffff [0085.621] GetLastError () returned 0x2 [0085.621] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x208) returned 0x0 [0085.621] RegQueryValueExA (in: hKey=0x208, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0085.621] RegCloseKey (hKey=0x208) returned 0x0 [0085.621] Sleep (dwMilliseconds=0xa) [0085.739] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49588, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0085.739] GetLastError () returned 0x2 [0085.739] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0085.740] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0085.740] RegCloseKey (hKey=0x20c) returned 0x0 [0085.740] Sleep (dwMilliseconds=0xa) [0085.871] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49ba0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0085.872] GetLastError () returned 0x2 [0085.872] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x210) returned 0x0 [0085.872] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0085.872] RegCloseKey (hKey=0x210) returned 0x0 [0085.872] Sleep (dwMilliseconds=0xa) [0086.008] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e495e8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0086.009] GetLastError () returned 0x2 [0086.009] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0086.009] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0086.009] RegCloseKey (hKey=0x20c) returned 0x0 [0086.009] Sleep (dwMilliseconds=0xa) [0086.125] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e495e8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0086.126] GetLastError () returned 0x2 [0086.126] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x210) returned 0x0 [0086.126] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0086.126] RegCloseKey (hKey=0x210) returned 0x0 [0086.126] Sleep (dwMilliseconds=0xa) [0086.214] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49bb8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0086.214] GetLastError () returned 0x2 [0086.215] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0086.215] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0086.215] RegCloseKey (hKey=0x20c) returned 0x0 [0086.215] Sleep (dwMilliseconds=0xa) [0086.291] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49b88, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0086.292] GetLastError () returned 0x2 [0086.292] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0086.292] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0086.292] RegCloseKey (hKey=0x20c) returned 0x0 [0086.292] Sleep (dwMilliseconds=0xa) [0086.397] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49bd0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0086.397] GetLastError () returned 0x2 [0086.398] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x208) returned 0x0 [0086.398] RegQueryValueExA (in: hKey=0x208, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0086.398] RegCloseKey (hKey=0x208) returned 0x0 [0086.398] Sleep (dwMilliseconds=0xa) [0086.492] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e494c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0086.492] GetLastError () returned 0x2 [0086.492] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x210) returned 0x0 [0086.492] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0086.492] RegCloseKey (hKey=0x210) returned 0x0 [0086.492] Sleep (dwMilliseconds=0xa) [0086.586] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49618, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0086.586] GetLastError () returned 0x2 [0086.586] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0086.587] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0086.587] RegCloseKey (hKey=0x20c) returned 0x0 [0086.587] Sleep (dwMilliseconds=0xa) [0086.685] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49618, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0086.685] GetLastError () returned 0x2 [0086.685] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0086.685] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0086.685] RegCloseKey (hKey=0x20c) returned 0x0 [0086.686] Sleep (dwMilliseconds=0xa) [0086.906] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49438, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0086.906] GetLastError () returned 0x2 [0086.907] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x210) returned 0x0 [0086.907] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0086.907] RegCloseKey (hKey=0x210) returned 0x0 [0086.907] Sleep (dwMilliseconds=0xa) [0086.999] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e3aa08, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0087.000] GetLastError () returned 0x2 [0087.000] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0087.000] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0087.000] RegCloseKey (hKey=0x20c) returned 0x0 [0087.000] Sleep (dwMilliseconds=0xa) [0087.086] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49bd0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0087.086] GetLastError () returned 0x2 [0087.086] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0087.086] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0087.086] RegCloseKey (hKey=0x20c) returned 0x0 [0087.086] Sleep (dwMilliseconds=0xa) [0087.163] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49ab0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0087.164] GetLastError () returned 0x2 [0087.164] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x208) returned 0x0 [0087.164] RegQueryValueExA (in: hKey=0x208, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0087.164] RegCloseKey (hKey=0x208) returned 0x0 [0087.164] Sleep (dwMilliseconds=0xa) [0087.233] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49498, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0087.233] GetLastError () returned 0x2 [0087.233] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x208) returned 0x0 [0087.234] RegQueryValueExA (in: hKey=0x208, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0087.234] RegCloseKey (hKey=0x208) returned 0x0 [0087.234] Sleep (dwMilliseconds=0xa) [0087.320] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49a80, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0087.321] GetLastError () returned 0x2 [0087.321] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0087.321] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0087.321] RegCloseKey (hKey=0x20c) returned 0x0 [0087.321] Sleep (dwMilliseconds=0xa) [0087.437] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e499c0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0087.438] GetLastError () returned 0x2 [0087.438] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0087.438] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0087.438] RegCloseKey (hKey=0x20c) returned 0x0 [0087.438] Sleep (dwMilliseconds=0xa) [0087.571] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49ab0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0087.572] GetLastError () returned 0x2 [0087.572] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x210) returned 0x0 [0087.572] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0087.572] RegCloseKey (hKey=0x210) returned 0x0 [0087.572] Sleep (dwMilliseconds=0xa) [0087.664] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49ab0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0087.665] GetLastError () returned 0x2 [0087.665] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x210) returned 0x0 [0087.665] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0087.665] RegCloseKey (hKey=0x210) returned 0x0 [0087.665] Sleep (dwMilliseconds=0xa) [0087.767] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e499c0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0087.768] GetLastError () returned 0x2 [0087.768] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0087.768] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0087.768] RegCloseKey (hKey=0x20c) returned 0x0 [0087.768] Sleep (dwMilliseconds=0xa) [0087.883] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e499c0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0087.884] GetLastError () returned 0x2 [0087.884] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0087.884] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0087.884] RegCloseKey (hKey=0x20c) returned 0x0 [0087.884] Sleep (dwMilliseconds=0xa) [0087.949] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49ab0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0087.950] GetLastError () returned 0x2 [0087.950] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x208) returned 0x0 [0087.950] RegQueryValueExA (in: hKey=0x208, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0087.950] RegCloseKey (hKey=0x208) returned 0x0 [0087.950] Sleep (dwMilliseconds=0xa) [0088.141] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49588, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0088.141] GetLastError () returned 0x2 [0088.141] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0088.142] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0088.142] RegCloseKey (hKey=0x20c) returned 0x0 [0088.142] Sleep (dwMilliseconds=0xa) [0088.227] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49ab0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0088.227] GetLastError () returned 0x2 [0088.227] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0088.227] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0088.227] RegCloseKey (hKey=0x20c) returned 0x0 [0088.227] Sleep (dwMilliseconds=0xa) [0088.334] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49a80, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0088.334] GetLastError () returned 0x2 [0088.334] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0088.334] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0088.334] RegCloseKey (hKey=0x20c) returned 0x0 [0088.334] Sleep (dwMilliseconds=0xa) [0088.431] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e499c0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0088.432] GetLastError () returned 0x2 [0088.432] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x210) returned 0x0 [0088.432] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0088.432] RegCloseKey (hKey=0x210) returned 0x0 [0088.432] Sleep (dwMilliseconds=0xa) [0088.531] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e499c0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0088.531] GetLastError () returned 0x2 [0088.531] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x210) returned 0x0 [0088.531] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0088.531] RegCloseKey (hKey=0x210) returned 0x0 [0088.531] Sleep (dwMilliseconds=0xa) [0088.664] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49a80, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0088.664] GetLastError () returned 0x2 [0088.664] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0088.664] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0088.664] RegCloseKey (hKey=0x20c) returned 0x0 [0088.664] Sleep (dwMilliseconds=0xa) [0088.742] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e499c0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0088.742] GetLastError () returned 0x2 [0088.742] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x208) returned 0x0 [0088.742] RegQueryValueExA (in: hKey=0x208, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0088.742] RegCloseKey (hKey=0x208) returned 0x0 [0088.742] Sleep (dwMilliseconds=0xa) [0088.813] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e494c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0088.814] GetLastError () returned 0x2 [0088.814] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x208) returned 0x0 [0088.814] RegQueryValueExA (in: hKey=0x208, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0088.814] RegCloseKey (hKey=0x208) returned 0x0 [0088.814] Sleep (dwMilliseconds=0xa) [0088.966] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49ab0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0088.967] GetLastError () returned 0x2 [0088.967] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0088.968] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0088.968] RegCloseKey (hKey=0x20c) returned 0x0 [0088.968] Sleep (dwMilliseconds=0xa) [0089.074] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49bb8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0089.074] GetLastError () returned 0x2 [0089.075] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0089.075] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0089.075] RegCloseKey (hKey=0x20c) returned 0x0 [0089.075] Sleep (dwMilliseconds=0xa) [0089.195] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49ab0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0089.195] GetLastError () returned 0x2 [0089.195] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0089.195] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0089.195] RegCloseKey (hKey=0x20c) returned 0x0 [0089.195] Sleep (dwMilliseconds=0xa) [0089.273] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49378, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0089.273] GetLastError () returned 0x2 [0089.273] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0089.273] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0089.273] RegCloseKey (hKey=0x20c) returned 0x0 [0089.273] Sleep (dwMilliseconds=0xa) [0089.358] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49bb8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0089.358] GetLastError () returned 0x2 [0089.358] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0089.359] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0089.359] RegCloseKey (hKey=0x20c) returned 0x0 [0089.359] Sleep (dwMilliseconds=0xa) [0089.503] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49be8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0089.503] GetLastError () returned 0x2 [0089.503] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0089.503] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0089.503] RegCloseKey (hKey=0x20c) returned 0x0 [0089.503] Sleep (dwMilliseconds=0xa) [0089.554] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e495e8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0089.554] GetLastError () returned 0x2 [0089.554] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x208) returned 0x0 [0089.554] RegQueryValueExA (in: hKey=0x208, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0089.554] RegCloseKey (hKey=0x208) returned 0x0 [0089.554] Sleep (dwMilliseconds=0xa) [0089.640] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49468, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0089.640] GetLastError () returned 0x2 [0089.640] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0089.640] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0089.640] RegCloseKey (hKey=0x20c) returned 0x0 [0089.640] Sleep (dwMilliseconds=0xa) [0089.726] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49a80, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0089.727] GetLastError () returned 0x2 [0089.727] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0089.727] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0089.727] RegCloseKey (hKey=0x20c) returned 0x0 [0089.727] Sleep (dwMilliseconds=0xa) [0089.827] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49b58, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0089.827] GetLastError () returned 0x2 [0089.827] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0089.827] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0089.827] RegCloseKey (hKey=0x20c) returned 0x0 [0089.827] Sleep (dwMilliseconds=0xa) [0089.944] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49378, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0089.945] GetLastError () returned 0x2 [0089.945] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0089.945] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0089.945] RegCloseKey (hKey=0x20c) returned 0x0 [0089.945] Sleep (dwMilliseconds=0xa) [0090.041] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49bb8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0090.041] GetLastError () returned 0x2 [0090.041] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x210) returned 0x0 [0090.041] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0090.041] RegCloseKey (hKey=0x210) returned 0x0 [0090.041] Sleep (dwMilliseconds=0xa) [0090.139] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49bb8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0090.140] GetLastError () returned 0x2 [0090.140] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0090.140] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0090.140] RegCloseKey (hKey=0x20c) returned 0x0 [0090.140] Sleep (dwMilliseconds=0xa) [0090.226] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49bb8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0090.226] GetLastError () returned 0x2 [0090.226] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0090.226] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0090.226] RegCloseKey (hKey=0x20c) returned 0x0 [0090.226] Sleep (dwMilliseconds=0xa) [0090.309] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49bb8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0090.309] GetLastError () returned 0x2 [0090.309] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x208) returned 0x0 [0090.309] RegQueryValueExA (in: hKey=0x208, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0090.309] RegCloseKey (hKey=0x208) returned 0x0 [0090.310] Sleep (dwMilliseconds=0xa) [0090.459] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49b88, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0090.459] GetLastError () returned 0x2 [0090.459] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0090.459] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0090.459] RegCloseKey (hKey=0x20c) returned 0x0 [0090.459] Sleep (dwMilliseconds=0xa) [0090.526] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49a80, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0090.527] GetLastError () returned 0x2 [0090.527] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0090.527] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0090.527] RegCloseKey (hKey=0x20c) returned 0x0 [0090.527] Sleep (dwMilliseconds=0xa) [0090.615] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49a80, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0090.615] GetLastError () returned 0x2 [0090.615] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0090.615] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0090.615] RegCloseKey (hKey=0x20c) returned 0x0 [0090.616] Sleep (dwMilliseconds=0xa) [0090.708] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49a80, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0090.708] GetLastError () returned 0x2 [0090.709] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0090.709] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0090.709] RegCloseKey (hKey=0x20c) returned 0x0 [0090.709] Sleep (dwMilliseconds=0xa) [0090.802] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49a80, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0090.802] GetLastError () returned 0x2 [0090.802] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0090.802] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0090.802] RegCloseKey (hKey=0x20c) returned 0x0 [0090.803] Sleep (dwMilliseconds=0xa) [0091.039] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49a80, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0091.039] GetLastError () returned 0x2 [0091.039] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x210) returned 0x0 [0091.039] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0091.040] RegCloseKey (hKey=0x210) returned 0x0 [0091.040] Sleep (dwMilliseconds=0xa) [0091.659] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49b40, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0091.660] GetLastError () returned 0x2 [0091.660] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0091.660] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0091.660] RegCloseKey (hKey=0x20c) returned 0x0 [0091.660] Sleep (dwMilliseconds=0xa) [0091.827] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49b58, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0091.827] GetLastError () returned 0x2 [0091.827] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x208) returned 0x0 [0091.828] RegQueryValueExA (in: hKey=0x208, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0091.828] RegCloseKey (hKey=0x208) returned 0x0 [0091.828] Sleep (dwMilliseconds=0xa) [0091.956] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e494c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0091.957] GetLastError () returned 0x2 [0091.957] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0091.957] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0091.957] RegCloseKey (hKey=0x20c) returned 0x0 [0091.957] Sleep (dwMilliseconds=0xa) [0092.459] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49a80, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0092.459] GetLastError () returned 0x2 [0092.459] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x210) returned 0x0 [0092.459] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0092.459] RegCloseKey (hKey=0x210) returned 0x0 [0092.459] Sleep (dwMilliseconds=0xa) [0092.616] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49be8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0092.616] GetLastError () returned 0x2 [0092.616] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0092.617] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0092.617] RegCloseKey (hKey=0x20c) returned 0x0 [0092.617] Sleep (dwMilliseconds=0xa) [0092.783] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49b40, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0092.783] GetLastError () returned 0x2 [0092.783] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0092.783] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0092.783] RegCloseKey (hKey=0x20c) returned 0x0 [0092.783] Sleep (dwMilliseconds=0xa) [0093.052] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49ae0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0093.052] GetLastError () returned 0x2 [0093.053] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0093.053] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0093.053] RegCloseKey (hKey=0x20c) returned 0x0 [0093.053] Sleep (dwMilliseconds=0xa) [0093.422] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49b40, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0093.423] GetLastError () returned 0x2 [0093.423] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0093.423] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0093.423] RegCloseKey (hKey=0x20c) returned 0x0 [0093.423] Sleep (dwMilliseconds=0xa) [0093.537] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49b58, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0093.537] GetLastError () returned 0x2 [0093.537] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0093.537] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0093.537] RegCloseKey (hKey=0x20c) returned 0x0 [0093.537] Sleep (dwMilliseconds=0xa) [0093.642] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49b40, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0093.642] GetLastError () returned 0x2 [0093.642] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x208) returned 0x0 [0093.643] RegQueryValueExA (in: hKey=0x208, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0093.643] RegCloseKey (hKey=0x208) returned 0x0 [0093.643] Sleep (dwMilliseconds=0xa) [0093.745] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49468, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0093.745] GetLastError () returned 0x2 [0093.746] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0093.746] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0093.746] RegCloseKey (hKey=0x20c) returned 0x0 [0093.746] Sleep (dwMilliseconds=0xa) [0093.829] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49b58, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0093.829] GetLastError () returned 0x2 [0093.829] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0093.830] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0093.830] RegCloseKey (hKey=0x20c) returned 0x0 [0093.830] Sleep (dwMilliseconds=0xa) [0094.031] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49b88, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0094.031] GetLastError () returned 0x2 [0094.031] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0094.031] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0094.031] RegCloseKey (hKey=0x20c) returned 0x0 [0094.031] Sleep (dwMilliseconds=0xa) [0094.127] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49b88, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0094.127] GetLastError () returned 0x2 [0094.127] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0094.127] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0094.127] RegCloseKey (hKey=0x20c) returned 0x0 [0094.127] Sleep (dwMilliseconds=0xa) [0094.240] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49b58, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0094.240] GetLastError () returned 0x2 [0094.240] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0094.240] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0094.240] RegCloseKey (hKey=0x20c) returned 0x0 [0094.240] Sleep (dwMilliseconds=0xa) [0094.327] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49b88, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0094.327] GetLastError () returned 0x2 [0094.327] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0094.327] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0094.327] RegCloseKey (hKey=0x20c) returned 0x0 [0094.327] Sleep (dwMilliseconds=0xa) [0094.402] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49b58, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0094.402] GetLastError () returned 0x2 [0094.402] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x208) returned 0x0 [0094.403] RegQueryValueExA (in: hKey=0x208, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0094.403] RegCloseKey (hKey=0x208) returned 0x0 [0094.403] Sleep (dwMilliseconds=0xa) [0094.439] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49a80, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0094.439] GetLastError () returned 0x2 [0094.439] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x208) returned 0x0 [0094.439] RegQueryValueExA (in: hKey=0x208, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0094.439] RegCloseKey (hKey=0x208) returned 0x0 [0094.439] Sleep (dwMilliseconds=0xa) [0094.532] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49378, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0094.532] GetLastError () returned 0x2 [0094.532] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x210) returned 0x0 [0094.532] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0094.532] RegCloseKey (hKey=0x210) returned 0x0 [0094.532] Sleep (dwMilliseconds=0xa) [0094.624] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49a80, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0094.624] GetLastError () returned 0x2 [0094.625] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0094.625] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0094.625] RegCloseKey (hKey=0x20c) returned 0x0 [0094.625] Sleep (dwMilliseconds=0xa) [0094.719] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49468, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0094.719] GetLastError () returned 0x2 [0094.719] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0094.719] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0094.719] RegCloseKey (hKey=0x20c) returned 0x0 [0094.719] Sleep (dwMilliseconds=0xa) [0094.814] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49a80, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0094.814] GetLastError () returned 0x2 [0094.814] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x210) returned 0x0 [0094.815] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0094.815] RegCloseKey (hKey=0x210) returned 0x0 [0094.815] Sleep (dwMilliseconds=0xa) [0094.938] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e494c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0094.939] GetLastError () returned 0x2 [0094.939] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0094.939] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0094.939] RegCloseKey (hKey=0x20c) returned 0x0 [0094.939] Sleep (dwMilliseconds=0xa) [0094.989] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49a80, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0094.989] GetLastError () returned 0x2 [0094.989] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x208) returned 0x0 [0094.989] RegQueryValueExA (in: hKey=0x208, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0094.989] RegCloseKey (hKey=0x208) returned 0x0 [0094.989] Sleep (dwMilliseconds=0xa) [0095.079] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49b88, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0095.079] GetLastError () returned 0x2 [0095.080] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0095.080] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0095.080] RegCloseKey (hKey=0x20c) returned 0x0 [0095.080] Sleep (dwMilliseconds=0xa) [0095.172] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49b40, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0095.172] GetLastError () returned 0x2 [0095.172] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0095.172] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0095.172] RegCloseKey (hKey=0x20c) returned 0x0 [0095.172] Sleep (dwMilliseconds=0xa) [0095.315] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49ae0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0095.316] GetLastError () returned 0x2 [0095.316] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0095.316] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0095.316] RegCloseKey (hKey=0x20c) returned 0x0 [0095.316] Sleep (dwMilliseconds=0xa) [0095.441] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49468, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0095.442] GetLastError () returned 0x2 [0095.442] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0095.443] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0095.443] RegCloseKey (hKey=0x20c) returned 0x0 [0095.443] Sleep (dwMilliseconds=0xa) [0095.533] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49b40, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0095.533] GetLastError () returned 0x2 [0095.534] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0095.534] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0095.534] RegCloseKey (hKey=0x20c) returned 0x0 [0095.534] Sleep (dwMilliseconds=0xa) [0095.627] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49bb8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0095.627] GetLastError () returned 0x2 [0095.627] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0095.628] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0095.628] RegCloseKey (hKey=0x20c) returned 0x0 [0095.628] Sleep (dwMilliseconds=0xa) [0095.788] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49b40, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0095.789] GetLastError () returned 0x2 [0095.789] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0095.789] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0095.789] RegCloseKey (hKey=0x20c) returned 0x0 [0095.789] Sleep (dwMilliseconds=0xa) [0095.952] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49be8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0095.953] GetLastError () returned 0x2 [0095.953] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0095.953] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0095.953] RegCloseKey (hKey=0x20c) returned 0x0 [0095.953] Sleep (dwMilliseconds=0xa) [0096.045] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49588, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0096.045] GetLastError () returned 0x2 [0096.046] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0096.046] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0096.046] RegCloseKey (hKey=0x20c) returned 0x0 [0096.046] Sleep (dwMilliseconds=0xa) [0096.140] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49a80, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0096.141] GetLastError () returned 0x2 [0096.141] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0096.141] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0096.141] RegCloseKey (hKey=0x20c) returned 0x0 [0096.141] Sleep (dwMilliseconds=0xa) [0096.234] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49588, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0096.235] GetLastError () returned 0x2 [0096.235] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x210) returned 0x0 [0096.235] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0096.235] RegCloseKey (hKey=0x210) returned 0x0 [0096.235] Sleep (dwMilliseconds=0xa) [0096.342] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49588, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0096.343] GetLastError () returned 0x2 [0096.343] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0096.343] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0096.343] RegCloseKey (hKey=0x20c) returned 0x0 [0096.343] Sleep (dwMilliseconds=0xa) [0096.452] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49a80, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0096.452] GetLastError () returned 0x2 [0096.452] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0096.453] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0096.453] RegCloseKey (hKey=0x20c) returned 0x0 [0096.453] Sleep (dwMilliseconds=0xa) [0096.540] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49a80, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0096.540] GetLastError () returned 0x2 [0096.540] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x208) returned 0x0 [0096.540] RegQueryValueExA (in: hKey=0x208, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0096.540] RegCloseKey (hKey=0x208) returned 0x0 [0096.540] Sleep (dwMilliseconds=0xa) [0096.608] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49bb8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0096.608] GetLastError () returned 0x2 [0096.608] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0096.608] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0096.608] RegCloseKey (hKey=0x20c) returned 0x0 [0096.608] Sleep (dwMilliseconds=0xa) [0096.701] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49be8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0096.702] GetLastError () returned 0x2 [0096.702] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0096.702] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0096.702] RegCloseKey (hKey=0x20c) returned 0x0 [0096.702] Sleep (dwMilliseconds=0xa) [0096.800] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49b58, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0096.800] GetLastError () returned 0x2 [0096.800] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0096.800] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0096.800] RegCloseKey (hKey=0x20c) returned 0x0 [0096.800] Sleep (dwMilliseconds=0xa) [0096.936] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49bb8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0096.937] GetLastError () returned 0x2 [0096.937] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0096.937] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0096.937] RegCloseKey (hKey=0x20c) returned 0x0 [0096.937] Sleep (dwMilliseconds=0xa) [0097.030] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49be8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0097.031] GetLastError () returned 0x2 [0097.031] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x210) returned 0x0 [0097.031] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0097.031] RegCloseKey (hKey=0x210) returned 0x0 [0097.031] Sleep (dwMilliseconds=0xa) [0097.124] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49be8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0097.124] GetLastError () returned 0x2 [0097.124] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x210) returned 0x0 [0097.124] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0097.124] RegCloseKey (hKey=0x210) returned 0x0 [0097.124] Sleep (dwMilliseconds=0xa) [0097.217] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49b88, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0097.217] GetLastError () returned 0x2 [0097.218] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0097.218] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0097.218] RegCloseKey (hKey=0x20c) returned 0x0 [0097.218] Sleep (dwMilliseconds=0xa) [0097.312] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49be8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0097.312] GetLastError () returned 0x2 [0097.313] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x208) returned 0x0 [0097.313] RegQueryValueExA (in: hKey=0x208, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0097.313] RegCloseKey (hKey=0x208) returned 0x0 [0097.313] Sleep (dwMilliseconds=0xa) [0097.367] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49378, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0097.367] GetLastError () returned 0x2 [0097.367] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x208) returned 0x0 [0097.368] RegQueryValueExA (in: hKey=0x208, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0097.368] RegCloseKey (hKey=0x208) returned 0x0 [0097.368] Sleep (dwMilliseconds=0xa) [0097.517] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49be8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0097.518] GetLastError () returned 0x2 [0097.518] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0097.518] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0097.518] RegCloseKey (hKey=0x20c) returned 0x0 [0097.518] Sleep (dwMilliseconds=0xa) [0097.611] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\1A2A6461.zeppelin", lpFindFileData=0x30ffc14 | out: lpFindFileData=0x30ffc14*(dwFileAttributes=0x30ffc60, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x30ffd70, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x2e49bb8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x30ffc20, dwReserved0=0x9b0608, dwReserved1=0x30f0000, cFileName="", cAlternateFileName="ﹴ̏◐眨䊨솔￾￿﹨̏㔟眧\n")) returned 0xffffffff [0097.611] GetLastError () returned 0x2 [0097.612] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x30ffdec | out: phkResult=0x30ffdec*=0x20c) returned 0x0 [0097.612] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0x30ffdf0, lpData=0x0, lpcbData=0x30ffde8*=0x30ffe60 | out: lpType=0x30ffdf0*=0x0, lpData=0x0, lpcbData=0x30ffde8*=0x0) returned 0x2 [0097.612] RegCloseKey (hKey=0x20c) returned 0x0 [0097.612] Sleep (dwMilliseconds=0xa) Thread: id = 27 os_tid = 0x101c [0085.633] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x353fd2c, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0085.633] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2e49780, cbMultiByte=11, lpWideCharStr=0x353ee34, cchWideChar=2047 | out: lpWideCharStr="agntsvc.exe") returned 11 [0085.635] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exe", cchWideChar=11, lpMultiByteStr=0x353eca8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exew\x04\x04Ý", lpUsedDefaultChar=0x0) returned 11 [0085.635] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x353fa9c, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0085.636] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x353eca4, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exevc.exew\x04\x04Ý", lpUsedDefaultChar=0x0) returned 9 [0085.636] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.636] GetProcAddress (hModule=0x74030000, lpProcName="CreateToolhelp32Snapshot") returned 0x7407edc0 [0085.636] GetProcAddress (hModule=0x74030000, lpProcName="Heap32ListFirst") returned 0x7407f1a0 [0085.636] GetProcAddress (hModule=0x74030000, lpProcName="Heap32ListNext") returned 0x7407f250 [0085.636] GetProcAddress (hModule=0x74030000, lpProcName="Heap32First") returned 0x7407f2f0 [0085.637] GetProcAddress (hModule=0x74030000, lpProcName="Heap32Next") returned 0x7407f510 [0085.637] GetProcAddress (hModule=0x74030000, lpProcName="Toolhelp32ReadProcessMemory") returned 0x74048830 [0085.637] GetProcAddress (hModule=0x74030000, lpProcName="Process32First") returned 0x7407f810 [0085.637] GetProcAddress (hModule=0x74030000, lpProcName="Process32Next") returned 0x7407f9a0 [0085.637] GetProcAddress (hModule=0x74030000, lpProcName="Process32FirstW") returned 0x7407f750 [0085.637] GetProcAddress (hModule=0x74030000, lpProcName="Process32NextW") returned 0x7407f8f0 [0085.637] GetProcAddress (hModule=0x74030000, lpProcName="Thread32First") returned 0x7407fa80 [0085.637] GetProcAddress (hModule=0x74030000, lpProcName="Thread32Next") returned 0x7407fb30 [0085.637] GetProcAddress (hModule=0x74030000, lpProcName="Module32First") returned 0x7407fc90 [0085.637] GetProcAddress (hModule=0x74030000, lpProcName="Module32Next") returned 0x7407fe30 [0085.637] GetProcAddress (hModule=0x74030000, lpProcName="Module32FirstW") returned 0x7407fbd0 [0085.638] GetProcAddress (hModule=0x74030000, lpProcName="Module32NextW") returned 0x7407fd80 [0085.638] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x208 [0085.649] Process32First (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0085.650] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.650] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.650] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0085.651] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exe", lpUsedDefaultChar=0x0) returned 11 [0085.651] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0085.652] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.652] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.652] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x20c [0085.652] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="툝Āsers\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpdwSize=0x353fc90) returned 0 [0085.652] GetLastError () returned 0x1f [0085.652] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="툝Āsers\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpdwSize=0x353fc90) returned 0 [0085.652] CloseHandle (hObject=0x20c) returned 1 [0085.662] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0085.662] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.663] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.663] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x20c [0085.663] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x353fc90) returned 1 [0085.663] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10185fc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x353fc90) returned 1 [0085.663] CloseHandle (hObject=0x20c) returned 1 [0085.663] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0085.664] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.664] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.664] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0085.664] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0085.665] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.665] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.665] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x20c [0085.665] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x353fc90) returned 1 [0085.665] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x353fc90) returned 1 [0085.665] CloseHandle (hObject=0x20c) returned 1 [0085.665] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0085.666] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.666] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.666] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0085.666] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0085.667] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.667] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.667] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x20c [0085.667] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x353fc90) returned 1 [0085.667] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x353fc90) returned 1 [0085.667] CloseHandle (hObject=0x20c) returned 1 [0085.667] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0085.668] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.668] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.668] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x20c [0085.668] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x353fc90) returned 1 [0085.668] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x353fc90) returned 1 [0085.669] CloseHandle (hObject=0x20c) returned 1 [0085.669] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0085.669] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.669] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.669] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x20c [0085.669] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x353fc90) returned 1 [0085.670] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10187bc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x353fc90) returned 1 [0085.670] CloseHandle (hObject=0x20c) returned 1 [0085.670] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.670] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.671] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.671] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x20c [0085.671] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.671] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.671] CloseHandle (hObject=0x20c) returned 1 [0085.671] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0085.672] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.672] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.672] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0085.672] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0085.672] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.673] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.673] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0085.673] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.673] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.673] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.673] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x20c [0085.673] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.674] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.674] CloseHandle (hObject=0x20c) returned 1 [0085.674] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0085.674] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.675] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.675] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0085.675] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.675] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.675] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.675] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x20c [0085.675] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.676] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.676] CloseHandle (hObject=0x20c) returned 1 [0085.676] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x64, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.741] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.741] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.741] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x20c [0085.741] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.742] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.742] CloseHandle (hObject=0x20c) returned 1 [0085.742] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.743] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.743] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.743] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x20c [0085.743] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.743] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.743] CloseHandle (hObject=0x20c) returned 1 [0085.743] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.744] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.744] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.744] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x20c [0085.744] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.744] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.745] CloseHandle (hObject=0x20c) returned 1 [0085.745] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.745] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.745] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.745] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x20c [0085.745] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.746] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.746] CloseHandle (hObject=0x20c) returned 1 [0085.746] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.747] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.747] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.747] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x20c [0085.747] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.747] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.747] CloseHandle (hObject=0x20c) returned 1 [0085.747] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.748] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.748] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.748] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x20c [0085.748] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.748] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.748] CloseHandle (hObject=0x20c) returned 1 [0085.749] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.749] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.749] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.749] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x20c [0085.749] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.750] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.750] CloseHandle (hObject=0x20c) returned 1 [0085.750] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.750] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.751] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.751] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x20c [0085.751] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.751] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.751] CloseHandle (hObject=0x20c) returned 1 [0085.751] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.752] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.752] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.752] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x20c [0085.752] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.752] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.752] CloseHandle (hObject=0x20c) returned 1 [0085.752] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.753] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.753] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.753] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x20c [0085.753] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.753] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.754] CloseHandle (hObject=0x20c) returned 1 [0085.754] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0085.754] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.754] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.755] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x20c [0085.755] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x353fc90) returned 1 [0085.755] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x353fc90) returned 1 [0085.755] CloseHandle (hObject=0x20c) returned 1 [0085.755] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0085.756] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.756] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.756] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x20c [0085.756] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x353fc90) returned 1 [0085.756] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x353fc90) returned 1 [0085.757] CloseHandle (hObject=0x20c) returned 1 [0085.757] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0085.757] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.757] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.757] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x20c [0085.758] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x353fc90) returned 1 [0085.758] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x353fc90) returned 1 [0085.758] CloseHandle (hObject=0x20c) returned 1 [0085.758] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.759] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.759] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.759] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x20c [0085.759] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.759] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.759] CloseHandle (hObject=0x20c) returned 1 [0085.759] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0085.760] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.760] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.760] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x20c [0085.760] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0085.760] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0085.760] CloseHandle (hObject=0x20c) returned 1 [0085.760] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x38, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0085.761] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.761] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.761] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x20c [0085.761] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x353fc90) returned 1 [0085.761] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10185fc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x353fc90) returned 1 [0085.761] CloseHandle (hObject=0x20c) returned 1 [0085.762] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0085.762] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.762] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.762] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x20c [0085.762] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x353fc90) returned 1 [0085.763] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x353fc90) returned 1 [0085.763] CloseHandle (hObject=0x20c) returned 1 [0085.763] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0085.763] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.763] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.763] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x20c [0085.764] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 1 [0085.764] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 1 [0085.764] CloseHandle (hObject=0x20c) returned 1 [0085.764] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0085.765] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.765] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.765] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x20c [0085.765] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 0 [0085.765] GetLastError () returned 0x1f [0085.765] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 0 [0085.765] CloseHandle (hObject=0x20c) returned 1 [0085.776] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0085.777] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.777] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.777] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x20c [0085.777] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x353fc90) returned 1 [0085.777] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x353fc90) returned 1 [0085.777] CloseHandle (hObject=0x20c) returned 1 [0085.777] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0085.778] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.778] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.778] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x20c [0085.778] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x353fc90) returned 1 [0085.778] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x353fc90) returned 1 [0085.779] CloseHandle (hObject=0x20c) returned 1 [0085.779] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0085.779] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.779] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.779] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x20c [0085.779] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x353fc90) returned 1 [0085.780] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x353fc90) returned 1 [0085.780] CloseHandle (hObject=0x20c) returned 1 [0085.780] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0085.781] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.781] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.781] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0085.781] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0085.781] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.781] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.781] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0085.781] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.782] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.782] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.782] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x20c [0085.782] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.782] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0085.783] CloseHandle (hObject=0x20c) returned 1 [0085.783] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0085.783] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.783] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.783] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdec) returned 0x20c [0085.783] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x353fc90) returned 1 [0085.784] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x353fc90) returned 1 [0085.784] CloseHandle (hObject=0x20c) returned 1 [0085.784] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SppExtComObj.Exe")) returned 1 [0085.784] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.784] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.785] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1a4) returned 0x0 [0085.785] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="manufacturers.exe")) returned 1 [0085.785] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.785] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.785] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb14) returned 0x20c [0085.785] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\manufacturers.exe", lpdwSize=0x353fc90) returned 1 [0085.786] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\manufacturers.exe", lpdwSize=0x353fc90) returned 1 [0085.872] CloseHandle (hObject=0x20c) returned 1 [0085.872] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="posters struggle.exe")) returned 1 [0085.873] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.873] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.873] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb00) returned 0x20c [0085.873] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\posters struggle.exe", lpdwSize=0x353fc90) returned 1 [0085.873] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\posters struggle.exe", lpdwSize=0x353fc90) returned 1 [0085.874] CloseHandle (hObject=0x20c) returned 1 [0085.874] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x650, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="dnsreliablemovie.exe")) returned 1 [0085.874] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.874] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.874] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x650) returned 0x20c [0085.875] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\dnsreliablemovie.exe", lpdwSize=0x353fc90) returned 1 [0085.875] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\dnsreliablemovie.exe", lpdwSize=0x353fc90) returned 1 [0085.875] CloseHandle (hObject=0x20c) returned 1 [0085.875] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="uristackaluminum.exe")) returned 1 [0085.876] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.876] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.876] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf8) returned 0x20c [0085.876] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\uristackaluminum.exe", lpdwSize=0x353fc90) returned 1 [0085.876] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\uristackaluminum.exe", lpdwSize=0x353fc90) returned 1 [0085.876] CloseHandle (hObject=0x20c) returned 1 [0085.876] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="freedom.exe")) returned 1 [0085.877] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.877] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.877] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8a0) returned 0x20c [0085.877] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\freedom.exe", lpdwSize=0x353fc90) returned 1 [0085.878] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\freedom.exe", lpdwSize=0x353fc90) returned 1 [0085.878] CloseHandle (hObject=0x20c) returned 1 [0085.878] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="discussion complement stretch.exe")) returned 1 [0085.879] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.879] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.879] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x20c [0085.879] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\discussion complement stretch.exe", lpdwSize=0x353fc90) returned 1 [0085.880] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\discussion complement stretch.exe", lpdwSize=0x353fc90) returned 1 [0085.880] CloseHandle (hObject=0x20c) returned 1 [0085.880] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="grantsfillingraises.exe")) returned 1 [0085.881] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.881] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.881] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe34) returned 0x20c [0085.881] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\grantsfillingraises.exe", lpdwSize=0x353fc90) returned 1 [0085.881] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\grantsfillingraises.exe", lpdwSize=0x353fc90) returned 1 [0085.881] CloseHandle (hObject=0x20c) returned 1 [0085.881] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="confused-periodic-returns.exe")) returned 1 [0085.882] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.882] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.882] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc98) returned 0x20c [0085.882] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\confused-periodic-returns.exe", lpdwSize=0x353fc90) returned 1 [0085.883] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\confused-periodic-returns.exe", lpdwSize=0x353fc90) returned 1 [0085.883] CloseHandle (hObject=0x20c) returned 1 [0085.883] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="song_vinyl_yours.exe")) returned 1 [0085.884] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.884] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.884] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf34) returned 0x20c [0085.884] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\song_vinyl_yours.exe", lpdwSize=0x353fc90) returned 1 [0085.884] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\song_vinyl_yours.exe", lpdwSize=0x353fc90) returned 1 [0085.884] CloseHandle (hObject=0x20c) returned 1 [0085.884] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="palmer-bugs.exe")) returned 1 [0085.885] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.885] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.885] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xee8) returned 0x20c [0085.885] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\palmer-bugs.exe", lpdwSize=0x353fc90) returned 1 [0085.885] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\palmer-bugs.exe", lpdwSize=0x353fc90) returned 1 [0085.886] CloseHandle (hObject=0x20c) returned 1 [0085.886] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="unlikely.exe")) returned 1 [0085.886] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.886] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.886] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa90) returned 0x20c [0085.887] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\unlikely.exe", lpdwSize=0x353fc90) returned 1 [0085.887] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\unlikely.exe", lpdwSize=0x353fc90) returned 1 [0085.887] CloseHandle (hObject=0x20c) returned 1 [0085.887] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="cambodia_alan.exe")) returned 1 [0085.888] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.888] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.888] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf00) returned 0x20c [0085.888] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\cambodia_alan.exe", lpdwSize=0x353fc90) returned 1 [0085.888] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\cambodia_alan.exe", lpdwSize=0x353fc90) returned 1 [0085.888] CloseHandle (hObject=0x20c) returned 1 [0085.888] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="powersellerauctions.exe")) returned 1 [0085.889] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.889] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.889] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4a4) returned 0x20c [0085.889] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\powersellerauctions.exe", lpdwSize=0x353fc90) returned 1 [0085.890] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\powersellerauctions.exe", lpdwSize=0x353fc90) returned 1 [0085.890] CloseHandle (hObject=0x20c) returned 1 [0085.890] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="supervisorswhats.exe")) returned 1 [0085.890] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.891] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.891] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf48) returned 0x20c [0085.891] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\supervisorswhats.exe", lpdwSize=0x353fc90) returned 1 [0085.891] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\supervisorswhats.exe", lpdwSize=0x353fc90) returned 1 [0085.891] CloseHandle (hObject=0x20c) returned 1 [0085.891] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="client-mathematical.exe")) returned 1 [0085.892] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.892] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.892] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf60) returned 0x20c [0085.892] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\client-mathematical.exe", lpdwSize=0x353fc90) returned 1 [0085.892] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\client-mathematical.exe", lpdwSize=0x353fc90) returned 1 [0085.893] CloseHandle (hObject=0x20c) returned 1 [0085.893] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="azresolve.exe")) returned 1 [0085.893] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.893] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.893] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdcc) returned 0x20c [0085.893] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\azresolve.exe", lpdwSize=0x353fc90) returned 1 [0085.894] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\azresolve.exe", lpdwSize=0x353fc90) returned 1 [0085.894] CloseHandle (hObject=0x20c) returned 1 [0085.894] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="shawscenic.exe")) returned 1 [0085.895] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.895] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.895] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x20c [0085.895] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\shawscenic.exe", lpdwSize=0x353fc90) returned 1 [0085.896] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\shawscenic.exe", lpdwSize=0x353fc90) returned 1 [0085.896] CloseHandle (hObject=0x20c) returned 1 [0085.896] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="illinois combo.exe")) returned 1 [0085.897] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.897] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.897] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x20c [0085.897] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Common Files\\illinois combo.exe", lpdwSize=0x353fc90) returned 1 [0085.897] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Common Files\\illinois combo.exe", lpdwSize=0x353fc90) returned 1 [0085.897] CloseHandle (hObject=0x20c) returned 1 [0085.898] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="dat_kenny_ladder.exe")) returned 1 [0085.899] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.899] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.899] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf18) returned 0x20c [0085.899] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\dat_kenny_ladder.exe", lpdwSize=0x353fc90) returned 1 [0085.899] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\dat_kenny_ladder.exe", lpdwSize=0x353fc90) returned 1 [0085.899] CloseHandle (hObject=0x20c) returned 1 [0085.899] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="plasma.exe")) returned 1 [0085.900] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.900] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.900] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfb4) returned 0x20c [0085.900] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Defender\\plasma.exe", lpdwSize=0x353fc90) returned 1 [0085.901] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Defender\\plasma.exe", lpdwSize=0x353fc90) returned 1 [0085.901] CloseHandle (hObject=0x20c) returned 1 [0085.901] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0085.902] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.902] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.902] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb78) returned 0x20c [0085.902] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\3dftp.exe", lpdwSize=0x353fc90) returned 1 [0085.902] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\3dftp.exe", lpdwSize=0x353fc90) returned 1 [0085.902] CloseHandle (hObject=0x20c) returned 1 [0085.902] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0085.903] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.903] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.903] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x20c [0085.903] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\absolutetelnet.exe", lpdwSize=0x353fc90) returned 1 [0085.904] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\absolutetelnet.exe", lpdwSize=0x353fc90) returned 1 [0085.904] CloseHandle (hObject=0x20c) returned 1 [0085.904] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xaf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0085.905] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.905] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.905] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xaf4) returned 0x20c [0085.905] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\alftp.exe", lpdwSize=0x353fc90) returned 1 [0085.905] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\alftp.exe", lpdwSize=0x353fc90) returned 1 [0085.905] CloseHandle (hObject=0x20c) returned 1 [0085.906] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0085.907] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.907] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.907] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xadc) returned 0x20c [0085.907] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\barca.exe", lpdwSize=0x353fc90) returned 1 [0085.907] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\barca.exe", lpdwSize=0x353fc90) returned 1 [0085.907] CloseHandle (hObject=0x20c) returned 1 [0085.907] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0085.908] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.908] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.908] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7f0) returned 0x20c [0085.908] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\bitkinex.exe", lpdwSize=0x353fc90) returned 1 [0085.909] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\bitkinex.exe", lpdwSize=0x353fc90) returned 1 [0085.909] CloseHandle (hObject=0x20c) returned 1 [0085.909] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0085.910] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0085.910] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0085.910] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb08) returned 0x20c [0085.910] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Internet Explorer\\coreftp.exe", lpdwSize=0x353fc90) returned 1 [0085.910] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Internet Explorer\\coreftp.exe", lpdwSize=0x353fc90) returned 1 [0085.910] CloseHandle (hObject=0x20c) returned 1 [0085.910] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0086.010] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.011] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.011] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf2c) returned 0x20c [0086.011] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\MSBuild\\far.exe", lpdwSize=0x353fc90) returned 1 [0086.011] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\MSBuild\\far.exe", lpdwSize=0x353fc90) returned 1 [0086.011] CloseHandle (hObject=0x20c) returned 1 [0086.011] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0086.012] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.012] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.012] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x384) returned 0x20c [0086.012] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\filezilla.exe", lpdwSize=0x353fc90) returned 1 [0086.013] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\filezilla.exe", lpdwSize=0x353fc90) returned 1 [0086.013] CloseHandle (hObject=0x20c) returned 1 [0086.013] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0086.014] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.014] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.014] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde0) returned 0x20c [0086.014] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\flashfxp.exe", lpdwSize=0x353fc90) returned 1 [0086.015] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\flashfxp.exe", lpdwSize=0x353fc90) returned 1 [0086.015] CloseHandle (hObject=0x20c) returned 1 [0086.015] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0086.016] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.016] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.016] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x790) returned 0x20c [0086.016] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\fling.exe", lpdwSize=0x353fc90) returned 1 [0086.016] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\fling.exe", lpdwSize=0x353fc90) returned 1 [0086.016] CloseHandle (hObject=0x20c) returned 1 [0086.017] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0086.018] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.018] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.018] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc14) returned 0x20c [0086.018] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\foxmailincmail.exe", lpdwSize=0x353fc90) returned 1 [0086.018] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\foxmailincmail.exe", lpdwSize=0x353fc90) returned 1 [0086.018] CloseHandle (hObject=0x20c) returned 1 [0086.018] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0086.019] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.019] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.019] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x20c [0086.019] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\gmailnotifierpro.exe", lpdwSize=0x353fc90) returned 1 [0086.020] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\gmailnotifierpro.exe", lpdwSize=0x353fc90) returned 1 [0086.020] CloseHandle (hObject=0x20c) returned 1 [0086.020] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0086.021] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.021] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.021] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1010) returned 0x20c [0086.021] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\icq.exe", lpdwSize=0x353fc90) returned 1 [0086.021] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\icq.exe", lpdwSize=0x353fc90) returned 1 [0086.022] CloseHandle (hObject=0x20c) returned 1 [0086.022] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1024, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0086.022] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.023] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.023] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1024) returned 0x20c [0086.023] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\leechftp.exe", lpdwSize=0x353fc90) returned 1 [0086.023] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\leechftp.exe", lpdwSize=0x353fc90) returned 1 [0086.023] CloseHandle (hObject=0x20c) returned 1 [0086.023] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1038, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0086.024] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.024] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.024] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1038) returned 0x20c [0086.024] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\ncftp.exe", lpdwSize=0x353fc90) returned 1 [0086.024] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\ncftp.exe", lpdwSize=0x353fc90) returned 1 [0086.025] CloseHandle (hObject=0x20c) returned 1 [0086.025] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0086.026] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.026] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.026] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x104c) returned 0x20c [0086.026] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0086.026] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0086.026] CloseHandle (hObject=0x20c) returned 1 [0086.026] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1060, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0086.027] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.027] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.027] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1060) returned 0x20c [0086.028] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\operamail.exe", lpdwSize=0x353fc90) returned 1 [0086.028] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\operamail.exe", lpdwSize=0x353fc90) returned 1 [0086.028] CloseHandle (hObject=0x20c) returned 1 [0086.028] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1074, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0086.029] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.029] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.029] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1074) returned 0x20c [0086.030] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\outlook.exe", lpdwSize=0x353fc90) returned 1 [0086.030] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\outlook.exe", lpdwSize=0x353fc90) returned 1 [0086.030] CloseHandle (hObject=0x20c) returned 1 [0086.030] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1088, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0086.031] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.032] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.032] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1088) returned 0x20c [0086.032] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\pidgin.exe", lpdwSize=0x353fc90) returned 1 [0086.032] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\pidgin.exe", lpdwSize=0x353fc90) returned 1 [0086.032] CloseHandle (hObject=0x20c) returned 1 [0086.032] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x109c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0086.034] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.034] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.034] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x109c) returned 0x20c [0086.034] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\scriptftp.exe", lpdwSize=0x353fc90) returned 1 [0086.034] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\scriptftp.exe", lpdwSize=0x353fc90) returned 1 [0086.034] CloseHandle (hObject=0x20c) returned 1 [0086.034] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0086.035] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.036] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.036] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b0) returned 0x20c [0086.036] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\skype.exe", lpdwSize=0x353fc90) returned 1 [0086.037] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\skype.exe", lpdwSize=0x353fc90) returned 1 [0086.037] CloseHandle (hObject=0x20c) returned 1 [0086.038] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="skype.exe", cchWideChar=9, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="skype.exe.exepro.exeexens.exe.exe", lpUsedDefaultChar=0x0) returned 9 [0086.039] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exexe.exepro.exeexens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0086.039] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0086.040] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.041] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.041] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10c4) returned 0x20c [0086.041] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x353fc90) returned 1 [0086.041] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x353fc90) returned 1 [0086.041] CloseHandle (hObject=0x20c) returned 1 [0086.043] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="smartftp.exe", cchWideChar=12, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="smartftp.exeepro.exeexens.exe.exe", lpUsedDefaultChar=0x0) returned 12 [0086.044] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exep.exeepro.exeexens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0086.044] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0086.045] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.046] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.046] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10d8) returned 0x20c [0086.046] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\thunderbird.exe", lpdwSize=0x353fc90) returned 1 [0086.046] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\thunderbird.exe", lpdwSize=0x353fc90) returned 1 [0086.046] CloseHandle (hObject=0x20c) returned 1 [0086.048] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="thunderbird.exe", cchWideChar=15, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="thunderbird.exeo.exeexens.exe.exe", lpUsedDefaultChar=0x0) returned 15 [0086.050] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exebird.exeo.exeexens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0086.050] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0086.051] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.051] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.051] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10ec) returned 0x20c [0086.051] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\totalcmd.exe", lpdwSize=0x353fc90) returned 1 [0086.127] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\totalcmd.exe", lpdwSize=0x353fc90) returned 1 [0086.127] CloseHandle (hObject=0x20c) returned 1 [0086.129] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="totalcmd.exe", cchWideChar=12, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="totalcmd.exeexeo.exeexens.exe.exe", lpUsedDefaultChar=0x0) returned 12 [0086.131] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exed.exeexeo.exeexens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0086.131] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1100, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0086.132] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.132] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.132] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1100) returned 0x20c [0086.132] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\trillian.exe", lpdwSize=0x353fc90) returned 1 [0086.133] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\trillian.exe", lpdwSize=0x353fc90) returned 1 [0086.133] CloseHandle (hObject=0x20c) returned 1 [0086.135] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="trillian.exe", cchWideChar=12, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="trillian.exeexeo.exeexens.exe.exe", lpUsedDefaultChar=0x0) returned 12 [0086.136] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0086.137] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.137] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.137] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1114) returned 0x20c [0086.138] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\webdrive.exe", lpdwSize=0x353fc90) returned 1 [0086.138] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\webdrive.exe", lpdwSize=0x353fc90) returned 1 [0086.138] CloseHandle (hObject=0x20c) returned 1 [0086.139] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1128, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0086.140] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.140] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.140] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1128) returned 0x20c [0086.140] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\whatsapp.exe", lpdwSize=0x353fc90) returned 1 [0086.141] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\whatsapp.exe", lpdwSize=0x353fc90) returned 1 [0086.141] CloseHandle (hObject=0x20c) returned 1 [0086.141] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x113c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0086.142] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.142] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.142] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x113c) returned 0x20c [0086.142] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\winscp.exe", lpdwSize=0x353fc90) returned 1 [0086.143] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\winscp.exe", lpdwSize=0x353fc90) returned 1 [0086.143] CloseHandle (hObject=0x20c) returned 1 [0086.143] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0086.144] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.144] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.144] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x20c [0086.145] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Media Player\\yahoomessenger.exe", lpdwSize=0x353fc90) returned 1 [0086.145] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Media Player\\yahoomessenger.exe", lpdwSize=0x353fc90) returned 1 [0086.146] CloseHandle (hObject=0x20c) returned 1 [0086.146] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0086.147] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.147] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.147] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x20c [0086.147] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\active-charge.exe", lpdwSize=0x353fc90) returned 1 [0086.147] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\active-charge.exe", lpdwSize=0x353fc90) returned 1 [0086.148] CloseHandle (hObject=0x20c) returned 1 [0086.148] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0086.149] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.149] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.149] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x20c [0086.149] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\accupos.exe", lpdwSize=0x353fc90) returned 1 [0086.150] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\accupos.exe", lpdwSize=0x353fc90) returned 1 [0086.150] CloseHandle (hObject=0x20c) returned 1 [0086.150] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0086.151] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.151] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.151] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x20c [0086.151] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\afr38.exe", lpdwSize=0x353fc90) returned 1 [0086.152] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\afr38.exe", lpdwSize=0x353fc90) returned 1 [0086.152] CloseHandle (hObject=0x20c) returned 1 [0086.152] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0086.153] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.153] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.153] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x20c [0086.153] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\aldelo.exe", lpdwSize=0x353fc90) returned 1 [0086.154] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\aldelo.exe", lpdwSize=0x353fc90) returned 1 [0086.154] CloseHandle (hObject=0x20c) returned 1 [0086.154] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0086.155] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.155] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.155] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x20c [0086.155] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\ccv_server.exe", lpdwSize=0x353fc90) returned 1 [0086.156] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\ccv_server.exe", lpdwSize=0x353fc90) returned 1 [0086.156] CloseHandle (hObject=0x20c) returned 1 [0086.156] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0086.157] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.157] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.157] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x20c [0086.157] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\centralcreditcard.exe", lpdwSize=0x353fc90) returned 1 [0086.158] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\centralcreditcard.exe", lpdwSize=0x353fc90) returned 1 [0086.158] CloseHandle (hObject=0x20c) returned 1 [0086.158] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0086.159] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.159] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.159] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x20c [0086.159] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\creditservice.exe", lpdwSize=0x353fc90) returned 1 [0086.160] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\creditservice.exe", lpdwSize=0x353fc90) returned 1 [0086.160] CloseHandle (hObject=0x20c) returned 1 [0086.160] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0086.215] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.216] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.216] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x20c [0086.216] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\edcsvr.exe", lpdwSize=0x353fc90) returned 1 [0086.216] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\edcsvr.exe", lpdwSize=0x353fc90) returned 1 [0086.216] CloseHandle (hObject=0x20c) returned 1 [0086.217] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0086.218] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.218] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.218] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x20c [0086.218] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Sidebar\\fpos.exe", lpdwSize=0x353fc90) returned 1 [0086.218] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Sidebar\\fpos.exe", lpdwSize=0x353fc90) returned 1 [0086.218] CloseHandle (hObject=0x20c) returned 1 [0086.218] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0086.219] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.220] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.220] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x20c [0086.220] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Java\\isspos.exe", lpdwSize=0x353fc90) returned 1 [0086.220] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Java\\isspos.exe", lpdwSize=0x353fc90) returned 1 [0086.220] CloseHandle (hObject=0x20c) returned 1 [0086.220] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0086.221] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.221] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.222] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x20c [0086.222] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\mxslipstream.exe", lpdwSize=0x353fc90) returned 1 [0086.222] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\mxslipstream.exe", lpdwSize=0x353fc90) returned 1 [0086.222] CloseHandle (hObject=0x20c) returned 1 [0086.222] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0086.224] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.224] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.224] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x20c [0086.224] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\omnipos.exe", lpdwSize=0x353fc90) returned 1 [0086.224] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\omnipos.exe", lpdwSize=0x353fc90) returned 1 [0086.225] CloseHandle (hObject=0x20c) returned 1 [0086.226] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="omnipos.exe", cchWideChar=11, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="omnipos.exem.exee.exexens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0086.227] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exe.exem.exee.exexens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0086.227] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0086.228] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.229] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.229] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x20c [0086.229] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Uninstall Information\\spcwin.exe", lpdwSize=0x353fc90) returned 1 [0086.229] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Uninstall Information\\spcwin.exe", lpdwSize=0x353fc90) returned 1 [0086.229] CloseHandle (hObject=0x20c) returned 1 [0086.231] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="spcwin.exe", cchWideChar=10, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spcwin.exeem.exee.exexens.exe.exe", lpUsedDefaultChar=0x0) returned 10 [0086.232] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeexeem.exee.exexens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0086.232] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0086.233] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.233] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.233] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x20c [0086.233] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\spgagentservice.exe", lpdwSize=0x353fc90) returned 1 [0086.234] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\spgagentservice.exe", lpdwSize=0x353fc90) returned 1 [0086.234] CloseHandle (hObject=0x20c) returned 1 [0086.236] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="spgagentservice.exe", cchWideChar=19, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spgagentservice.exexexens.exe.exe", lpUsedDefaultChar=0x0) returned 19 [0086.238] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exetservice.exexexens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0086.238] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0086.239] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.239] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.239] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x20c [0086.239] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\utg2.exe", lpdwSize=0x353fc90) returned 1 [0086.240] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\utg2.exe", lpdwSize=0x353fc90) returned 1 [0086.240] CloseHandle (hObject=0x20c) returned 1 [0086.241] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="utg2.exe", cchWideChar=8, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="utg2.exeservice.exexexens.exe.exe", lpUsedDefaultChar=0x0) returned 8 [0086.243] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeeservice.exexexens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0086.243] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare brown worth.exe")) returned 1 [0086.243] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.243] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.243] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x20c [0086.244] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\compare brown worth.exe", lpdwSize=0x353fc90) returned 1 [0086.244] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\compare brown worth.exe", lpdwSize=0x353fc90) returned 1 [0086.244] CloseHandle (hObject=0x20c) returned 1 [0086.246] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="purchase.exe")) returned 1 [0086.247] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.247] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.247] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12a4) returned 0x20c [0086.247] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\purchase.exe", lpdwSize=0x353fc90) returned 1 [0086.247] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\purchase.exe", lpdwSize=0x353fc90) returned 1 [0086.248] CloseHandle (hObject=0x20c) returned 1 [0086.248] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="timothy.exe")) returned 1 [0086.249] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.249] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.249] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b8) returned 0x20c [0086.249] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\timothy.exe", lpdwSize=0x353fc90) returned 1 [0086.250] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\timothy.exe", lpdwSize=0x353fc90) returned 1 [0086.250] CloseHandle (hObject=0x20c) returned 1 [0086.250] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="across-camel-teachers.exe")) returned 1 [0086.251] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.251] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.251] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12cc) returned 0x20c [0086.251] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\across-camel-teachers.exe", lpdwSize=0x353fc90) returned 1 [0086.251] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\across-camel-teachers.exe", lpdwSize=0x353fc90) returned 1 [0086.252] CloseHandle (hObject=0x20c) returned 1 [0086.252] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pst.exe")) returned 1 [0086.253] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.253] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.253] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12e0) returned 0x20c [0086.253] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\pst.exe", lpdwSize=0x353fc90) returned 1 [0086.253] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\pst.exe", lpdwSize=0x353fc90) returned 1 [0086.254] CloseHandle (hObject=0x20c) returned 1 [0086.254] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0086.292] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.293] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.293] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13bc) returned 0x20c [0086.293] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0086.293] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0086.293] CloseHandle (hObject=0x20c) returned 1 [0086.293] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0086.294] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.294] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.294] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13c4) returned 0x20c [0086.294] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe", lpdwSize=0x353fc90) returned 1 [0086.295] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe", lpdwSize=0x353fc90) returned 1 [0086.295] CloseHandle (hObject=0x20c) returned 1 [0086.295] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0086.295] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.296] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.296] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13cc) returned 0x20c [0086.296] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x353fc90) returned 1 [0086.296] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x353fc90) returned 1 [0086.296] CloseHandle (hObject=0x20c) returned 1 [0086.296] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0086.297] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.297] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.297] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13dc) returned 0x20c [0086.297] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0086.297] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0086.298] CloseHandle (hObject=0x20c) returned 1 [0086.298] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0086.298] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.299] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.299] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13e4) returned 0x20c [0086.299] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x353fc90) returned 1 [0086.299] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x353fc90) returned 1 [0086.299] CloseHandle (hObject=0x20c) returned 1 [0086.299] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0086.300] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.300] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.300] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13ec) returned 0x20c [0086.300] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0086.300] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0086.301] CloseHandle (hObject=0x20c) returned 1 [0086.301] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0086.301] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.302] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.302] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13f4) returned 0x20c [0086.302] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0086.302] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0086.302] CloseHandle (hObject=0x20c) returned 1 [0086.303] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="msoia.exe", cchWideChar=9, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msoia.exesus.exeexers.exe.exe.exe", lpUsedDefaultChar=0x0) returned 9 [0086.304] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exexesus.exeexers.exe.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0086.304] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1098, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0086.305] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.305] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.305] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1098) returned 0x20c [0086.305] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x353fc90) returned 1 [0086.305] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x353fc90) returned 1 [0086.306] CloseHandle (hObject=0x20c) returned 1 [0086.309] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="AppHostRegistrationVerifier.exe", cchWideChar=31, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppHostRegistrationVerifier.exexe", lpUsedDefaultChar=0x0) returned 31 [0086.310] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeRegistrationVerifier.exexe", lpUsedDefaultChar=0x0) returned 11 [0086.310] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x13e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0086.311] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.311] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.311] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xad4) returned 0x20c [0086.311] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0086.312] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0086.312] CloseHandle (hObject=0x20c) returned 1 [0086.313] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="conhost.exe", cchWideChar=11, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="conhost.exestrationVerifier.exexe", lpUsedDefaultChar=0x0) returned 11 [0086.314] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exe.exestrationVerifier.exexe", lpUsedDefaultChar=0x0) returned 11 [0086.314] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x608, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x13cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0086.315] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.315] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.315] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x608) returned 0x20c [0086.316] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0086.316] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0086.316] CloseHandle (hObject=0x20c) returned 1 [0086.318] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="conhost.exe", cchWideChar=11, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="conhost.exestrationVerifier.exexe", lpUsedDefaultChar=0x0) returned 11 [0086.319] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exe.exestrationVerifier.exexe", lpUsedDefaultChar=0x0) returned 11 [0086.319] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xaac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="CUsersGrujaAppDataRoamingMicrosoftWindowsspoolsv.exe")) returned 1 [0086.320] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.320] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.320] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xaac) returned 0x20c [0086.321] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 0 [0086.321] GetLastError () returned 0x1f [0086.321] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 0 [0086.321] CloseHandle (hObject=0x20c) returned 1 [0086.322] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xda8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xaac, pcPriClassBase=8, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0086.323] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.323] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.323] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xda8) returned 0x20c [0086.323] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpdwSize=0x353fc90) returned 1 [0086.324] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpdwSize=0x353fc90) returned 1 [0086.324] CloseHandle (hObject=0x20c) returned 1 [0086.325] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xaac, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0086.325] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.325] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.325] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x378) returned 0x20c [0086.325] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0086.326] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0086.326] CloseHandle (hObject=0x20c) returned 1 [0086.326] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdd0064, th32DefaultHeapID=0xff01, th32ModuleID=0x53fa9c, cntThreads=0x353fa9c, th32ParentProcessID=0x1031000, pcPriClassBase=32, dwFlags=0x48, szExeFile="????p")) returned 0 [0086.326] CloseHandle (hObject=0x208) returned 1 [0086.327] Sleep (dwMilliseconds=0x1) [0086.398] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x353fd2c, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0086.398] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2e24d98, cbMultiByte=22, lpWideCharStr=0x353ee34, cchWideChar=2047 | out: lpWideCharStr="agntsvc.exeagntsvc.exe") returned 22 [0086.400] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeagntsvc.exe", cchWideChar=22, lpMultiByteStr=0x353eca8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeagntsvc.exe>w", lpUsedDefaultChar=0x0) returned 22 [0086.400] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x353fa9c, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0086.401] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x353eca4, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exevc.exeagntsvc.exe>w", lpUsedDefaultChar=0x0) returned 9 [0086.401] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x208 [0086.414] Process32First (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0086.414] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.415] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.415] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0086.417] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeagntsvc.exe", cchWideChar=22, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeagntsvc.exe\x01\x01csrss.exevc.exeagntsvc.exe>w", lpUsedDefaultChar=0x0) returned 22 [0086.417] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0086.418] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.418] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.418] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x20c [0086.418] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 0 [0086.418] GetLastError () returned 0x1f [0086.418] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 0 [0086.418] CloseHandle (hObject=0x20c) returned 1 [0086.424] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0086.425] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.425] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.425] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x20c [0086.425] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x353fc90) returned 1 [0086.425] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101867c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x353fc90) returned 1 [0086.425] CloseHandle (hObject=0x20c) returned 1 [0086.426] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0086.426] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.426] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.427] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0086.427] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0086.427] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.428] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.428] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x20c [0086.428] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x353fc90) returned 1 [0086.428] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x353fc90) returned 1 [0086.428] CloseHandle (hObject=0x20c) returned 1 [0086.428] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0086.429] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.429] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.429] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0086.429] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0086.429] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.430] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.430] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x20c [0086.430] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x353fc90) returned 1 [0086.430] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x353fc90) returned 1 [0086.430] CloseHandle (hObject=0x20c) returned 1 [0086.430] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0086.431] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.431] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.431] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x20c [0086.431] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x353fc90) returned 1 [0086.431] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x353fc90) returned 1 [0086.431] CloseHandle (hObject=0x20c) returned 1 [0086.431] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0086.432] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.432] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.432] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x20c [0086.432] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x353fc90) returned 1 [0086.432] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10186fc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x353fc90) returned 1 [0086.432] CloseHandle (hObject=0x20c) returned 1 [0086.433] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.433] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.433] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.433] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x20c [0086.433] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.434] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.434] CloseHandle (hObject=0x20c) returned 1 [0086.434] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0086.434] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.434] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.435] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0086.435] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0086.435] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.435] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.435] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0086.435] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.436] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.436] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.436] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x20c [0086.436] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.436] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.436] CloseHandle (hObject=0x20c) returned 1 [0086.437] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0086.437] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.437] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.437] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0086.437] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.438] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.438] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.438] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x20c [0086.438] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.438] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.438] CloseHandle (hObject=0x20c) returned 1 [0086.438] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x64, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.439] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.439] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.439] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x20c [0086.439] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.439] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.440] CloseHandle (hObject=0x20c) returned 1 [0086.440] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.440] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.440] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.440] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x20c [0086.440] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.441] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.441] CloseHandle (hObject=0x20c) returned 1 [0086.441] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.441] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.442] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.442] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x20c [0086.442] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.442] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.493] CloseHandle (hObject=0x20c) returned 1 [0086.493] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.494] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.494] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.494] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x20c [0086.494] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.494] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.494] CloseHandle (hObject=0x20c) returned 1 [0086.494] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.495] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.495] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.495] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x20c [0086.495] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.495] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.495] CloseHandle (hObject=0x20c) returned 1 [0086.495] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.496] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.496] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.496] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x20c [0086.496] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.496] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.497] CloseHandle (hObject=0x20c) returned 1 [0086.497] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.497] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.497] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.497] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x20c [0086.497] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.498] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.498] CloseHandle (hObject=0x20c) returned 1 [0086.498] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.498] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.499] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.499] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x20c [0086.499] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.499] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.499] CloseHandle (hObject=0x20c) returned 1 [0086.499] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.500] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.500] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.500] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x20c [0086.500] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.500] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.500] CloseHandle (hObject=0x20c) returned 1 [0086.500] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.501] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.501] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.501] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x20c [0086.501] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.501] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.501] CloseHandle (hObject=0x20c) returned 1 [0086.501] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0086.502] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.502] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.502] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x20c [0086.502] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x353fc90) returned 1 [0086.502] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x353fc90) returned 1 [0086.503] CloseHandle (hObject=0x20c) returned 1 [0086.503] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0086.503] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.503] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.503] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x20c [0086.503] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x353fc90) returned 1 [0086.504] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x353fc90) returned 1 [0086.504] CloseHandle (hObject=0x20c) returned 1 [0086.504] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0086.504] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.504] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.505] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x20c [0086.505] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x353fc90) returned 1 [0086.505] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x353fc90) returned 1 [0086.505] CloseHandle (hObject=0x20c) returned 1 [0086.506] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="sihost.exe", cchWideChar=10, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sihost.exetsvc.exelient.exe", lpUsedDefaultChar=0x0) returned 10 [0086.508] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeagntsvc.exe", cchWideChar=22, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeagntsvc.exelient.exe", lpUsedDefaultChar=0x0) returned 22 [0086.508] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.509] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.509] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.509] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x20c [0086.509] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.509] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.510] CloseHandle (hObject=0x20c) returned 1 [0086.511] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exesvc.exelient.exe", lpUsedDefaultChar=0x0) returned 11 [0086.513] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeagntsvc.exe", cchWideChar=22, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeagntsvc.exelient.exe", lpUsedDefaultChar=0x0) returned 22 [0086.513] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0086.513] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.513] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.513] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x20c [0086.514] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0086.514] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0086.514] CloseHandle (hObject=0x20c) returned 1 [0086.515] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="taskhostw.exe", cchWideChar=13, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskhostw.exec.exelient.exe", lpUsedDefaultChar=0x0) returned 13 [0086.517] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeagntsvc.exe", cchWideChar=22, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeagntsvc.exelient.exe", lpUsedDefaultChar=0x0) returned 22 [0086.517] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x37, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0086.518] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.518] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.518] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x20c [0086.518] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x353fc90) returned 1 [0086.518] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101867c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x353fc90) returned 1 [0086.519] CloseHandle (hObject=0x20c) returned 1 [0086.520] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exevc.exelient.exe", lpUsedDefaultChar=0x0) returned 12 [0086.521] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0086.521] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.522] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.522] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x20c [0086.522] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x353fc90) returned 1 [0086.522] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x353fc90) returned 1 [0086.522] CloseHandle (hObject=0x20c) returned 1 [0086.523] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0086.523] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.523] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.523] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x20c [0086.523] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 1 [0086.524] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 1 [0086.524] CloseHandle (hObject=0x20c) returned 1 [0086.524] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0086.525] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.525] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.525] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x20c [0086.525] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 0 [0086.525] GetLastError () returned 0x1f [0086.525] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 0 [0086.525] CloseHandle (hObject=0x20c) returned 1 [0086.587] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0086.588] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.588] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.588] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x20c [0086.588] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x353fc90) returned 1 [0086.589] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x353fc90) returned 1 [0086.589] CloseHandle (hObject=0x20c) returned 1 [0086.589] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0086.589] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.590] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.590] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x20c [0086.590] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x353fc90) returned 1 [0086.590] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x353fc90) returned 1 [0086.590] CloseHandle (hObject=0x20c) returned 1 [0086.590] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0086.591] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.591] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.591] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x20c [0086.591] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x353fc90) returned 1 [0086.592] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x353fc90) returned 1 [0086.592] CloseHandle (hObject=0x20c) returned 1 [0086.592] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0086.593] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.593] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.593] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0086.593] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0086.594] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.594] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.594] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0086.594] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.595] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.595] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.595] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x20c [0086.595] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.595] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0086.595] CloseHandle (hObject=0x20c) returned 1 [0086.595] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0086.596] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.596] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.596] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdec) returned 0x20c [0086.597] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x353fc90) returned 1 [0086.597] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x353fc90) returned 1 [0086.597] CloseHandle (hObject=0x20c) returned 1 [0086.597] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SppExtComObj.Exe")) returned 1 [0086.598] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.598] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.598] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1a4) returned 0x0 [0086.598] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="manufacturers.exe")) returned 1 [0086.599] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.599] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.599] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb14) returned 0x20c [0086.599] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\manufacturers.exe", lpdwSize=0x353fc90) returned 1 [0086.600] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\manufacturers.exe", lpdwSize=0x353fc90) returned 1 [0086.600] CloseHandle (hObject=0x20c) returned 1 [0086.600] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="posters struggle.exe")) returned 1 [0086.600] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.601] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.601] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb00) returned 0x20c [0086.601] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\posters struggle.exe", lpdwSize=0x353fc90) returned 1 [0086.601] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\posters struggle.exe", lpdwSize=0x353fc90) returned 1 [0086.601] CloseHandle (hObject=0x20c) returned 1 [0086.601] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x650, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="dnsreliablemovie.exe")) returned 1 [0086.602] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.602] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.602] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x650) returned 0x20c [0086.602] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\dnsreliablemovie.exe", lpdwSize=0x353fc90) returned 1 [0086.603] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\dnsreliablemovie.exe", lpdwSize=0x353fc90) returned 1 [0086.603] CloseHandle (hObject=0x20c) returned 1 [0086.603] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="uristackaluminum.exe")) returned 1 [0086.604] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.604] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.604] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf8) returned 0x20c [0086.604] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\uristackaluminum.exe", lpdwSize=0x353fc90) returned 1 [0086.604] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\uristackaluminum.exe", lpdwSize=0x353fc90) returned 1 [0086.604] CloseHandle (hObject=0x20c) returned 1 [0086.604] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="freedom.exe")) returned 1 [0086.605] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.605] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.605] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8a0) returned 0x20c [0086.605] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\freedom.exe", lpdwSize=0x353fc90) returned 1 [0086.606] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\freedom.exe", lpdwSize=0x353fc90) returned 1 [0086.606] CloseHandle (hObject=0x20c) returned 1 [0086.606] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="discussion complement stretch.exe")) returned 1 [0086.607] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.607] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.607] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x20c [0086.607] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\discussion complement stretch.exe", lpdwSize=0x353fc90) returned 1 [0086.607] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\discussion complement stretch.exe", lpdwSize=0x353fc90) returned 1 [0086.607] CloseHandle (hObject=0x20c) returned 1 [0086.607] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="grantsfillingraises.exe")) returned 1 [0086.608] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.608] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.608] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe34) returned 0x20c [0086.608] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\grantsfillingraises.exe", lpdwSize=0x353fc90) returned 1 [0086.608] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\grantsfillingraises.exe", lpdwSize=0x353fc90) returned 1 [0086.609] CloseHandle (hObject=0x20c) returned 1 [0086.609] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="confused-periodic-returns.exe")) returned 1 [0086.609] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.609] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.609] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc98) returned 0x20c [0086.610] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\confused-periodic-returns.exe", lpdwSize=0x353fc90) returned 1 [0086.610] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\confused-periodic-returns.exe", lpdwSize=0x353fc90) returned 1 [0086.610] CloseHandle (hObject=0x20c) returned 1 [0086.610] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="song_vinyl_yours.exe")) returned 1 [0086.611] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.611] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.611] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf34) returned 0x20c [0086.611] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\song_vinyl_yours.exe", lpdwSize=0x353fc90) returned 1 [0086.611] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\song_vinyl_yours.exe", lpdwSize=0x353fc90) returned 1 [0086.611] CloseHandle (hObject=0x20c) returned 1 [0086.611] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="palmer-bugs.exe")) returned 1 [0086.612] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.612] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.612] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xee8) returned 0x20c [0086.612] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\palmer-bugs.exe", lpdwSize=0x353fc90) returned 1 [0086.613] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\palmer-bugs.exe", lpdwSize=0x353fc90) returned 1 [0086.613] CloseHandle (hObject=0x20c) returned 1 [0086.613] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="unlikely.exe")) returned 1 [0086.614] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.614] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.615] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa90) returned 0x20c [0086.615] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\unlikely.exe", lpdwSize=0x353fc90) returned 1 [0086.615] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\unlikely.exe", lpdwSize=0x353fc90) returned 1 [0086.615] CloseHandle (hObject=0x20c) returned 1 [0086.617] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="unlikely.exe", cchWideChar=12, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="unlikely.exevc.exexeturns.exe.exe", lpUsedDefaultChar=0x0) returned 12 [0086.619] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeagntsvc.exe", cchWideChar=22, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeagntsvc.exexeturns.exe.exe", lpUsedDefaultChar=0x0) returned 22 [0086.619] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="cambodia_alan.exe")) returned 1 [0086.620] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.620] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.620] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf00) returned 0x20c [0086.620] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\cambodia_alan.exe", lpdwSize=0x353fc90) returned 1 [0086.620] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\cambodia_alan.exe", lpdwSize=0x353fc90) returned 1 [0086.620] CloseHandle (hObject=0x20c) returned 1 [0086.622] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="cambodia_alan.exe", cchWideChar=17, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cambodia_alan.exeexeturns.exe.exe", lpUsedDefaultChar=0x0) returned 17 [0086.625] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeagntsvc.exe", cchWideChar=22, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeagntsvc.exexeturns.exe.exe", lpUsedDefaultChar=0x0) returned 22 [0086.625] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="powersellerauctions.exe")) returned 1 [0086.626] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.626] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.626] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4a4) returned 0x20c [0086.626] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\powersellerauctions.exe", lpdwSize=0x353fc90) returned 1 [0086.626] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\powersellerauctions.exe", lpdwSize=0x353fc90) returned 1 [0086.627] CloseHandle (hObject=0x20c) returned 1 [0086.629] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="powersellerauctions.exe", cchWideChar=23, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="powersellerauctions.exens.exe.exe", lpUsedDefaultChar=0x0) returned 23 [0086.688] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="supervisorswhats.exe")) returned 1 [0086.689] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.689] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.689] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf48) returned 0x20c [0086.689] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\supervisorswhats.exe", lpdwSize=0x353fc90) returned 1 [0086.689] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\supervisorswhats.exe", lpdwSize=0x353fc90) returned 1 [0086.690] CloseHandle (hObject=0x20c) returned 1 [0086.690] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="client-mathematical.exe")) returned 1 [0086.691] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.691] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.691] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf60) returned 0x20c [0086.691] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\client-mathematical.exe", lpdwSize=0x353fc90) returned 1 [0086.691] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\client-mathematical.exe", lpdwSize=0x353fc90) returned 1 [0086.692] CloseHandle (hObject=0x20c) returned 1 [0086.692] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="azresolve.exe")) returned 1 [0086.693] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.693] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.693] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdcc) returned 0x20c [0086.693] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\azresolve.exe", lpdwSize=0x353fc90) returned 1 [0086.693] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\azresolve.exe", lpdwSize=0x353fc90) returned 1 [0086.694] CloseHandle (hObject=0x20c) returned 1 [0086.694] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="shawscenic.exe")) returned 1 [0086.695] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.695] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.695] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x20c [0086.695] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\shawscenic.exe", lpdwSize=0x353fc90) returned 1 [0086.695] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\shawscenic.exe", lpdwSize=0x353fc90) returned 1 [0086.696] CloseHandle (hObject=0x20c) returned 1 [0086.696] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="illinois combo.exe")) returned 1 [0086.697] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.697] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.697] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x20c [0086.697] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Common Files\\illinois combo.exe", lpdwSize=0x353fc90) returned 1 [0086.697] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Common Files\\illinois combo.exe", lpdwSize=0x353fc90) returned 1 [0086.698] CloseHandle (hObject=0x20c) returned 1 [0086.698] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="dat_kenny_ladder.exe")) returned 1 [0086.699] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.699] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.699] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf18) returned 0x20c [0086.699] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\dat_kenny_ladder.exe", lpdwSize=0x353fc90) returned 1 [0086.699] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\dat_kenny_ladder.exe", lpdwSize=0x353fc90) returned 1 [0086.699] CloseHandle (hObject=0x20c) returned 1 [0086.700] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="plasma.exe")) returned 1 [0086.701] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.701] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.701] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfb4) returned 0x20c [0086.701] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Defender\\plasma.exe", lpdwSize=0x353fc90) returned 1 [0086.701] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Defender\\plasma.exe", lpdwSize=0x353fc90) returned 1 [0086.701] CloseHandle (hObject=0x20c) returned 1 [0086.701] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0086.702] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.703] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.703] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb78) returned 0x20c [0086.703] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\3dftp.exe", lpdwSize=0x353fc90) returned 1 [0086.703] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\3dftp.exe", lpdwSize=0x353fc90) returned 1 [0086.703] CloseHandle (hObject=0x20c) returned 1 [0086.703] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0086.705] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.705] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.705] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x20c [0086.705] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\absolutetelnet.exe", lpdwSize=0x353fc90) returned 1 [0086.705] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\absolutetelnet.exe", lpdwSize=0x353fc90) returned 1 [0086.705] CloseHandle (hObject=0x20c) returned 1 [0086.705] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xaf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0086.706] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.707] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.707] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xaf4) returned 0x20c [0086.707] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\alftp.exe", lpdwSize=0x353fc90) returned 1 [0086.707] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\alftp.exe", lpdwSize=0x353fc90) returned 1 [0086.707] CloseHandle (hObject=0x20c) returned 1 [0086.707] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0086.709] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.709] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.709] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xadc) returned 0x20c [0086.709] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\barca.exe", lpdwSize=0x353fc90) returned 1 [0086.709] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\barca.exe", lpdwSize=0x353fc90) returned 1 [0086.709] CloseHandle (hObject=0x20c) returned 1 [0086.709] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0086.711] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.711] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.711] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7f0) returned 0x20c [0086.711] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\bitkinex.exe", lpdwSize=0x353fc90) returned 1 [0086.711] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\bitkinex.exe", lpdwSize=0x353fc90) returned 1 [0086.712] CloseHandle (hObject=0x20c) returned 1 [0086.712] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0086.714] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.714] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.714] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb08) returned 0x20c [0086.714] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Internet Explorer\\coreftp.exe", lpdwSize=0x353fc90) returned 1 [0086.714] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Internet Explorer\\coreftp.exe", lpdwSize=0x353fc90) returned 1 [0086.714] CloseHandle (hObject=0x20c) returned 1 [0086.715] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0086.716] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.716] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.716] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf2c) returned 0x20c [0086.716] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\MSBuild\\far.exe", lpdwSize=0x353fc90) returned 1 [0086.716] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\MSBuild\\far.exe", lpdwSize=0x353fc90) returned 1 [0086.717] CloseHandle (hObject=0x20c) returned 1 [0086.717] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0086.718] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.718] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.718] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x384) returned 0x20c [0086.718] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\filezilla.exe", lpdwSize=0x353fc90) returned 1 [0086.719] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\filezilla.exe", lpdwSize=0x353fc90) returned 1 [0086.719] CloseHandle (hObject=0x20c) returned 1 [0086.719] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0086.721] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.721] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.721] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde0) returned 0x20c [0086.721] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\flashfxp.exe", lpdwSize=0x353fc90) returned 1 [0086.722] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\flashfxp.exe", lpdwSize=0x353fc90) returned 1 [0086.722] CloseHandle (hObject=0x20c) returned 1 [0086.722] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0086.723] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.723] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.723] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x790) returned 0x20c [0086.723] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\fling.exe", lpdwSize=0x353fc90) returned 1 [0086.723] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\fling.exe", lpdwSize=0x353fc90) returned 1 [0086.908] CloseHandle (hObject=0x20c) returned 1 [0086.908] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0086.910] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.910] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.910] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc14) returned 0x20c [0086.910] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\foxmailincmail.exe", lpdwSize=0x353fc90) returned 1 [0086.910] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\foxmailincmail.exe", lpdwSize=0x353fc90) returned 1 [0086.911] CloseHandle (hObject=0x20c) returned 1 [0086.912] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0086.913] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.913] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.913] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x20c [0086.914] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\gmailnotifierpro.exe", lpdwSize=0x353fc90) returned 1 [0086.914] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\gmailnotifierpro.exe", lpdwSize=0x353fc90) returned 1 [0086.914] CloseHandle (hObject=0x20c) returned 1 [0086.917] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="gmailnotifierpro.exe", cchWideChar=20, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gmailnotifierpro.exeexens.exe.exe", lpUsedDefaultChar=0x0) returned 20 [0086.920] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeagntsvc.exe", cchWideChar=22, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeagntsvc.exexeexens.exe.exe", lpUsedDefaultChar=0x0) returned 22 [0086.920] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0086.921] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.921] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.921] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1010) returned 0x20c [0086.922] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\icq.exe", lpdwSize=0x353fc90) returned 1 [0086.922] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\icq.exe", lpdwSize=0x353fc90) returned 1 [0086.922] CloseHandle (hObject=0x20c) returned 1 [0086.923] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="icq.exe", cchWideChar=7, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="icq.exeagntsvc.exexeexens.exe.exe", lpUsedDefaultChar=0x0) returned 7 [0086.926] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeagntsvc.exe", cchWideChar=22, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeagntsvc.exexeexens.exe.exe", lpUsedDefaultChar=0x0) returned 22 [0086.926] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1024, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0086.928] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.928] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.928] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1024) returned 0x20c [0086.928] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\leechftp.exe", lpdwSize=0x353fc90) returned 1 [0086.928] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\leechftp.exe", lpdwSize=0x353fc90) returned 1 [0086.929] CloseHandle (hObject=0x20c) returned 1 [0086.930] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="leechftp.exe", cchWideChar=12, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="leechftp.exevc.exexeexens.exe.exe", lpUsedDefaultChar=0x0) returned 12 [0086.933] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeagntsvc.exe", cchWideChar=22, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeagntsvc.exexeexens.exe.exe", lpUsedDefaultChar=0x0) returned 22 [0086.933] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1038, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0086.934] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.935] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.935] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1038) returned 0x20c [0086.935] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\ncftp.exe", lpdwSize=0x353fc90) returned 1 [0086.935] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\ncftp.exe", lpdwSize=0x353fc90) returned 1 [0086.935] CloseHandle (hObject=0x20c) returned 1 [0086.937] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0086.938] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.938] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.938] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x104c) returned 0x20c [0086.938] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0086.939] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0086.939] CloseHandle (hObject=0x20c) returned 1 [0086.940] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1060, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0086.941] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0086.941] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0086.941] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1060) returned 0x20c [0086.941] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\operamail.exe", lpdwSize=0x353fc90) returned 1 [0086.942] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\operamail.exe", lpdwSize=0x353fc90) returned 1 [0086.942] CloseHandle (hObject=0x20c) returned 1 [0086.942] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1074, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0087.000] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.000] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.001] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1074) returned 0x20c [0087.001] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\outlook.exe", lpdwSize=0x353fc90) returned 1 [0087.001] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\outlook.exe", lpdwSize=0x353fc90) returned 1 [0087.001] CloseHandle (hObject=0x20c) returned 1 [0087.001] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1088, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0087.002] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.002] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.002] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1088) returned 0x20c [0087.002] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\pidgin.exe", lpdwSize=0x353fc90) returned 1 [0087.003] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\pidgin.exe", lpdwSize=0x353fc90) returned 1 [0087.003] CloseHandle (hObject=0x20c) returned 1 [0087.003] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x109c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0087.004] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.004] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.004] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x109c) returned 0x20c [0087.004] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\scriptftp.exe", lpdwSize=0x353fc90) returned 1 [0087.004] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\scriptftp.exe", lpdwSize=0x353fc90) returned 1 [0087.004] CloseHandle (hObject=0x20c) returned 1 [0087.004] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0087.006] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.006] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.006] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b0) returned 0x20c [0087.006] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\skype.exe", lpdwSize=0x353fc90) returned 1 [0087.007] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\skype.exe", lpdwSize=0x353fc90) returned 1 [0087.007] CloseHandle (hObject=0x20c) returned 1 [0087.007] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0087.008] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.008] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.008] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10c4) returned 0x20c [0087.008] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x353fc90) returned 1 [0087.008] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x353fc90) returned 1 [0087.008] CloseHandle (hObject=0x20c) returned 1 [0087.008] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0087.009] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.009] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.009] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10d8) returned 0x20c [0087.010] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\thunderbird.exe", lpdwSize=0x353fc90) returned 1 [0087.010] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\thunderbird.exe", lpdwSize=0x353fc90) returned 1 [0087.010] CloseHandle (hObject=0x20c) returned 1 [0087.010] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0087.011] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.011] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.011] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10ec) returned 0x20c [0087.011] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\totalcmd.exe", lpdwSize=0x353fc90) returned 1 [0087.011] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\totalcmd.exe", lpdwSize=0x353fc90) returned 1 [0087.011] CloseHandle (hObject=0x20c) returned 1 [0087.011] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1100, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0087.012] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.012] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.012] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1100) returned 0x20c [0087.012] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\trillian.exe", lpdwSize=0x353fc90) returned 1 [0087.013] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\trillian.exe", lpdwSize=0x353fc90) returned 1 [0087.013] CloseHandle (hObject=0x20c) returned 1 [0087.013] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0087.014] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.014] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.014] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1114) returned 0x20c [0087.014] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\webdrive.exe", lpdwSize=0x353fc90) returned 1 [0087.014] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\webdrive.exe", lpdwSize=0x353fc90) returned 1 [0087.014] CloseHandle (hObject=0x20c) returned 1 [0087.014] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1128, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0087.015] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.015] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.015] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1128) returned 0x20c [0087.015] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\whatsapp.exe", lpdwSize=0x353fc90) returned 1 [0087.016] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\whatsapp.exe", lpdwSize=0x353fc90) returned 1 [0087.016] CloseHandle (hObject=0x20c) returned 1 [0087.016] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x113c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0087.017] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.017] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.017] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x113c) returned 0x20c [0087.017] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\winscp.exe", lpdwSize=0x353fc90) returned 1 [0087.017] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\winscp.exe", lpdwSize=0x353fc90) returned 1 [0087.017] CloseHandle (hObject=0x20c) returned 1 [0087.017] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0087.018] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.018] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.018] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x20c [0087.018] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Media Player\\yahoomessenger.exe", lpdwSize=0x353fc90) returned 1 [0087.018] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Media Player\\yahoomessenger.exe", lpdwSize=0x353fc90) returned 1 [0087.019] CloseHandle (hObject=0x20c) returned 1 [0087.019] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0087.020] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.020] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.020] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x20c [0087.020] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\active-charge.exe", lpdwSize=0x353fc90) returned 1 [0087.020] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\active-charge.exe", lpdwSize=0x353fc90) returned 1 [0087.020] CloseHandle (hObject=0x20c) returned 1 [0087.020] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0087.022] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.022] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.022] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x20c [0087.022] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\accupos.exe", lpdwSize=0x353fc90) returned 1 [0087.023] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\accupos.exe", lpdwSize=0x353fc90) returned 1 [0087.023] CloseHandle (hObject=0x20c) returned 1 [0087.023] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0087.024] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.024] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.024] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x20c [0087.024] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\afr38.exe", lpdwSize=0x353fc90) returned 1 [0087.024] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\afr38.exe", lpdwSize=0x353fc90) returned 1 [0087.024] CloseHandle (hObject=0x20c) returned 1 [0087.024] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0087.025] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.025] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.025] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x20c [0087.025] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\aldelo.exe", lpdwSize=0x353fc90) returned 1 [0087.025] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\aldelo.exe", lpdwSize=0x353fc90) returned 1 [0087.026] CloseHandle (hObject=0x20c) returned 1 [0087.026] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0087.027] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.027] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.027] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x20c [0087.027] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\ccv_server.exe", lpdwSize=0x353fc90) returned 1 [0087.027] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\ccv_server.exe", lpdwSize=0x353fc90) returned 1 [0087.027] CloseHandle (hObject=0x20c) returned 1 [0087.027] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0087.028] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.028] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.028] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x20c [0087.028] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\centralcreditcard.exe", lpdwSize=0x353fc90) returned 1 [0087.028] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\centralcreditcard.exe", lpdwSize=0x353fc90) returned 1 [0087.028] CloseHandle (hObject=0x20c) returned 1 [0087.029] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0087.029] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.029] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.029] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x20c [0087.030] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\creditservice.exe", lpdwSize=0x353fc90) returned 1 [0087.030] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\creditservice.exe", lpdwSize=0x353fc90) returned 1 [0087.030] CloseHandle (hObject=0x20c) returned 1 [0087.030] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0087.031] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.031] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.031] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x20c [0087.031] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\edcsvr.exe", lpdwSize=0x353fc90) returned 1 [0087.031] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\edcsvr.exe", lpdwSize=0x353fc90) returned 1 [0087.031] CloseHandle (hObject=0x20c) returned 1 [0087.031] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0087.032] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.032] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.032] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x20c [0087.032] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Sidebar\\fpos.exe", lpdwSize=0x353fc90) returned 1 [0087.033] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Sidebar\\fpos.exe", lpdwSize=0x353fc90) returned 1 [0087.033] CloseHandle (hObject=0x20c) returned 1 [0087.033] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0087.034] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.034] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.034] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x20c [0087.034] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Java\\isspos.exe", lpdwSize=0x353fc90) returned 1 [0087.034] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Java\\isspos.exe", lpdwSize=0x353fc90) returned 1 [0087.034] CloseHandle (hObject=0x20c) returned 1 [0087.034] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0087.035] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.035] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.035] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x20c [0087.035] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\mxslipstream.exe", lpdwSize=0x353fc90) returned 1 [0087.035] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\mxslipstream.exe", lpdwSize=0x353fc90) returned 1 [0087.035] CloseHandle (hObject=0x20c) returned 1 [0087.036] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0087.087] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.087] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.087] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x20c [0087.087] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\omnipos.exe", lpdwSize=0x353fc90) returned 1 [0087.087] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\omnipos.exe", lpdwSize=0x353fc90) returned 1 [0087.087] CloseHandle (hObject=0x20c) returned 1 [0087.087] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0087.088] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.088] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.088] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x20c [0087.089] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Uninstall Information\\spcwin.exe", lpdwSize=0x353fc90) returned 1 [0087.089] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Uninstall Information\\spcwin.exe", lpdwSize=0x353fc90) returned 1 [0087.089] CloseHandle (hObject=0x20c) returned 1 [0087.089] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0087.090] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.090] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.090] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x20c [0087.090] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\spgagentservice.exe", lpdwSize=0x353fc90) returned 1 [0087.090] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\spgagentservice.exe", lpdwSize=0x353fc90) returned 1 [0087.090] CloseHandle (hObject=0x20c) returned 1 [0087.090] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0087.091] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.091] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.091] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x20c [0087.091] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\utg2.exe", lpdwSize=0x353fc90) returned 1 [0087.092] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\utg2.exe", lpdwSize=0x353fc90) returned 1 [0087.092] CloseHandle (hObject=0x20c) returned 1 [0087.092] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare brown worth.exe")) returned 1 [0087.093] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.093] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.093] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x20c [0087.093] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\compare brown worth.exe", lpdwSize=0x353fc90) returned 1 [0087.093] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\compare brown worth.exe", lpdwSize=0x353fc90) returned 1 [0087.093] CloseHandle (hObject=0x20c) returned 1 [0087.093] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="purchase.exe")) returned 1 [0087.094] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.094] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.094] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12a4) returned 0x20c [0087.094] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\purchase.exe", lpdwSize=0x353fc90) returned 1 [0087.094] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\purchase.exe", lpdwSize=0x353fc90) returned 1 [0087.095] CloseHandle (hObject=0x20c) returned 1 [0087.095] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="timothy.exe")) returned 1 [0087.095] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.096] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.096] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b8) returned 0x20c [0087.096] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\timothy.exe", lpdwSize=0x353fc90) returned 1 [0087.096] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\timothy.exe", lpdwSize=0x353fc90) returned 1 [0087.096] CloseHandle (hObject=0x20c) returned 1 [0087.096] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="across-camel-teachers.exe")) returned 1 [0087.097] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.097] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.097] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12cc) returned 0x20c [0087.097] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\across-camel-teachers.exe", lpdwSize=0x353fc90) returned 1 [0087.097] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\across-camel-teachers.exe", lpdwSize=0x353fc90) returned 1 [0087.098] CloseHandle (hObject=0x20c) returned 1 [0087.098] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pst.exe")) returned 1 [0087.098] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.099] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.099] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12e0) returned 0x20c [0087.099] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\pst.exe", lpdwSize=0x353fc90) returned 1 [0087.100] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\pst.exe", lpdwSize=0x353fc90) returned 1 [0087.100] CloseHandle (hObject=0x20c) returned 1 [0087.100] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0087.101] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.101] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.101] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13bc) returned 0x20c [0087.101] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0087.101] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0087.101] CloseHandle (hObject=0x20c) returned 1 [0087.101] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0087.102] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.102] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.102] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13c4) returned 0x0 [0087.102] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0087.103] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.103] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.103] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13cc) returned 0x20c [0087.103] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x353fc90) returned 1 [0087.103] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x353fc90) returned 1 [0087.104] CloseHandle (hObject=0x20c) returned 1 [0087.104] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0087.104] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.104] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.104] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13dc) returned 0x20c [0087.104] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0087.105] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0087.105] CloseHandle (hObject=0x20c) returned 1 [0087.105] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0087.106] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.106] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.106] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13e4) returned 0x20c [0087.106] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x353fc90) returned 1 [0087.106] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x353fc90) returned 1 [0087.106] CloseHandle (hObject=0x20c) returned 1 [0087.106] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0087.107] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.107] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.107] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13ec) returned 0x20c [0087.107] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0087.107] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0087.108] CloseHandle (hObject=0x20c) returned 1 [0087.108] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0087.108] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.109] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.109] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13f4) returned 0x20c [0087.109] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0087.109] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0087.109] CloseHandle (hObject=0x20c) returned 1 [0087.109] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1098, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0087.110] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.110] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.110] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1098) returned 0x20c [0087.110] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x353fc90) returned 1 [0087.110] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x353fc90) returned 1 [0087.110] CloseHandle (hObject=0x20c) returned 1 [0087.110] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x13e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0087.111] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.111] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.111] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xad4) returned 0x20c [0087.111] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0087.112] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0087.112] CloseHandle (hObject=0x20c) returned 1 [0087.112] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x608, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x13cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0087.112] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.113] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.113] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x608) returned 0x20c [0087.113] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0087.113] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0087.113] CloseHandle (hObject=0x20c) returned 1 [0087.113] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xda8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xaac, pcPriClassBase=8, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0087.114] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.114] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.114] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xda8) returned 0x20c [0087.114] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpdwSize=0x353fc90) returned 1 [0087.115] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpdwSize=0x353fc90) returned 1 [0087.115] CloseHandle (hObject=0x20c) returned 1 [0087.115] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xaac, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0087.116] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.116] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.116] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x378) returned 0x20c [0087.116] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0087.116] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0087.117] CloseHandle (hObject=0x20c) returned 1 [0087.117] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdd0064, th32DefaultHeapID=0xff01, th32ModuleID=0x53fa9c, cntThreads=0x353fa9c, th32ParentProcessID=0x1031000, pcPriClassBase=32, dwFlags=0x48, szExeFile="????p")) returned 0 [0087.117] CloseHandle (hObject=0x208) returned 1 [0087.118] Sleep (dwMilliseconds=0x1) [0087.165] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x353fd2c, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0087.165] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2e24dc0, cbMultiByte=21, lpWideCharStr=0x353ee34, cchWideChar=2047 | out: lpWideCharStr="agntsvc.exeencsvc.exee") returned 21 [0087.168] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeencsvc.exe", cchWideChar=21, lpMultiByteStr=0x353eca8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeencsvc.exe", lpUsedDefaultChar=0x0) returned 21 [0087.168] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x353fa9c, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0087.169] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x353eca4, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exevc.exeencsvc.exe", lpUsedDefaultChar=0x0) returned 9 [0087.169] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x208 [0087.242] Process32First (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0087.243] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.243] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.243] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0087.246] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeencsvc.exe", cchWideChar=21, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeencsvc.exe4\x01\x01csrss.exevc.exeencsvc.exe", lpUsedDefaultChar=0x0) returned 21 [0087.246] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0087.247] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.247] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.247] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x20c [0087.247] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 0 [0087.247] GetLastError () returned 0x1f [0087.247] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 0 [0087.247] CloseHandle (hObject=0x20c) returned 1 [0087.256] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0087.257] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.257] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.257] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x20c [0087.257] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x353fc90) returned 1 [0087.258] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101867c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x353fc90) returned 1 [0087.258] CloseHandle (hObject=0x20c) returned 1 [0087.258] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0087.259] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.259] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.259] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0087.259] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0087.260] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.260] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.260] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x20c [0087.260] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x353fc90) returned 1 [0087.260] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x353fc90) returned 1 [0087.261] CloseHandle (hObject=0x20c) returned 1 [0087.261] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0087.262] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.262] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.262] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0087.262] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0087.263] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.263] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.263] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x20c [0087.263] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x353fc90) returned 1 [0087.263] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x353fc90) returned 1 [0087.263] CloseHandle (hObject=0x20c) returned 1 [0087.263] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0087.264] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.264] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.264] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x20c [0087.264] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x353fc90) returned 1 [0087.265] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x353fc90) returned 1 [0087.265] CloseHandle (hObject=0x20c) returned 1 [0087.265] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0087.266] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.266] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.266] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x20c [0087.266] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x353fc90) returned 1 [0087.266] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10186fc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x353fc90) returned 1 [0087.267] CloseHandle (hObject=0x20c) returned 1 [0087.267] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.267] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.268] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.268] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x20c [0087.268] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.268] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.268] CloseHandle (hObject=0x20c) returned 1 [0087.268] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0087.269] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.269] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.269] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0087.269] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0087.270] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.270] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.321] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0087.321] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.322] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.322] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.322] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x20c [0087.323] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.323] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.323] CloseHandle (hObject=0x20c) returned 1 [0087.323] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0087.324] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.324] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.324] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0087.324] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.325] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.325] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.325] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x20c [0087.325] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.326] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.326] CloseHandle (hObject=0x20c) returned 1 [0087.326] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x64, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.327] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.327] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.327] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x20c [0087.327] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.327] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.328] CloseHandle (hObject=0x20c) returned 1 [0087.328] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.329] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.329] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.329] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x20c [0087.329] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.329] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.329] CloseHandle (hObject=0x20c) returned 1 [0087.329] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.330] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.330] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.330] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x20c [0087.330] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.331] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.331] CloseHandle (hObject=0x20c) returned 1 [0087.331] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.332] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.332] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.332] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x20c [0087.332] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.332] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.332] CloseHandle (hObject=0x20c) returned 1 [0087.333] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.334] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.334] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.334] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x20c [0087.334] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.334] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.335] CloseHandle (hObject=0x20c) returned 1 [0087.335] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.336] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.336] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.336] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x20c [0087.336] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.336] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.336] CloseHandle (hObject=0x20c) returned 1 [0087.336] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.337] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.337] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.337] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x20c [0087.337] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.338] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.338] CloseHandle (hObject=0x20c) returned 1 [0087.338] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.339] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.339] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.339] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x20c [0087.339] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.339] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.340] CloseHandle (hObject=0x20c) returned 1 [0087.340] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.340] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.341] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.341] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x20c [0087.341] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.341] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.341] CloseHandle (hObject=0x20c) returned 1 [0087.341] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.342] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.342] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.342] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x20c [0087.342] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.343] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.343] CloseHandle (hObject=0x20c) returned 1 [0087.343] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0087.344] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.344] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.344] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x20c [0087.344] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x353fc90) returned 1 [0087.344] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x353fc90) returned 1 [0087.344] CloseHandle (hObject=0x20c) returned 1 [0087.345] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0087.345] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.345] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.346] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x20c [0087.346] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x353fc90) returned 1 [0087.346] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x353fc90) returned 1 [0087.346] CloseHandle (hObject=0x20c) returned 1 [0087.346] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0087.347] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.347] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.347] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x20c [0087.347] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x353fc90) returned 1 [0087.348] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x353fc90) returned 1 [0087.348] CloseHandle (hObject=0x20c) returned 1 [0087.348] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.349] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.349] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.349] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x20c [0087.349] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.350] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.350] CloseHandle (hObject=0x20c) returned 1 [0087.350] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0087.351] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.351] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.351] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x20c [0087.351] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0087.351] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0087.351] CloseHandle (hObject=0x20c) returned 1 [0087.351] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x37, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0087.352] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.352] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.352] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x20c [0087.352] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x353fc90) returned 1 [0087.353] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10186bc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x353fc90) returned 1 [0087.353] CloseHandle (hObject=0x20c) returned 1 [0087.353] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0087.354] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.354] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.354] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x20c [0087.354] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x353fc90) returned 1 [0087.354] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x353fc90) returned 1 [0087.355] CloseHandle (hObject=0x20c) returned 1 [0087.355] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0087.355] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.356] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.356] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x20c [0087.356] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 1 [0087.357] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 1 [0087.357] CloseHandle (hObject=0x20c) returned 1 [0087.357] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0087.358] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.358] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.358] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x20c [0087.358] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 0 [0087.358] GetLastError () returned 0x1f [0087.358] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 0 [0087.358] CloseHandle (hObject=0x20c) returned 1 [0087.449] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0087.450] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.450] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.450] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x20c [0087.450] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x353fc90) returned 1 [0087.451] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x353fc90) returned 1 [0087.451] CloseHandle (hObject=0x20c) returned 1 [0087.451] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0087.452] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.452] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.452] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x20c [0087.452] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x353fc90) returned 1 [0087.452] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x353fc90) returned 1 [0087.453] CloseHandle (hObject=0x20c) returned 1 [0087.453] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0087.453] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.454] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.454] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x20c [0087.454] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x353fc90) returned 1 [0087.454] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x353fc90) returned 1 [0087.454] CloseHandle (hObject=0x20c) returned 1 [0087.454] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0087.455] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.455] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.455] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0087.455] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0087.456] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.456] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.456] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0087.456] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.457] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.457] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.457] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x20c [0087.457] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.458] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0087.458] CloseHandle (hObject=0x20c) returned 1 [0087.459] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0087.459] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.459] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.459] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdec) returned 0x20c [0087.460] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x353fc90) returned 1 [0087.460] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x353fc90) returned 1 [0087.460] CloseHandle (hObject=0x20c) returned 1 [0087.460] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SppExtComObj.Exe")) returned 1 [0087.461] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.461] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.461] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1a4) returned 0x0 [0087.461] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="manufacturers.exe")) returned 1 [0087.462] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.462] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.462] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb14) returned 0x20c [0087.462] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\manufacturers.exe", lpdwSize=0x353fc90) returned 1 [0087.462] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\manufacturers.exe", lpdwSize=0x353fc90) returned 1 [0087.463] CloseHandle (hObject=0x20c) returned 1 [0087.463] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="posters struggle.exe")) returned 1 [0087.464] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.464] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.464] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb00) returned 0x20c [0087.464] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\posters struggle.exe", lpdwSize=0x353fc90) returned 1 [0087.464] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\posters struggle.exe", lpdwSize=0x353fc90) returned 1 [0087.464] CloseHandle (hObject=0x20c) returned 1 [0087.464] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x650, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="dnsreliablemovie.exe")) returned 1 [0087.465] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.465] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.465] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x650) returned 0x20c [0087.465] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\dnsreliablemovie.exe", lpdwSize=0x353fc90) returned 1 [0087.466] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\dnsreliablemovie.exe", lpdwSize=0x353fc90) returned 1 [0087.466] CloseHandle (hObject=0x20c) returned 1 [0087.466] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="uristackaluminum.exe")) returned 1 [0087.467] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.467] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.467] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf8) returned 0x20c [0087.467] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\uristackaluminum.exe", lpdwSize=0x353fc90) returned 1 [0087.467] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\uristackaluminum.exe", lpdwSize=0x353fc90) returned 1 [0087.467] CloseHandle (hObject=0x20c) returned 1 [0087.467] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="freedom.exe")) returned 1 [0087.468] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.468] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.468] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8a0) returned 0x20c [0087.468] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\freedom.exe", lpdwSize=0x353fc90) returned 1 [0087.469] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\freedom.exe", lpdwSize=0x353fc90) returned 1 [0087.469] CloseHandle (hObject=0x20c) returned 1 [0087.469] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="discussion complement stretch.exe")) returned 1 [0087.470] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.470] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.470] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x20c [0087.470] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\discussion complement stretch.exe", lpdwSize=0x353fc90) returned 1 [0087.470] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\discussion complement stretch.exe", lpdwSize=0x353fc90) returned 1 [0087.471] CloseHandle (hObject=0x20c) returned 1 [0087.471] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="grantsfillingraises.exe")) returned 1 [0087.471] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.472] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.472] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe34) returned 0x20c [0087.472] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\grantsfillingraises.exe", lpdwSize=0x353fc90) returned 1 [0087.472] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\grantsfillingraises.exe", lpdwSize=0x353fc90) returned 1 [0087.472] CloseHandle (hObject=0x20c) returned 1 [0087.472] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="confused-periodic-returns.exe")) returned 1 [0087.473] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.473] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.473] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc98) returned 0x20c [0087.473] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\confused-periodic-returns.exe", lpdwSize=0x353fc90) returned 1 [0087.572] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\confused-periodic-returns.exe", lpdwSize=0x353fc90) returned 1 [0087.573] CloseHandle (hObject=0x20c) returned 1 [0087.573] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="song_vinyl_yours.exe")) returned 1 [0087.574] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.574] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.574] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf34) returned 0x20c [0087.574] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\song_vinyl_yours.exe", lpdwSize=0x353fc90) returned 1 [0087.574] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\song_vinyl_yours.exe", lpdwSize=0x353fc90) returned 1 [0087.574] CloseHandle (hObject=0x20c) returned 1 [0087.574] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="palmer-bugs.exe")) returned 1 [0087.575] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.575] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.575] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xee8) returned 0x20c [0087.575] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\palmer-bugs.exe", lpdwSize=0x353fc90) returned 1 [0087.576] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\palmer-bugs.exe", lpdwSize=0x353fc90) returned 1 [0087.576] CloseHandle (hObject=0x20c) returned 1 [0087.576] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="unlikely.exe")) returned 1 [0087.577] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.577] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.577] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa90) returned 0x20c [0087.577] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\unlikely.exe", lpdwSize=0x353fc90) returned 1 [0087.577] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\unlikely.exe", lpdwSize=0x353fc90) returned 1 [0087.578] CloseHandle (hObject=0x20c) returned 1 [0087.578] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="cambodia_alan.exe")) returned 1 [0087.579] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.579] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.579] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf00) returned 0x20c [0087.579] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\cambodia_alan.exe", lpdwSize=0x353fc90) returned 1 [0087.579] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\cambodia_alan.exe", lpdwSize=0x353fc90) returned 1 [0087.579] CloseHandle (hObject=0x20c) returned 1 [0087.579] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="powersellerauctions.exe")) returned 1 [0087.580] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.580] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.580] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4a4) returned 0x20c [0087.580] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\powersellerauctions.exe", lpdwSize=0x353fc90) returned 1 [0087.581] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\powersellerauctions.exe", lpdwSize=0x353fc90) returned 1 [0087.581] CloseHandle (hObject=0x20c) returned 1 [0087.581] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="supervisorswhats.exe")) returned 1 [0087.582] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.582] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.582] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf48) returned 0x20c [0087.582] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\supervisorswhats.exe", lpdwSize=0x353fc90) returned 1 [0087.582] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\supervisorswhats.exe", lpdwSize=0x353fc90) returned 1 [0087.583] CloseHandle (hObject=0x20c) returned 1 [0087.583] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="client-mathematical.exe")) returned 1 [0087.584] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.584] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.584] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf60) returned 0x20c [0087.584] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\client-mathematical.exe", lpdwSize=0x353fc90) returned 1 [0087.584] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\client-mathematical.exe", lpdwSize=0x353fc90) returned 1 [0087.585] CloseHandle (hObject=0x20c) returned 1 [0087.585] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="azresolve.exe")) returned 1 [0087.585] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.586] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.586] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdcc) returned 0x20c [0087.586] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\azresolve.exe", lpdwSize=0x353fc90) returned 1 [0087.586] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\azresolve.exe", lpdwSize=0x353fc90) returned 1 [0087.586] CloseHandle (hObject=0x20c) returned 1 [0087.586] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="shawscenic.exe")) returned 1 [0087.588] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.588] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.588] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x20c [0087.588] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\shawscenic.exe", lpdwSize=0x353fc90) returned 1 [0087.588] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\shawscenic.exe", lpdwSize=0x353fc90) returned 1 [0087.588] CloseHandle (hObject=0x20c) returned 1 [0087.588] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="illinois combo.exe")) returned 1 [0087.590] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.590] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.590] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x20c [0087.590] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Common Files\\illinois combo.exe", lpdwSize=0x353fc90) returned 1 [0087.590] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Common Files\\illinois combo.exe", lpdwSize=0x353fc90) returned 1 [0087.591] CloseHandle (hObject=0x20c) returned 1 [0087.591] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="dat_kenny_ladder.exe")) returned 1 [0087.592] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.592] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.592] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf18) returned 0x20c [0087.592] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\dat_kenny_ladder.exe", lpdwSize=0x353fc90) returned 1 [0087.592] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\dat_kenny_ladder.exe", lpdwSize=0x353fc90) returned 1 [0087.593] CloseHandle (hObject=0x20c) returned 1 [0087.593] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="plasma.exe")) returned 1 [0087.594] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.594] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.594] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfb4) returned 0x20c [0087.594] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Defender\\plasma.exe", lpdwSize=0x353fc90) returned 1 [0087.595] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Defender\\plasma.exe", lpdwSize=0x353fc90) returned 1 [0087.595] CloseHandle (hObject=0x20c) returned 1 [0087.595] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0087.596] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.596] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.596] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb78) returned 0x20c [0087.596] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\3dftp.exe", lpdwSize=0x353fc90) returned 1 [0087.597] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\3dftp.exe", lpdwSize=0x353fc90) returned 1 [0087.597] CloseHandle (hObject=0x20c) returned 1 [0087.597] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0087.598] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.598] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.599] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x20c [0087.599] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\absolutetelnet.exe", lpdwSize=0x353fc90) returned 1 [0087.599] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\absolutetelnet.exe", lpdwSize=0x353fc90) returned 1 [0087.600] CloseHandle (hObject=0x20c) returned 1 [0087.600] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xaf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0087.601] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.601] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.601] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xaf4) returned 0x20c [0087.601] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\alftp.exe", lpdwSize=0x353fc90) returned 1 [0087.602] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\alftp.exe", lpdwSize=0x353fc90) returned 1 [0087.602] CloseHandle (hObject=0x20c) returned 1 [0087.602] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0087.603] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.603] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.603] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xadc) returned 0x20c [0087.603] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\barca.exe", lpdwSize=0x353fc90) returned 1 [0087.604] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\barca.exe", lpdwSize=0x353fc90) returned 1 [0087.604] CloseHandle (hObject=0x20c) returned 1 [0087.604] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0087.605] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.605] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.605] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7f0) returned 0x20c [0087.606] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\bitkinex.exe", lpdwSize=0x353fc90) returned 1 [0087.606] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\bitkinex.exe", lpdwSize=0x353fc90) returned 1 [0087.606] CloseHandle (hObject=0x20c) returned 1 [0087.606] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0087.607] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.607] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.608] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb08) returned 0x20c [0087.608] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Internet Explorer\\coreftp.exe", lpdwSize=0x353fc90) returned 1 [0087.608] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Internet Explorer\\coreftp.exe", lpdwSize=0x353fc90) returned 1 [0087.608] CloseHandle (hObject=0x20c) returned 1 [0087.608] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0087.609] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.610] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.610] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf2c) returned 0x20c [0087.610] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\MSBuild\\far.exe", lpdwSize=0x353fc90) returned 1 [0087.610] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\MSBuild\\far.exe", lpdwSize=0x353fc90) returned 1 [0087.610] CloseHandle (hObject=0x20c) returned 1 [0087.610] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0087.612] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.612] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.612] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x384) returned 0x20c [0087.612] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\filezilla.exe", lpdwSize=0x353fc90) returned 1 [0087.612] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\filezilla.exe", lpdwSize=0x353fc90) returned 1 [0087.612] CloseHandle (hObject=0x20c) returned 1 [0087.612] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0087.614] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.614] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.614] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde0) returned 0x20c [0087.614] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\flashfxp.exe", lpdwSize=0x353fc90) returned 1 [0087.666] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\flashfxp.exe", lpdwSize=0x353fc90) returned 1 [0087.666] CloseHandle (hObject=0x20c) returned 1 [0087.666] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0087.667] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.667] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.667] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x790) returned 0x20c [0087.668] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\fling.exe", lpdwSize=0x353fc90) returned 1 [0087.668] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\fling.exe", lpdwSize=0x353fc90) returned 1 [0087.668] CloseHandle (hObject=0x20c) returned 1 [0087.668] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0087.669] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.670] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.670] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc14) returned 0x20c [0087.670] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\foxmailincmail.exe", lpdwSize=0x353fc90) returned 1 [0087.670] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\foxmailincmail.exe", lpdwSize=0x353fc90) returned 1 [0087.670] CloseHandle (hObject=0x20c) returned 1 [0087.670] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0087.672] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.672] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.672] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x20c [0087.672] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\gmailnotifierpro.exe", lpdwSize=0x353fc90) returned 1 [0087.672] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\gmailnotifierpro.exe", lpdwSize=0x353fc90) returned 1 [0087.672] CloseHandle (hObject=0x20c) returned 1 [0087.672] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0087.674] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.674] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.674] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1010) returned 0x20c [0087.674] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\icq.exe", lpdwSize=0x353fc90) returned 1 [0087.674] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\icq.exe", lpdwSize=0x353fc90) returned 1 [0087.674] CloseHandle (hObject=0x20c) returned 1 [0087.674] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1024, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0087.676] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.676] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.676] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1024) returned 0x20c [0087.676] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\leechftp.exe", lpdwSize=0x353fc90) returned 1 [0087.676] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\leechftp.exe", lpdwSize=0x353fc90) returned 1 [0087.676] CloseHandle (hObject=0x20c) returned 1 [0087.677] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1038, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0087.678] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.678] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.678] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1038) returned 0x20c [0087.679] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\ncftp.exe", lpdwSize=0x353fc90) returned 1 [0087.679] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\ncftp.exe", lpdwSize=0x353fc90) returned 1 [0087.679] CloseHandle (hObject=0x20c) returned 1 [0087.679] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0087.680] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.680] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.680] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x104c) returned 0x20c [0087.681] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0087.681] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0087.681] CloseHandle (hObject=0x20c) returned 1 [0087.681] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1060, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0087.682] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.683] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.683] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1060) returned 0x20c [0087.683] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\operamail.exe", lpdwSize=0x353fc90) returned 1 [0087.683] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\operamail.exe", lpdwSize=0x353fc90) returned 1 [0087.683] CloseHandle (hObject=0x20c) returned 1 [0087.683] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1074, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0087.684] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.685] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.685] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1074) returned 0x20c [0087.685] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\outlook.exe", lpdwSize=0x353fc90) returned 1 [0087.685] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\outlook.exe", lpdwSize=0x353fc90) returned 1 [0087.685] CloseHandle (hObject=0x20c) returned 1 [0087.685] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1088, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0087.686] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.687] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.687] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1088) returned 0x20c [0087.687] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\pidgin.exe", lpdwSize=0x353fc90) returned 1 [0087.687] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\pidgin.exe", lpdwSize=0x353fc90) returned 1 [0087.687] CloseHandle (hObject=0x20c) returned 1 [0087.687] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x109c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0087.688] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.689] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.689] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x109c) returned 0x20c [0087.689] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\scriptftp.exe", lpdwSize=0x353fc90) returned 1 [0087.689] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\scriptftp.exe", lpdwSize=0x353fc90) returned 1 [0087.689] CloseHandle (hObject=0x20c) returned 1 [0087.689] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0087.690] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.691] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.691] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b0) returned 0x20c [0087.691] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\skype.exe", lpdwSize=0x353fc90) returned 1 [0087.691] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\skype.exe", lpdwSize=0x353fc90) returned 1 [0087.691] CloseHandle (hObject=0x20c) returned 1 [0087.691] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0087.693] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.693] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.693] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10c4) returned 0x20c [0087.693] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x353fc90) returned 1 [0087.693] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x353fc90) returned 1 [0087.694] CloseHandle (hObject=0x20c) returned 1 [0087.694] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0087.695] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.695] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.695] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10d8) returned 0x20c [0087.695] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\thunderbird.exe", lpdwSize=0x353fc90) returned 1 [0087.695] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\thunderbird.exe", lpdwSize=0x353fc90) returned 1 [0087.696] CloseHandle (hObject=0x20c) returned 1 [0087.696] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0087.697] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.697] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.697] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10ec) returned 0x20c [0087.697] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\totalcmd.exe", lpdwSize=0x353fc90) returned 1 [0087.697] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\totalcmd.exe", lpdwSize=0x353fc90) returned 1 [0087.698] CloseHandle (hObject=0x20c) returned 1 [0087.698] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1100, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0087.699] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.699] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.699] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1100) returned 0x20c [0087.699] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\trillian.exe", lpdwSize=0x353fc90) returned 1 [0087.699] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\trillian.exe", lpdwSize=0x353fc90) returned 1 [0087.699] CloseHandle (hObject=0x20c) returned 1 [0087.700] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0087.701] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.701] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.701] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1114) returned 0x20c [0087.701] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\webdrive.exe", lpdwSize=0x353fc90) returned 1 [0087.701] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\webdrive.exe", lpdwSize=0x353fc90) returned 1 [0087.701] CloseHandle (hObject=0x20c) returned 1 [0087.702] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1128, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0087.703] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.703] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.703] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1128) returned 0x20c [0087.703] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\whatsapp.exe", lpdwSize=0x353fc90) returned 1 [0087.703] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\whatsapp.exe", lpdwSize=0x353fc90) returned 1 [0087.703] CloseHandle (hObject=0x20c) returned 1 [0087.704] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x113c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0087.705] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.705] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.705] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x113c) returned 0x20c [0087.705] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\winscp.exe", lpdwSize=0x353fc90) returned 1 [0087.705] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\winscp.exe", lpdwSize=0x353fc90) returned 1 [0087.705] CloseHandle (hObject=0x20c) returned 1 [0087.705] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0087.707] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.707] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.707] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x20c [0087.707] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Media Player\\yahoomessenger.exe", lpdwSize=0x353fc90) returned 1 [0087.707] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Media Player\\yahoomessenger.exe", lpdwSize=0x353fc90) returned 1 [0087.707] CloseHandle (hObject=0x20c) returned 1 [0087.707] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0087.769] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.769] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.769] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x20c [0087.769] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\active-charge.exe", lpdwSize=0x353fc90) returned 1 [0087.769] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\active-charge.exe", lpdwSize=0x353fc90) returned 1 [0087.770] CloseHandle (hObject=0x20c) returned 1 [0087.770] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0087.771] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.771] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.771] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x20c [0087.771] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\accupos.exe", lpdwSize=0x353fc90) returned 1 [0087.772] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\accupos.exe", lpdwSize=0x353fc90) returned 1 [0087.772] CloseHandle (hObject=0x20c) returned 1 [0087.772] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0087.773] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.773] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.773] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x20c [0087.773] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\afr38.exe", lpdwSize=0x353fc90) returned 1 [0087.774] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\afr38.exe", lpdwSize=0x353fc90) returned 1 [0087.774] CloseHandle (hObject=0x20c) returned 1 [0087.774] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0087.775] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.775] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.775] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x20c [0087.775] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\aldelo.exe", lpdwSize=0x353fc90) returned 1 [0087.776] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\aldelo.exe", lpdwSize=0x353fc90) returned 1 [0087.776] CloseHandle (hObject=0x20c) returned 1 [0087.776] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0087.777] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.777] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.777] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x20c [0087.777] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\ccv_server.exe", lpdwSize=0x353fc90) returned 1 [0087.778] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\ccv_server.exe", lpdwSize=0x353fc90) returned 1 [0087.778] CloseHandle (hObject=0x20c) returned 1 [0087.778] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0087.779] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.779] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.779] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x20c [0087.779] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\centralcreditcard.exe", lpdwSize=0x353fc90) returned 1 [0087.779] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\centralcreditcard.exe", lpdwSize=0x353fc90) returned 1 [0087.780] CloseHandle (hObject=0x20c) returned 1 [0087.780] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0087.781] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.781] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.781] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x20c [0087.781] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\creditservice.exe", lpdwSize=0x353fc90) returned 1 [0087.781] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\creditservice.exe", lpdwSize=0x353fc90) returned 1 [0087.782] CloseHandle (hObject=0x20c) returned 1 [0087.782] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0087.783] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.783] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.783] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x20c [0087.783] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\edcsvr.exe", lpdwSize=0x353fc90) returned 1 [0087.783] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\edcsvr.exe", lpdwSize=0x353fc90) returned 1 [0087.783] CloseHandle (hObject=0x20c) returned 1 [0087.783] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0087.784] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.785] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.785] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x20c [0087.785] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Sidebar\\fpos.exe", lpdwSize=0x353fc90) returned 1 [0087.785] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Sidebar\\fpos.exe", lpdwSize=0x353fc90) returned 1 [0087.785] CloseHandle (hObject=0x20c) returned 1 [0087.785] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0087.787] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.787] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.787] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x20c [0087.787] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Java\\isspos.exe", lpdwSize=0x353fc90) returned 1 [0087.787] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Java\\isspos.exe", lpdwSize=0x353fc90) returned 1 [0087.788] CloseHandle (hObject=0x20c) returned 1 [0087.788] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0087.789] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.789] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.789] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x20c [0087.789] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\mxslipstream.exe", lpdwSize=0x353fc90) returned 1 [0087.789] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\mxslipstream.exe", lpdwSize=0x353fc90) returned 1 [0087.789] CloseHandle (hObject=0x20c) returned 1 [0087.790] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0087.791] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.791] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.791] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x20c [0087.791] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\omnipos.exe", lpdwSize=0x353fc90) returned 1 [0087.791] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\omnipos.exe", lpdwSize=0x353fc90) returned 1 [0087.791] CloseHandle (hObject=0x20c) returned 1 [0087.791] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0087.792] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.793] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.793] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x20c [0087.793] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Uninstall Information\\spcwin.exe", lpdwSize=0x353fc90) returned 1 [0087.793] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Uninstall Information\\spcwin.exe", lpdwSize=0x353fc90) returned 1 [0087.793] CloseHandle (hObject=0x20c) returned 1 [0087.793] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0087.794] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.794] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.794] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x20c [0087.794] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\spgagentservice.exe", lpdwSize=0x353fc90) returned 1 [0087.795] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\spgagentservice.exe", lpdwSize=0x353fc90) returned 1 [0087.795] CloseHandle (hObject=0x20c) returned 1 [0087.795] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0087.796] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.796] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.796] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x20c [0087.796] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\utg2.exe", lpdwSize=0x353fc90) returned 1 [0087.797] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\utg2.exe", lpdwSize=0x353fc90) returned 1 [0087.797] CloseHandle (hObject=0x20c) returned 1 [0087.797] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare brown worth.exe")) returned 1 [0087.798] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.798] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.798] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x20c [0087.798] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\compare brown worth.exe", lpdwSize=0x353fc90) returned 1 [0087.798] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\compare brown worth.exe", lpdwSize=0x353fc90) returned 1 [0087.799] CloseHandle (hObject=0x20c) returned 1 [0087.799] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="purchase.exe")) returned 1 [0087.800] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.800] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.800] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12a4) returned 0x20c [0087.800] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\purchase.exe", lpdwSize=0x353fc90) returned 1 [0087.800] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\purchase.exe", lpdwSize=0x353fc90) returned 1 [0087.800] CloseHandle (hObject=0x20c) returned 1 [0087.801] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="timothy.exe")) returned 1 [0087.801] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.884] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.885] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b8) returned 0x20c [0087.885] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\timothy.exe", lpdwSize=0x353fc90) returned 1 [0087.885] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\timothy.exe", lpdwSize=0x353fc90) returned 1 [0087.885] CloseHandle (hObject=0x20c) returned 1 [0087.885] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="across-camel-teachers.exe")) returned 1 [0087.886] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.886] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.886] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12cc) returned 0x20c [0087.886] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\across-camel-teachers.exe", lpdwSize=0x353fc90) returned 1 [0087.887] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\across-camel-teachers.exe", lpdwSize=0x353fc90) returned 1 [0087.887] CloseHandle (hObject=0x20c) returned 1 [0087.887] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pst.exe")) returned 1 [0087.888] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.888] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.888] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12e0) returned 0x20c [0087.888] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\pst.exe", lpdwSize=0x353fc90) returned 1 [0087.888] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\pst.exe", lpdwSize=0x353fc90) returned 1 [0087.888] CloseHandle (hObject=0x20c) returned 1 [0087.888] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0087.889] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.889] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.889] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13bc) returned 0x20c [0087.889] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0087.890] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0087.890] CloseHandle (hObject=0x20c) returned 1 [0087.890] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0087.891] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.891] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.891] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13cc) returned 0x20c [0087.891] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x353fc90) returned 1 [0087.891] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x353fc90) returned 1 [0087.891] CloseHandle (hObject=0x20c) returned 1 [0087.891] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0087.892] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.892] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.892] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13dc) returned 0x20c [0087.892] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0087.892] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0087.893] CloseHandle (hObject=0x20c) returned 1 [0087.893] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0087.893] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.894] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.894] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13e4) returned 0x20c [0087.894] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x353fc90) returned 1 [0087.894] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x353fc90) returned 1 [0087.894] CloseHandle (hObject=0x20c) returned 1 [0087.894] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0087.895] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.895] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.895] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13ec) returned 0x20c [0087.895] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0087.895] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0087.896] CloseHandle (hObject=0x20c) returned 1 [0087.896] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0087.896] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.897] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.897] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13f4) returned 0x20c [0087.897] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0087.897] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0087.897] CloseHandle (hObject=0x20c) returned 1 [0087.897] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1098, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0087.898] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.898] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.898] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1098) returned 0x20c [0087.898] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x353fc90) returned 1 [0087.898] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x353fc90) returned 1 [0087.899] CloseHandle (hObject=0x20c) returned 1 [0087.899] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x13e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0087.899] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.899] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.899] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xad4) returned 0x20c [0087.899] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0087.900] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f74c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0087.900] CloseHandle (hObject=0x20c) returned 1 [0087.900] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x608, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x13cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0087.900] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.901] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.901] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x608) returned 0x20c [0087.901] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0087.901] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0087.901] CloseHandle (hObject=0x20c) returned 1 [0087.901] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xda8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xaac, pcPriClassBase=8, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0087.902] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.902] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.902] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xda8) returned 0x20c [0087.902] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpdwSize=0x353fc90) returned 1 [0087.902] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpdwSize=0x353fc90) returned 1 [0087.902] CloseHandle (hObject=0x20c) returned 1 [0087.902] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xaac, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0087.903] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.903] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.903] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x378) returned 0x20c [0087.903] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0087.903] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0087.904] CloseHandle (hObject=0x20c) returned 1 [0087.904] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdd0064, th32DefaultHeapID=0xff01, th32ModuleID=0x53fa9c, cntThreads=0x353fa9c, th32ParentProcessID=0x1031000, pcPriClassBase=32, dwFlags=0x48, szExeFile="????p")) returned 0 [0087.904] CloseHandle (hObject=0x208) returned 1 [0087.904] Sleep (dwMilliseconds=0x1) [0087.950] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x353fd2c, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0087.950] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2e24de8, cbMultiByte=26, lpWideCharStr=0x353ee34, cchWideChar=2047 | out: lpWideCharStr="agntsvc.exeisqlplussvc.exe") returned 26 [0087.953] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeisqlplussvc.exe", cchWideChar=26, lpMultiByteStr=0x353eca8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeisqlplussvc.exe?a", lpUsedDefaultChar=0x0) returned 26 [0087.953] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x353fa9c, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0087.954] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x353eca4, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exevc.exeisqlplussvc.exe?a", lpUsedDefaultChar=0x0) returned 9 [0087.954] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x208 [0087.969] Process32First (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0087.970] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0087.970] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0087.970] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0087.973] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeisqlplussvc.exe", cchWideChar=26, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeisqlplussvc.exerss.exevc.exeisqlplussvc.exe?a", lpUsedDefaultChar=0x0) returned 26 [0087.973] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0088.142] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.142] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.142] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x20c [0088.142] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 0 [0088.143] GetLastError () returned 0x1f [0088.143] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 0 [0088.143] CloseHandle (hObject=0x20c) returned 1 [0088.151] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0088.152] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.152] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.152] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x20c [0088.153] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x353fc90) returned 1 [0088.153] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10186bc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x353fc90) returned 1 [0088.153] CloseHandle (hObject=0x20c) returned 1 [0088.153] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0088.154] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.154] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.154] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0088.155] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0088.155] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.156] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.156] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x20c [0088.156] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x353fc90) returned 1 [0088.156] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x353fc90) returned 1 [0088.156] CloseHandle (hObject=0x20c) returned 1 [0088.156] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0088.157] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.157] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.157] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0088.158] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0088.158] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.159] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.159] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x20c [0088.159] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x353fc90) returned 1 [0088.159] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x353fc90) returned 1 [0088.159] CloseHandle (hObject=0x20c) returned 1 [0088.159] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0088.160] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.160] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.160] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x20c [0088.161] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x353fc90) returned 1 [0088.161] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x353fc90) returned 1 [0088.161] CloseHandle (hObject=0x20c) returned 1 [0088.162] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0088.162] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.163] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.163] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x20c [0088.163] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x353fc90) returned 1 [0088.163] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10185fc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x353fc90) returned 1 [0088.163] CloseHandle (hObject=0x20c) returned 1 [0088.163] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.164] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.164] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.164] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x20c [0088.165] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.165] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.165] CloseHandle (hObject=0x20c) returned 1 [0088.165] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0088.166] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.166] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.166] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0088.166] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0088.167] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.167] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.167] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0088.167] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.168] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.168] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.168] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x20c [0088.169] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.169] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.169] CloseHandle (hObject=0x20c) returned 1 [0088.169] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0088.170] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.170] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.170] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0088.170] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.171] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.171] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.171] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x20c [0088.171] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.172] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.172] CloseHandle (hObject=0x20c) returned 1 [0088.172] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x64, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.173] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.173] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.173] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x20c [0088.173] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.174] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.174] CloseHandle (hObject=0x20c) returned 1 [0088.174] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.175] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.175] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.175] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x20c [0088.175] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.175] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.176] CloseHandle (hObject=0x20c) returned 1 [0088.176] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.177] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.229] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.229] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x20c [0088.229] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.230] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.230] CloseHandle (hObject=0x20c) returned 1 [0088.230] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.231] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.231] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.231] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x20c [0088.231] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.231] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.232] CloseHandle (hObject=0x20c) returned 1 [0088.232] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.233] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.233] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.233] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x20c [0088.233] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.233] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.233] CloseHandle (hObject=0x20c) returned 1 [0088.234] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.234] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.235] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.235] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x20c [0088.235] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.235] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.235] CloseHandle (hObject=0x20c) returned 1 [0088.235] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.236] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.236] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.236] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x20c [0088.236] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.237] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.237] CloseHandle (hObject=0x20c) returned 1 [0088.237] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.238] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.238] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.238] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x20c [0088.238] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.239] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.239] CloseHandle (hObject=0x20c) returned 1 [0088.239] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.240] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.241] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.241] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x20c [0088.241] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.241] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.241] CloseHandle (hObject=0x20c) returned 1 [0088.241] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.242] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.242] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.242] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x20c [0088.242] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.243] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.243] CloseHandle (hObject=0x20c) returned 1 [0088.243] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0088.244] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.244] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.244] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x20c [0088.244] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x353fc90) returned 1 [0088.244] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x353fc90) returned 1 [0088.245] CloseHandle (hObject=0x20c) returned 1 [0088.245] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0088.246] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.246] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.246] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x20c [0088.246] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x353fc90) returned 1 [0088.246] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x353fc90) returned 1 [0088.246] CloseHandle (hObject=0x20c) returned 1 [0088.246] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0088.247] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.247] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.247] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x20c [0088.248] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x353fc90) returned 1 [0088.248] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x353fc90) returned 1 [0088.248] CloseHandle (hObject=0x20c) returned 1 [0088.248] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.249] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.249] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.249] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x20c [0088.249] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.250] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.250] CloseHandle (hObject=0x20c) returned 1 [0088.250] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0088.251] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.251] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.251] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x20c [0088.251] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0088.251] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0088.252] CloseHandle (hObject=0x20c) returned 1 [0088.252] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x37, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0088.253] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.253] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.253] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x20c [0088.253] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x353fc90) returned 1 [0088.253] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10187bc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x353fc90) returned 1 [0088.253] CloseHandle (hObject=0x20c) returned 1 [0088.253] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0088.254] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.254] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.254] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x20c [0088.255] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x353fc90) returned 1 [0088.255] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x353fc90) returned 1 [0088.255] CloseHandle (hObject=0x20c) returned 1 [0088.256] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0088.256] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.257] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.257] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x20c [0088.257] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 1 [0088.257] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 1 [0088.257] CloseHandle (hObject=0x20c) returned 1 [0088.257] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0088.258] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.258] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.258] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x20c [0088.258] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 0 [0088.259] GetLastError () returned 0x1f [0088.259] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 0 [0088.259] CloseHandle (hObject=0x20c) returned 1 [0088.338] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0088.339] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.339] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.339] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x20c [0088.339] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x353fc90) returned 1 [0088.340] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x353fc90) returned 1 [0088.340] CloseHandle (hObject=0x20c) returned 1 [0088.340] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0088.341] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.341] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.341] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x20c [0088.341] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x353fc90) returned 1 [0088.341] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x353fc90) returned 1 [0088.342] CloseHandle (hObject=0x20c) returned 1 [0088.342] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0088.342] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.343] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.343] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x20c [0088.343] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x353fc90) returned 1 [0088.343] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x353fc90) returned 1 [0088.343] CloseHandle (hObject=0x20c) returned 1 [0088.343] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0088.344] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.344] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.344] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0088.344] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0088.345] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.345] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.345] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0088.345] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.346] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.346] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.346] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x20c [0088.346] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.346] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.347] CloseHandle (hObject=0x20c) returned 1 [0088.347] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0088.347] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.348] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.348] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdec) returned 0x20c [0088.348] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x353fc90) returned 1 [0088.348] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x353fc90) returned 1 [0088.348] CloseHandle (hObject=0x20c) returned 1 [0088.348] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SppExtComObj.Exe")) returned 1 [0088.349] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.349] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.349] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1a4) returned 0x0 [0088.349] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="manufacturers.exe")) returned 1 [0088.350] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.350] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.350] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb14) returned 0x20c [0088.350] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\manufacturers.exe", lpdwSize=0x353fc90) returned 1 [0088.350] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\manufacturers.exe", lpdwSize=0x353fc90) returned 1 [0088.351] CloseHandle (hObject=0x20c) returned 1 [0088.351] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="posters struggle.exe")) returned 1 [0088.351] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.351] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.351] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb00) returned 0x20c [0088.351] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\posters struggle.exe", lpdwSize=0x353fc90) returned 1 [0088.352] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\posters struggle.exe", lpdwSize=0x353fc90) returned 1 [0088.352] CloseHandle (hObject=0x20c) returned 1 [0088.352] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x650, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="dnsreliablemovie.exe")) returned 1 [0088.352] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.353] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.353] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x650) returned 0x20c [0088.353] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\dnsreliablemovie.exe", lpdwSize=0x353fc90) returned 1 [0088.353] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\dnsreliablemovie.exe", lpdwSize=0x353fc90) returned 1 [0088.353] CloseHandle (hObject=0x20c) returned 1 [0088.353] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="uristackaluminum.exe")) returned 1 [0088.354] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.354] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.354] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf8) returned 0x20c [0088.354] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\uristackaluminum.exe", lpdwSize=0x353fc90) returned 1 [0088.354] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\uristackaluminum.exe", lpdwSize=0x353fc90) returned 1 [0088.354] CloseHandle (hObject=0x20c) returned 1 [0088.354] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="freedom.exe")) returned 1 [0088.355] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.355] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.355] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8a0) returned 0x20c [0088.355] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\freedom.exe", lpdwSize=0x353fc90) returned 1 [0088.355] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\freedom.exe", lpdwSize=0x353fc90) returned 1 [0088.355] CloseHandle (hObject=0x20c) returned 1 [0088.356] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="discussion complement stretch.exe")) returned 1 [0088.356] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.356] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.356] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x20c [0088.356] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\discussion complement stretch.exe", lpdwSize=0x353fc90) returned 1 [0088.357] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\discussion complement stretch.exe", lpdwSize=0x353fc90) returned 1 [0088.357] CloseHandle (hObject=0x20c) returned 1 [0088.357] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="grantsfillingraises.exe")) returned 1 [0088.357] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.357] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.357] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe34) returned 0x20c [0088.358] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\grantsfillingraises.exe", lpdwSize=0x353fc90) returned 1 [0088.358] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\grantsfillingraises.exe", lpdwSize=0x353fc90) returned 1 [0088.358] CloseHandle (hObject=0x20c) returned 1 [0088.358] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="confused-periodic-returns.exe")) returned 1 [0088.359] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.359] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.359] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc98) returned 0x20c [0088.359] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\confused-periodic-returns.exe", lpdwSize=0x353fc90) returned 1 [0088.359] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\confused-periodic-returns.exe", lpdwSize=0x353fc90) returned 1 [0088.359] CloseHandle (hObject=0x20c) returned 1 [0088.359] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="song_vinyl_yours.exe")) returned 1 [0088.360] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.360] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.360] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf34) returned 0x20c [0088.360] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\song_vinyl_yours.exe", lpdwSize=0x353fc90) returned 1 [0088.360] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\song_vinyl_yours.exe", lpdwSize=0x353fc90) returned 1 [0088.361] CloseHandle (hObject=0x20c) returned 1 [0088.361] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="palmer-bugs.exe")) returned 1 [0088.361] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.362] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.362] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xee8) returned 0x20c [0088.362] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\palmer-bugs.exe", lpdwSize=0x353fc90) returned 1 [0088.362] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\palmer-bugs.exe", lpdwSize=0x353fc90) returned 1 [0088.362] CloseHandle (hObject=0x20c) returned 1 [0088.362] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="unlikely.exe")) returned 1 [0088.363] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.363] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.363] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa90) returned 0x20c [0088.363] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\unlikely.exe", lpdwSize=0x353fc90) returned 1 [0088.363] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\unlikely.exe", lpdwSize=0x353fc90) returned 1 [0088.363] CloseHandle (hObject=0x20c) returned 1 [0088.363] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="cambodia_alan.exe")) returned 1 [0088.364] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.364] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.364] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf00) returned 0x20c [0088.364] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\cambodia_alan.exe", lpdwSize=0x353fc90) returned 1 [0088.364] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\cambodia_alan.exe", lpdwSize=0x353fc90) returned 1 [0088.365] CloseHandle (hObject=0x20c) returned 1 [0088.365] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="powersellerauctions.exe")) returned 1 [0088.365] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.365] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.365] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4a4) returned 0x20c [0088.365] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\powersellerauctions.exe", lpdwSize=0x353fc90) returned 1 [0088.366] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\powersellerauctions.exe", lpdwSize=0x353fc90) returned 1 [0088.366] CloseHandle (hObject=0x20c) returned 1 [0088.366] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="supervisorswhats.exe")) returned 1 [0088.367] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.367] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.367] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf48) returned 0x20c [0088.367] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\supervisorswhats.exe", lpdwSize=0x353fc90) returned 1 [0088.367] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\supervisorswhats.exe", lpdwSize=0x353fc90) returned 1 [0088.367] CloseHandle (hObject=0x20c) returned 1 [0088.367] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="client-mathematical.exe")) returned 1 [0088.368] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.368] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.369] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf60) returned 0x20c [0088.369] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\client-mathematical.exe", lpdwSize=0x353fc90) returned 1 [0088.369] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\client-mathematical.exe", lpdwSize=0x353fc90) returned 1 [0088.369] CloseHandle (hObject=0x20c) returned 1 [0088.369] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="azresolve.exe")) returned 1 [0088.370] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.370] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.370] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdcc) returned 0x20c [0088.370] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\azresolve.exe", lpdwSize=0x353fc90) returned 1 [0088.370] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\azresolve.exe", lpdwSize=0x353fc90) returned 1 [0088.370] CloseHandle (hObject=0x20c) returned 1 [0088.370] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="shawscenic.exe")) returned 1 [0088.371] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.371] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.372] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x20c [0088.372] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\shawscenic.exe", lpdwSize=0x353fc90) returned 1 [0088.372] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\shawscenic.exe", lpdwSize=0x353fc90) returned 1 [0088.372] CloseHandle (hObject=0x20c) returned 1 [0088.372] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="illinois combo.exe")) returned 1 [0088.373] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.373] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.373] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x20c [0088.373] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Common Files\\illinois combo.exe", lpdwSize=0x353fc90) returned 1 [0088.373] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Common Files\\illinois combo.exe", lpdwSize=0x353fc90) returned 1 [0088.374] CloseHandle (hObject=0x20c) returned 1 [0088.374] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="dat_kenny_ladder.exe")) returned 1 [0088.375] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.375] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.375] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf18) returned 0x20c [0088.375] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\dat_kenny_ladder.exe", lpdwSize=0x353fc90) returned 1 [0088.375] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\dat_kenny_ladder.exe", lpdwSize=0x353fc90) returned 1 [0088.375] CloseHandle (hObject=0x20c) returned 1 [0088.375] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="plasma.exe")) returned 1 [0088.376] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.376] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.376] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfb4) returned 0x20c [0088.376] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Defender\\plasma.exe", lpdwSize=0x353fc90) returned 1 [0088.376] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Defender\\plasma.exe", lpdwSize=0x353fc90) returned 1 [0088.377] CloseHandle (hObject=0x20c) returned 1 [0088.377] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0088.378] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.378] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.378] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb78) returned 0x20c [0088.378] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\3dftp.exe", lpdwSize=0x353fc90) returned 1 [0088.378] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\3dftp.exe", lpdwSize=0x353fc90) returned 1 [0088.378] CloseHandle (hObject=0x20c) returned 1 [0088.378] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0088.379] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.379] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.379] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x20c [0088.379] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\absolutetelnet.exe", lpdwSize=0x353fc90) returned 1 [0088.432] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\absolutetelnet.exe", lpdwSize=0x353fc90) returned 1 [0088.433] CloseHandle (hObject=0x20c) returned 1 [0088.433] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xaf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0088.434] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.434] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.434] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xaf4) returned 0x20c [0088.434] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\alftp.exe", lpdwSize=0x353fc90) returned 1 [0088.434] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\alftp.exe", lpdwSize=0x353fc90) returned 1 [0088.434] CloseHandle (hObject=0x20c) returned 1 [0088.434] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0088.435] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.435] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.435] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xadc) returned 0x20c [0088.436] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\barca.exe", lpdwSize=0x353fc90) returned 1 [0088.436] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\barca.exe", lpdwSize=0x353fc90) returned 1 [0088.436] CloseHandle (hObject=0x20c) returned 1 [0088.436] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0088.437] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.437] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.437] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7f0) returned 0x20c [0088.437] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\bitkinex.exe", lpdwSize=0x353fc90) returned 1 [0088.437] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\bitkinex.exe", lpdwSize=0x353fc90) returned 1 [0088.437] CloseHandle (hObject=0x20c) returned 1 [0088.438] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0088.439] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.439] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.439] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb08) returned 0x20c [0088.439] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Internet Explorer\\coreftp.exe", lpdwSize=0x353fc90) returned 1 [0088.439] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Internet Explorer\\coreftp.exe", lpdwSize=0x353fc90) returned 1 [0088.439] CloseHandle (hObject=0x20c) returned 1 [0088.439] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0088.441] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.441] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.441] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf2c) returned 0x20c [0088.441] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\MSBuild\\far.exe", lpdwSize=0x353fc90) returned 1 [0088.441] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\MSBuild\\far.exe", lpdwSize=0x353fc90) returned 1 [0088.441] CloseHandle (hObject=0x20c) returned 1 [0088.441] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0088.444] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.444] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.444] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x384) returned 0x20c [0088.444] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\filezilla.exe", lpdwSize=0x353fc90) returned 1 [0088.444] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\filezilla.exe", lpdwSize=0x353fc90) returned 1 [0088.444] CloseHandle (hObject=0x20c) returned 1 [0088.444] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0088.445] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.445] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.445] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde0) returned 0x20c [0088.445] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\flashfxp.exe", lpdwSize=0x353fc90) returned 1 [0088.446] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\flashfxp.exe", lpdwSize=0x353fc90) returned 1 [0088.446] CloseHandle (hObject=0x20c) returned 1 [0088.446] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0088.447] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.447] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.447] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x790) returned 0x20c [0088.447] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\fling.exe", lpdwSize=0x353fc90) returned 1 [0088.447] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\fling.exe", lpdwSize=0x353fc90) returned 1 [0088.447] CloseHandle (hObject=0x20c) returned 1 [0088.447] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0088.448] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.449] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.449] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc14) returned 0x20c [0088.449] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\foxmailincmail.exe", lpdwSize=0x353fc90) returned 1 [0088.449] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\foxmailincmail.exe", lpdwSize=0x353fc90) returned 1 [0088.449] CloseHandle (hObject=0x20c) returned 1 [0088.449] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0088.450] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.450] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.450] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x20c [0088.450] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\gmailnotifierpro.exe", lpdwSize=0x353fc90) returned 1 [0088.450] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\gmailnotifierpro.exe", lpdwSize=0x353fc90) returned 1 [0088.451] CloseHandle (hObject=0x20c) returned 1 [0088.451] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0088.452] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.452] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.452] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1010) returned 0x20c [0088.452] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\icq.exe", lpdwSize=0x353fc90) returned 1 [0088.452] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\icq.exe", lpdwSize=0x353fc90) returned 1 [0088.452] CloseHandle (hObject=0x20c) returned 1 [0088.452] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1024, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0088.453] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.453] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.453] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1024) returned 0x20c [0088.453] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\leechftp.exe", lpdwSize=0x353fc90) returned 1 [0088.454] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\leechftp.exe", lpdwSize=0x353fc90) returned 1 [0088.454] CloseHandle (hObject=0x20c) returned 1 [0088.454] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1038, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0088.455] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.455] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.455] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1038) returned 0x20c [0088.455] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\ncftp.exe", lpdwSize=0x353fc90) returned 1 [0088.456] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\ncftp.exe", lpdwSize=0x353fc90) returned 1 [0088.456] CloseHandle (hObject=0x20c) returned 1 [0088.456] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0088.457] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.457] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.457] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x104c) returned 0x20c [0088.457] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0088.457] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0088.457] CloseHandle (hObject=0x20c) returned 1 [0088.457] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1060, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0088.459] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.459] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.459] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1060) returned 0x20c [0088.459] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\operamail.exe", lpdwSize=0x353fc90) returned 1 [0088.459] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\operamail.exe", lpdwSize=0x353fc90) returned 1 [0088.459] CloseHandle (hObject=0x20c) returned 1 [0088.460] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1074, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0088.460] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.461] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.461] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1074) returned 0x20c [0088.461] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\outlook.exe", lpdwSize=0x353fc90) returned 1 [0088.461] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\outlook.exe", lpdwSize=0x353fc90) returned 1 [0088.461] CloseHandle (hObject=0x20c) returned 1 [0088.461] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1088, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0088.462] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.462] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.462] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1088) returned 0x20c [0088.462] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\pidgin.exe", lpdwSize=0x353fc90) returned 1 [0088.462] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\pidgin.exe", lpdwSize=0x353fc90) returned 1 [0088.463] CloseHandle (hObject=0x20c) returned 1 [0088.463] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x109c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0088.463] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.464] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.464] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x109c) returned 0x20c [0088.464] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\scriptftp.exe", lpdwSize=0x353fc90) returned 1 [0088.464] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\scriptftp.exe", lpdwSize=0x353fc90) returned 1 [0088.464] CloseHandle (hObject=0x20c) returned 1 [0088.464] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0088.465] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.465] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.465] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b0) returned 0x20c [0088.465] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\skype.exe", lpdwSize=0x353fc90) returned 1 [0088.465] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\skype.exe", lpdwSize=0x353fc90) returned 1 [0088.465] CloseHandle (hObject=0x20c) returned 1 [0088.466] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0088.466] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.466] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.466] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10c4) returned 0x20c [0088.467] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x353fc90) returned 1 [0088.467] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x353fc90) returned 1 [0088.467] CloseHandle (hObject=0x20c) returned 1 [0088.467] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0088.468] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.468] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.468] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10d8) returned 0x20c [0088.468] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\thunderbird.exe", lpdwSize=0x353fc90) returned 1 [0088.468] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\thunderbird.exe", lpdwSize=0x353fc90) returned 1 [0088.469] CloseHandle (hObject=0x20c) returned 1 [0088.469] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0088.470] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.470] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.470] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10ec) returned 0x20c [0088.470] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\totalcmd.exe", lpdwSize=0x353fc90) returned 1 [0088.470] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\totalcmd.exe", lpdwSize=0x353fc90) returned 1 [0088.470] CloseHandle (hObject=0x20c) returned 1 [0088.470] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1100, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0088.471] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.471] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.471] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1100) returned 0x20c [0088.471] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\trillian.exe", lpdwSize=0x353fc90) returned 1 [0088.472] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\trillian.exe", lpdwSize=0x353fc90) returned 1 [0088.472] CloseHandle (hObject=0x20c) returned 1 [0088.472] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0088.473] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.473] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.473] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1114) returned 0x20c [0088.473] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\webdrive.exe", lpdwSize=0x353fc90) returned 1 [0088.474] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\webdrive.exe", lpdwSize=0x353fc90) returned 1 [0088.474] CloseHandle (hObject=0x20c) returned 1 [0088.474] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1128, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0088.475] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.475] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.475] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1128) returned 0x20c [0088.475] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\whatsapp.exe", lpdwSize=0x353fc90) returned 1 [0088.532] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\whatsapp.exe", lpdwSize=0x353fc90) returned 1 [0088.532] CloseHandle (hObject=0x20c) returned 1 [0088.532] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x113c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0088.533] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.534] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.534] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x113c) returned 0x20c [0088.534] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\winscp.exe", lpdwSize=0x353fc90) returned 1 [0088.534] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\winscp.exe", lpdwSize=0x353fc90) returned 1 [0088.534] CloseHandle (hObject=0x20c) returned 1 [0088.534] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0088.535] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.535] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.535] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x20c [0088.536] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Media Player\\yahoomessenger.exe", lpdwSize=0x353fc90) returned 1 [0088.536] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Media Player\\yahoomessenger.exe", lpdwSize=0x353fc90) returned 1 [0088.536] CloseHandle (hObject=0x20c) returned 1 [0088.536] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0088.538] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.538] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.538] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x20c [0088.538] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\active-charge.exe", lpdwSize=0x353fc90) returned 1 [0088.538] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\active-charge.exe", lpdwSize=0x353fc90) returned 1 [0088.538] CloseHandle (hObject=0x20c) returned 1 [0088.538] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0088.539] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.540] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.540] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x20c [0088.540] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\accupos.exe", lpdwSize=0x353fc90) returned 1 [0088.540] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\accupos.exe", lpdwSize=0x353fc90) returned 1 [0088.540] CloseHandle (hObject=0x20c) returned 1 [0088.540] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0088.541] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.541] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.541] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x20c [0088.542] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\afr38.exe", lpdwSize=0x353fc90) returned 1 [0088.542] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\afr38.exe", lpdwSize=0x353fc90) returned 1 [0088.542] CloseHandle (hObject=0x20c) returned 1 [0088.542] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0088.543] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.543] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.543] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x20c [0088.543] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\aldelo.exe", lpdwSize=0x353fc90) returned 1 [0088.544] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\aldelo.exe", lpdwSize=0x353fc90) returned 1 [0088.544] CloseHandle (hObject=0x20c) returned 1 [0088.544] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0088.545] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.545] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.545] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x20c [0088.545] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\ccv_server.exe", lpdwSize=0x353fc90) returned 1 [0088.546] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\ccv_server.exe", lpdwSize=0x353fc90) returned 1 [0088.546] CloseHandle (hObject=0x20c) returned 1 [0088.546] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0088.547] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.547] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.547] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x20c [0088.547] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\centralcreditcard.exe", lpdwSize=0x353fc90) returned 1 [0088.547] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\centralcreditcard.exe", lpdwSize=0x353fc90) returned 1 [0088.548] CloseHandle (hObject=0x20c) returned 1 [0088.548] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0088.549] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.549] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.549] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x20c [0088.549] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\creditservice.exe", lpdwSize=0x353fc90) returned 1 [0088.549] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\creditservice.exe", lpdwSize=0x353fc90) returned 1 [0088.549] CloseHandle (hObject=0x20c) returned 1 [0088.550] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0088.551] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.551] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.551] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x20c [0088.551] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\edcsvr.exe", lpdwSize=0x353fc90) returned 1 [0088.551] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\edcsvr.exe", lpdwSize=0x353fc90) returned 1 [0088.551] CloseHandle (hObject=0x20c) returned 1 [0088.551] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0088.554] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.554] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.554] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x20c [0088.554] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Sidebar\\fpos.exe", lpdwSize=0x353fc90) returned 1 [0088.555] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Sidebar\\fpos.exe", lpdwSize=0x353fc90) returned 1 [0088.555] CloseHandle (hObject=0x20c) returned 1 [0088.555] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0088.556] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.556] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.556] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x20c [0088.556] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Java\\isspos.exe", lpdwSize=0x353fc90) returned 1 [0088.557] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Java\\isspos.exe", lpdwSize=0x353fc90) returned 1 [0088.557] CloseHandle (hObject=0x20c) returned 1 [0088.557] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0088.558] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.558] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.558] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x20c [0088.558] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\mxslipstream.exe", lpdwSize=0x353fc90) returned 1 [0088.558] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\mxslipstream.exe", lpdwSize=0x353fc90) returned 1 [0088.559] CloseHandle (hObject=0x20c) returned 1 [0088.559] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0088.560] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.560] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.560] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x20c [0088.560] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\omnipos.exe", lpdwSize=0x353fc90) returned 1 [0088.560] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\omnipos.exe", lpdwSize=0x353fc90) returned 1 [0088.560] CloseHandle (hObject=0x20c) returned 1 [0088.561] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0088.562] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.562] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.562] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x20c [0088.562] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Uninstall Information\\spcwin.exe", lpdwSize=0x353fc90) returned 1 [0088.562] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Uninstall Information\\spcwin.exe", lpdwSize=0x353fc90) returned 1 [0088.562] CloseHandle (hObject=0x20c) returned 1 [0088.562] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0088.563] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.563] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.563] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x20c [0088.564] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\spgagentservice.exe", lpdwSize=0x353fc90) returned 1 [0088.564] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\spgagentservice.exe", lpdwSize=0x353fc90) returned 1 [0088.564] CloseHandle (hObject=0x20c) returned 1 [0088.564] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0088.565] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.565] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.565] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x20c [0088.565] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\utg2.exe", lpdwSize=0x353fc90) returned 1 [0088.566] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\utg2.exe", lpdwSize=0x353fc90) returned 1 [0088.566] CloseHandle (hObject=0x20c) returned 1 [0088.566] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare brown worth.exe")) returned 1 [0088.567] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.567] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.567] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x20c [0088.567] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\compare brown worth.exe", lpdwSize=0x353fc90) returned 1 [0088.567] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\compare brown worth.exe", lpdwSize=0x353fc90) returned 1 [0088.568] CloseHandle (hObject=0x20c) returned 1 [0088.568] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="purchase.exe")) returned 1 [0088.665] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.665] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.665] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12a4) returned 0x20c [0088.665] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\purchase.exe", lpdwSize=0x353fc90) returned 1 [0088.666] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\purchase.exe", lpdwSize=0x353fc90) returned 1 [0088.666] CloseHandle (hObject=0x20c) returned 1 [0088.666] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="timothy.exe")) returned 1 [0088.667] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.667] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.667] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b8) returned 0x20c [0088.667] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\timothy.exe", lpdwSize=0x353fc90) returned 1 [0088.667] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\timothy.exe", lpdwSize=0x353fc90) returned 1 [0088.667] CloseHandle (hObject=0x20c) returned 1 [0088.667] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="across-camel-teachers.exe")) returned 1 [0088.668] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.668] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.668] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12cc) returned 0x20c [0088.669] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\across-camel-teachers.exe", lpdwSize=0x353fc90) returned 1 [0088.669] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\across-camel-teachers.exe", lpdwSize=0x353fc90) returned 1 [0088.669] CloseHandle (hObject=0x20c) returned 1 [0088.669] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pst.exe")) returned 1 [0088.670] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.670] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.670] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12e0) returned 0x20c [0088.670] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\pst.exe", lpdwSize=0x353fc90) returned 1 [0088.671] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\pst.exe", lpdwSize=0x353fc90) returned 1 [0088.671] CloseHandle (hObject=0x20c) returned 1 [0088.671] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0088.672] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.672] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.672] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13bc) returned 0x20c [0088.672] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0088.672] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0088.673] CloseHandle (hObject=0x20c) returned 1 [0088.673] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0088.673] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.674] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.674] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13cc) returned 0x20c [0088.674] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x353fc90) returned 1 [0088.674] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x353fc90) returned 1 [0088.674] CloseHandle (hObject=0x20c) returned 1 [0088.674] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0088.675] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.675] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.675] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13dc) returned 0x20c [0088.675] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0088.675] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0088.675] CloseHandle (hObject=0x20c) returned 1 [0088.675] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0088.676] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.676] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.676] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13e4) returned 0x20c [0088.676] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x353fc90) returned 1 [0088.677] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x353fc90) returned 1 [0088.677] CloseHandle (hObject=0x20c) returned 1 [0088.677] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0088.678] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.678] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.678] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13ec) returned 0x20c [0088.678] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0088.678] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0088.678] CloseHandle (hObject=0x20c) returned 1 [0088.678] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0088.679] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.679] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.679] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13f4) returned 0x20c [0088.679] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0088.680] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0088.680] CloseHandle (hObject=0x20c) returned 1 [0088.680] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1098, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0088.681] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.681] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.681] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1098) returned 0x20c [0088.681] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x353fc90) returned 1 [0088.681] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x353fc90) returned 1 [0088.681] CloseHandle (hObject=0x20c) returned 1 [0088.681] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x13e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0088.682] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.682] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.682] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xad4) returned 0x20c [0088.682] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0088.683] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0088.683] CloseHandle (hObject=0x20c) returned 1 [0088.683] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x608, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x13cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0088.684] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.684] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.684] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x608) returned 0x20c [0088.684] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0088.684] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0088.684] CloseHandle (hObject=0x20c) returned 1 [0088.685] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xda8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xaac, pcPriClassBase=8, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0088.685] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.685] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.686] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xda8) returned 0x20c [0088.686] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpdwSize=0x353fc90) returned 1 [0088.686] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpdwSize=0x353fc90) returned 1 [0088.686] CloseHandle (hObject=0x20c) returned 1 [0088.686] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xaac, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0088.687] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.687] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.687] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x378) returned 0x20c [0088.687] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0088.687] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0088.688] CloseHandle (hObject=0x20c) returned 1 [0088.688] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdd0064, th32DefaultHeapID=0xff01, th32ModuleID=0x53fa9c, cntThreads=0x353fa9c, th32ParentProcessID=0x1031000, pcPriClassBase=32, dwFlags=0x48, szExeFile="????p")) returned 0 [0088.688] CloseHandle (hObject=0x208) returned 1 [0088.689] Sleep (dwMilliseconds=0x1) [0088.743] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x353fd2c, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0088.743] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2e49768, cbMultiByte=9, lpWideCharStr=0x353ee34, cchWideChar=2047 | out: lpWideCharStr="anvir.exexeisqlplussvc.exe") returned 9 [0088.744] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x353eca8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exe", lpUsedDefaultChar=0x0) returned 9 [0088.744] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x353fa9c, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0088.745] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x353eca4, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exe.exe", lpUsedDefaultChar=0x0) returned 9 [0088.745] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x208 [0088.820] Process32First (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0088.821] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.821] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.821] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0088.822] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exe", lpUsedDefaultChar=0x0) returned 9 [0088.822] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0088.823] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.823] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.823] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x20c [0088.823] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 0 [0088.823] GetLastError () returned 0x1f [0088.823] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 0 [0088.823] CloseHandle (hObject=0x20c) returned 1 [0088.881] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0088.882] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.882] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.882] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x20c [0088.882] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x353fc90) returned 1 [0088.882] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10186bc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x353fc90) returned 1 [0088.883] CloseHandle (hObject=0x20c) returned 1 [0088.883] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0088.883] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.884] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.884] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0088.884] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0088.884] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.885] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.885] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x20c [0088.885] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x353fc90) returned 1 [0088.885] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x353fc90) returned 1 [0088.885] CloseHandle (hObject=0x20c) returned 1 [0088.885] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0088.886] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.886] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.886] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0088.887] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0088.887] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.887] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.887] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x20c [0088.888] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x353fc90) returned 1 [0088.888] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x353fc90) returned 1 [0088.888] CloseHandle (hObject=0x20c) returned 1 [0088.888] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0088.889] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.889] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.889] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x20c [0088.889] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x353fc90) returned 1 [0088.889] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x353fc90) returned 1 [0088.890] CloseHandle (hObject=0x20c) returned 1 [0088.890] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0088.890] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.891] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.891] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x20c [0088.891] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x353fc90) returned 1 [0088.891] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10187bc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x353fc90) returned 1 [0088.891] CloseHandle (hObject=0x20c) returned 1 [0088.891] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.892] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.892] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.892] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x20c [0088.892] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.893] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.893] CloseHandle (hObject=0x20c) returned 1 [0088.893] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0088.894] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.894] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.894] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0088.894] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0088.895] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.895] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.895] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0088.895] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.968] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.969] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.969] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x20c [0088.969] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.970] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.970] CloseHandle (hObject=0x20c) returned 1 [0088.970] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0088.971] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.971] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.971] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0088.971] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.972] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.972] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.972] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x20c [0088.972] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.972] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.973] CloseHandle (hObject=0x20c) returned 1 [0088.973] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x64, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.973] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.974] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.974] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x20c [0088.974] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.974] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.975] CloseHandle (hObject=0x20c) returned 1 [0088.975] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.975] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.976] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.976] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x20c [0088.976] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.976] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.976] CloseHandle (hObject=0x20c) returned 1 [0088.976] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.977] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.977] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.977] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x20c [0088.977] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.978] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.978] CloseHandle (hObject=0x20c) returned 1 [0088.978] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.979] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.979] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.979] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x20c [0088.979] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.979] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.979] CloseHandle (hObject=0x20c) returned 1 [0088.979] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.980] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.980] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.980] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x20c [0088.980] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.980] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.980] CloseHandle (hObject=0x20c) returned 1 [0088.981] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.981] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.981] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.981] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x20c [0088.981] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.982] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.982] CloseHandle (hObject=0x20c) returned 1 [0088.982] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.983] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.983] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.983] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x20c [0088.983] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.983] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.984] CloseHandle (hObject=0x20c) returned 1 [0088.984] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.984] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.985] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.985] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x20c [0088.985] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.985] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.985] CloseHandle (hObject=0x20c) returned 1 [0088.985] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.986] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.986] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.986] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x20c [0088.986] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.987] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.987] CloseHandle (hObject=0x20c) returned 1 [0088.987] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.988] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.988] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.988] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x20c [0088.988] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.988] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.988] CloseHandle (hObject=0x20c) returned 1 [0088.988] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0088.990] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.990] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.990] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x20c [0088.990] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x353fc90) returned 1 [0088.990] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x353fc90) returned 1 [0088.991] CloseHandle (hObject=0x20c) returned 1 [0088.991] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0088.992] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.992] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.992] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x20c [0088.992] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x353fc90) returned 1 [0088.992] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x353fc90) returned 1 [0088.992] CloseHandle (hObject=0x20c) returned 1 [0088.992] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0088.993] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.993] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.993] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x20c [0088.993] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x353fc90) returned 1 [0088.994] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x353fc90) returned 1 [0088.994] CloseHandle (hObject=0x20c) returned 1 [0088.994] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.995] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.995] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.995] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x20c [0088.995] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.995] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0088.995] CloseHandle (hObject=0x20c) returned 1 [0088.995] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0088.996] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.996] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.996] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x20c [0088.996] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0088.997] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0088.997] CloseHandle (hObject=0x20c) returned 1 [0088.997] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x37, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0088.998] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0088.998] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0088.998] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x20c [0088.998] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x353fc90) returned 1 [0088.998] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10186bc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x353fc90) returned 1 [0088.999] CloseHandle (hObject=0x20c) returned 1 [0088.999] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0088.999] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.000] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.000] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x20c [0089.000] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x353fc90) returned 1 [0089.000] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x353fc90) returned 1 [0089.000] CloseHandle (hObject=0x20c) returned 1 [0089.000] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0089.001] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.001] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.001] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x20c [0089.001] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 1 [0089.001] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 1 [0089.002] CloseHandle (hObject=0x20c) returned 1 [0089.002] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0089.002] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.003] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.003] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x20c [0089.003] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 0 [0089.003] GetLastError () returned 0x1f [0089.003] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 0 [0089.003] CloseHandle (hObject=0x20c) returned 1 [0089.085] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0089.086] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.086] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.086] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x20c [0089.086] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x353fc90) returned 1 [0089.086] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x353fc90) returned 1 [0089.087] CloseHandle (hObject=0x20c) returned 1 [0089.087] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0089.087] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.087] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.087] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x20c [0089.088] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x353fc90) returned 1 [0089.088] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x353fc90) returned 1 [0089.088] CloseHandle (hObject=0x20c) returned 1 [0089.088] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0089.089] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.089] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.089] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x20c [0089.089] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x353fc90) returned 1 [0089.089] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x353fc90) returned 1 [0089.089] CloseHandle (hObject=0x20c) returned 1 [0089.089] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0089.090] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.090] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.090] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0089.090] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0089.091] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.091] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.091] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0089.091] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0089.091] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.091] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.091] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x20c [0089.092] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.092] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.092] CloseHandle (hObject=0x20c) returned 1 [0089.092] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0089.093] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.093] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.093] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdec) returned 0x20c [0089.093] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x353fc90) returned 1 [0089.093] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x353fc90) returned 1 [0089.093] CloseHandle (hObject=0x20c) returned 1 [0089.093] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SppExtComObj.Exe")) returned 1 [0089.094] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.094] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.094] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1a4) returned 0x0 [0089.094] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="manufacturers.exe")) returned 1 [0089.094] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.095] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.095] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb14) returned 0x20c [0089.095] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\manufacturers.exe", lpdwSize=0x353fc90) returned 1 [0089.095] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\manufacturers.exe", lpdwSize=0x353fc90) returned 1 [0089.095] CloseHandle (hObject=0x20c) returned 1 [0089.095] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="posters struggle.exe")) returned 1 [0089.096] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.096] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.096] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb00) returned 0x20c [0089.096] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\posters struggle.exe", lpdwSize=0x353fc90) returned 1 [0089.096] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\posters struggle.exe", lpdwSize=0x353fc90) returned 1 [0089.097] CloseHandle (hObject=0x20c) returned 1 [0089.097] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x650, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="dnsreliablemovie.exe")) returned 1 [0089.097] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.097] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.097] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x650) returned 0x20c [0089.097] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\dnsreliablemovie.exe", lpdwSize=0x353fc90) returned 1 [0089.098] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\dnsreliablemovie.exe", lpdwSize=0x353fc90) returned 1 [0089.098] CloseHandle (hObject=0x20c) returned 1 [0089.098] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="uristackaluminum.exe")) returned 1 [0089.098] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.099] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.099] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf8) returned 0x20c [0089.099] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\uristackaluminum.exe", lpdwSize=0x353fc90) returned 1 [0089.100] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\uristackaluminum.exe", lpdwSize=0x353fc90) returned 1 [0089.100] CloseHandle (hObject=0x20c) returned 1 [0089.100] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="freedom.exe")) returned 1 [0089.100] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.101] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.101] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8a0) returned 0x20c [0089.101] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\freedom.exe", lpdwSize=0x353fc90) returned 1 [0089.101] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\freedom.exe", lpdwSize=0x353fc90) returned 1 [0089.101] CloseHandle (hObject=0x20c) returned 1 [0089.101] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="discussion complement stretch.exe")) returned 1 [0089.102] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.102] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.102] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x20c [0089.102] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\discussion complement stretch.exe", lpdwSize=0x353fc90) returned 1 [0089.102] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\discussion complement stretch.exe", lpdwSize=0x353fc90) returned 1 [0089.102] CloseHandle (hObject=0x20c) returned 1 [0089.102] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="grantsfillingraises.exe")) returned 1 [0089.103] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.103] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.103] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe34) returned 0x20c [0089.103] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\grantsfillingraises.exe", lpdwSize=0x353fc90) returned 1 [0089.103] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\grantsfillingraises.exe", lpdwSize=0x353fc90) returned 1 [0089.103] CloseHandle (hObject=0x20c) returned 1 [0089.103] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="confused-periodic-returns.exe")) returned 1 [0089.104] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.104] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.104] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc98) returned 0x20c [0089.104] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\confused-periodic-returns.exe", lpdwSize=0x353fc90) returned 1 [0089.104] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\confused-periodic-returns.exe", lpdwSize=0x353fc90) returned 1 [0089.105] CloseHandle (hObject=0x20c) returned 1 [0089.105] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="song_vinyl_yours.exe")) returned 1 [0089.105] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.105] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.105] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf34) returned 0x20c [0089.105] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\song_vinyl_yours.exe", lpdwSize=0x353fc90) returned 1 [0089.106] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\song_vinyl_yours.exe", lpdwSize=0x353fc90) returned 1 [0089.106] CloseHandle (hObject=0x20c) returned 1 [0089.106] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="palmer-bugs.exe")) returned 1 [0089.106] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.107] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.107] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xee8) returned 0x20c [0089.107] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\palmer-bugs.exe", lpdwSize=0x353fc90) returned 1 [0089.107] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\palmer-bugs.exe", lpdwSize=0x353fc90) returned 1 [0089.107] CloseHandle (hObject=0x20c) returned 1 [0089.107] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="unlikely.exe")) returned 1 [0089.108] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.108] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.108] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa90) returned 0x20c [0089.108] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\unlikely.exe", lpdwSize=0x353fc90) returned 1 [0089.108] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\unlikely.exe", lpdwSize=0x353fc90) returned 1 [0089.108] CloseHandle (hObject=0x20c) returned 1 [0089.108] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="cambodia_alan.exe")) returned 1 [0089.109] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.109] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.109] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf00) returned 0x20c [0089.109] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\cambodia_alan.exe", lpdwSize=0x353fc90) returned 1 [0089.109] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\cambodia_alan.exe", lpdwSize=0x353fc90) returned 1 [0089.109] CloseHandle (hObject=0x20c) returned 1 [0089.109] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="powersellerauctions.exe")) returned 1 [0089.110] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.110] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.110] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4a4) returned 0x20c [0089.110] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\powersellerauctions.exe", lpdwSize=0x353fc90) returned 1 [0089.110] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\powersellerauctions.exe", lpdwSize=0x353fc90) returned 1 [0089.111] CloseHandle (hObject=0x20c) returned 1 [0089.111] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="supervisorswhats.exe")) returned 1 [0089.111] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.112] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.112] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf48) returned 0x20c [0089.112] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\supervisorswhats.exe", lpdwSize=0x353fc90) returned 1 [0089.112] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\supervisorswhats.exe", lpdwSize=0x353fc90) returned 1 [0089.112] CloseHandle (hObject=0x20c) returned 1 [0089.112] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="client-mathematical.exe")) returned 1 [0089.113] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.113] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.113] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf60) returned 0x20c [0089.113] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\client-mathematical.exe", lpdwSize=0x353fc90) returned 1 [0089.113] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\client-mathematical.exe", lpdwSize=0x353fc90) returned 1 [0089.113] CloseHandle (hObject=0x20c) returned 1 [0089.113] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="azresolve.exe")) returned 1 [0089.114] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.114] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.195] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdcc) returned 0x20c [0089.196] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\azresolve.exe", lpdwSize=0x353fc90) returned 1 [0089.196] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\azresolve.exe", lpdwSize=0x353fc90) returned 1 [0089.196] CloseHandle (hObject=0x20c) returned 1 [0089.196] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="shawscenic.exe")) returned 1 [0089.198] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.198] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.198] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x20c [0089.198] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\shawscenic.exe", lpdwSize=0x353fc90) returned 1 [0089.198] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\shawscenic.exe", lpdwSize=0x353fc90) returned 1 [0089.198] CloseHandle (hObject=0x20c) returned 1 [0089.198] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="illinois combo.exe")) returned 1 [0089.200] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.200] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.200] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x20c [0089.200] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Common Files\\illinois combo.exe", lpdwSize=0x353fc90) returned 1 [0089.200] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Common Files\\illinois combo.exe", lpdwSize=0x353fc90) returned 1 [0089.201] CloseHandle (hObject=0x20c) returned 1 [0089.201] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="dat_kenny_ladder.exe")) returned 1 [0089.202] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.202] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.202] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf18) returned 0x20c [0089.202] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\dat_kenny_ladder.exe", lpdwSize=0x353fc90) returned 1 [0089.203] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\dat_kenny_ladder.exe", lpdwSize=0x353fc90) returned 1 [0089.203] CloseHandle (hObject=0x20c) returned 1 [0089.203] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="plasma.exe")) returned 1 [0089.204] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.204] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.204] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfb4) returned 0x20c [0089.204] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Defender\\plasma.exe", lpdwSize=0x353fc90) returned 1 [0089.205] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Defender\\plasma.exe", lpdwSize=0x353fc90) returned 1 [0089.205] CloseHandle (hObject=0x20c) returned 1 [0089.205] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0089.206] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.206] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.206] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb78) returned 0x20c [0089.207] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\3dftp.exe", lpdwSize=0x353fc90) returned 1 [0089.207] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\3dftp.exe", lpdwSize=0x353fc90) returned 1 [0089.207] CloseHandle (hObject=0x20c) returned 1 [0089.207] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0089.209] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.209] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.209] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x20c [0089.209] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\absolutetelnet.exe", lpdwSize=0x353fc90) returned 1 [0089.210] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\absolutetelnet.exe", lpdwSize=0x353fc90) returned 1 [0089.210] CloseHandle (hObject=0x20c) returned 1 [0089.210] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xaf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0089.211] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.211] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.211] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xaf4) returned 0x20c [0089.212] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\alftp.exe", lpdwSize=0x353fc90) returned 1 [0089.212] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\alftp.exe", lpdwSize=0x353fc90) returned 1 [0089.212] CloseHandle (hObject=0x20c) returned 1 [0089.212] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0089.213] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.213] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.214] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xadc) returned 0x20c [0089.214] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\barca.exe", lpdwSize=0x353fc90) returned 1 [0089.214] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\barca.exe", lpdwSize=0x353fc90) returned 1 [0089.214] CloseHandle (hObject=0x20c) returned 1 [0089.214] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0089.216] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.216] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.216] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7f0) returned 0x20c [0089.216] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\bitkinex.exe", lpdwSize=0x353fc90) returned 1 [0089.216] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\bitkinex.exe", lpdwSize=0x353fc90) returned 1 [0089.216] CloseHandle (hObject=0x20c) returned 1 [0089.216] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0089.218] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.218] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.218] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb08) returned 0x20c [0089.218] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Internet Explorer\\coreftp.exe", lpdwSize=0x353fc90) returned 1 [0089.218] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Internet Explorer\\coreftp.exe", lpdwSize=0x353fc90) returned 1 [0089.218] CloseHandle (hObject=0x20c) returned 1 [0089.219] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0089.220] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.220] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.220] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf2c) returned 0x20c [0089.220] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\MSBuild\\far.exe", lpdwSize=0x353fc90) returned 1 [0089.220] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\MSBuild\\far.exe", lpdwSize=0x353fc90) returned 1 [0089.221] CloseHandle (hObject=0x20c) returned 1 [0089.221] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0089.222] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.222] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.222] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x384) returned 0x20c [0089.222] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\filezilla.exe", lpdwSize=0x353fc90) returned 1 [0089.222] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\filezilla.exe", lpdwSize=0x353fc90) returned 1 [0089.223] CloseHandle (hObject=0x20c) returned 1 [0089.223] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0089.224] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.225] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.225] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde0) returned 0x20c [0089.225] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\flashfxp.exe", lpdwSize=0x353fc90) returned 1 [0089.225] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\flashfxp.exe", lpdwSize=0x353fc90) returned 1 [0089.225] CloseHandle (hObject=0x20c) returned 1 [0089.225] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0089.227] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.227] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.227] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x790) returned 0x20c [0089.227] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\fling.exe", lpdwSize=0x353fc90) returned 1 [0089.227] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\fling.exe", lpdwSize=0x353fc90) returned 1 [0089.227] CloseHandle (hObject=0x20c) returned 1 [0089.227] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0089.229] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.229] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.229] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc14) returned 0x20c [0089.229] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\foxmailincmail.exe", lpdwSize=0x353fc90) returned 1 [0089.229] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\foxmailincmail.exe", lpdwSize=0x353fc90) returned 1 [0089.229] CloseHandle (hObject=0x20c) returned 1 [0089.230] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0089.231] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.231] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.231] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x20c [0089.231] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\gmailnotifierpro.exe", lpdwSize=0x353fc90) returned 1 [0089.231] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\gmailnotifierpro.exe", lpdwSize=0x353fc90) returned 1 [0089.232] CloseHandle (hObject=0x20c) returned 1 [0089.232] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0089.233] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.233] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.233] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1010) returned 0x20c [0089.233] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\icq.exe", lpdwSize=0x353fc90) returned 1 [0089.233] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\icq.exe", lpdwSize=0x353fc90) returned 1 [0089.234] CloseHandle (hObject=0x20c) returned 1 [0089.234] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1024, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0089.273] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.273] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.274] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1024) returned 0x20c [0089.274] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\leechftp.exe", lpdwSize=0x353fc90) returned 1 [0089.274] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\leechftp.exe", lpdwSize=0x353fc90) returned 1 [0089.274] CloseHandle (hObject=0x20c) returned 1 [0089.274] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1038, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0089.275] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.275] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.275] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1038) returned 0x20c [0089.275] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\ncftp.exe", lpdwSize=0x353fc90) returned 1 [0089.275] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\ncftp.exe", lpdwSize=0x353fc90) returned 1 [0089.276] CloseHandle (hObject=0x20c) returned 1 [0089.276] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0089.277] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.277] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.277] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x104c) returned 0x20c [0089.277] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0089.277] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0089.277] CloseHandle (hObject=0x20c) returned 1 [0089.277] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1060, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0089.278] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.278] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.278] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1060) returned 0x20c [0089.278] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\operamail.exe", lpdwSize=0x353fc90) returned 1 [0089.279] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\operamail.exe", lpdwSize=0x353fc90) returned 1 [0089.279] CloseHandle (hObject=0x20c) returned 1 [0089.279] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1074, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0089.280] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.280] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.280] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1074) returned 0x20c [0089.280] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\outlook.exe", lpdwSize=0x353fc90) returned 1 [0089.280] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\outlook.exe", lpdwSize=0x353fc90) returned 1 [0089.280] CloseHandle (hObject=0x20c) returned 1 [0089.280] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1088, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0089.281] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.281] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.281] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1088) returned 0x20c [0089.281] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\pidgin.exe", lpdwSize=0x353fc90) returned 1 [0089.282] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\pidgin.exe", lpdwSize=0x353fc90) returned 1 [0089.282] CloseHandle (hObject=0x20c) returned 1 [0089.282] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x109c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0089.283] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.283] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.283] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x109c) returned 0x20c [0089.283] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\scriptftp.exe", lpdwSize=0x353fc90) returned 1 [0089.283] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\scriptftp.exe", lpdwSize=0x353fc90) returned 1 [0089.283] CloseHandle (hObject=0x20c) returned 1 [0089.283] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0089.284] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.284] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.284] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b0) returned 0x20c [0089.284] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\skype.exe", lpdwSize=0x353fc90) returned 1 [0089.285] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\skype.exe", lpdwSize=0x353fc90) returned 1 [0089.285] CloseHandle (hObject=0x20c) returned 1 [0089.285] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0089.286] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.286] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.286] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10c4) returned 0x20c [0089.286] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x353fc90) returned 1 [0089.287] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x353fc90) returned 1 [0089.287] CloseHandle (hObject=0x20c) returned 1 [0089.287] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0089.288] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.288] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.288] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10d8) returned 0x20c [0089.288] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\thunderbird.exe", lpdwSize=0x353fc90) returned 1 [0089.288] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\thunderbird.exe", lpdwSize=0x353fc90) returned 1 [0089.288] CloseHandle (hObject=0x20c) returned 1 [0089.288] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0089.289] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.289] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.289] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10ec) returned 0x20c [0089.289] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\totalcmd.exe", lpdwSize=0x353fc90) returned 1 [0089.290] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\totalcmd.exe", lpdwSize=0x353fc90) returned 1 [0089.290] CloseHandle (hObject=0x20c) returned 1 [0089.290] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1100, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0089.291] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.291] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.291] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1100) returned 0x20c [0089.291] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\trillian.exe", lpdwSize=0x353fc90) returned 1 [0089.291] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\trillian.exe", lpdwSize=0x353fc90) returned 1 [0089.291] CloseHandle (hObject=0x20c) returned 1 [0089.291] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0089.292] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.292] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.292] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1114) returned 0x20c [0089.292] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\webdrive.exe", lpdwSize=0x353fc90) returned 1 [0089.293] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\webdrive.exe", lpdwSize=0x353fc90) returned 1 [0089.293] CloseHandle (hObject=0x20c) returned 1 [0089.293] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1128, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0089.294] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.294] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.294] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1128) returned 0x20c [0089.294] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\whatsapp.exe", lpdwSize=0x353fc90) returned 1 [0089.294] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\whatsapp.exe", lpdwSize=0x353fc90) returned 1 [0089.294] CloseHandle (hObject=0x20c) returned 1 [0089.294] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x113c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0089.295] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.295] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.295] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x113c) returned 0x20c [0089.295] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\winscp.exe", lpdwSize=0x353fc90) returned 1 [0089.295] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\winscp.exe", lpdwSize=0x353fc90) returned 1 [0089.296] CloseHandle (hObject=0x20c) returned 1 [0089.296] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0089.297] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.297] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.297] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x20c [0089.297] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Media Player\\yahoomessenger.exe", lpdwSize=0x353fc90) returned 1 [0089.297] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Media Player\\yahoomessenger.exe", lpdwSize=0x353fc90) returned 1 [0089.297] CloseHandle (hObject=0x20c) returned 1 [0089.297] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0089.298] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.298] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.298] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x20c [0089.298] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\active-charge.exe", lpdwSize=0x353fc90) returned 1 [0089.298] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\active-charge.exe", lpdwSize=0x353fc90) returned 1 [0089.299] CloseHandle (hObject=0x20c) returned 1 [0089.299] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0089.300] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.300] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.300] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x20c [0089.300] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\accupos.exe", lpdwSize=0x353fc90) returned 1 [0089.300] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\accupos.exe", lpdwSize=0x353fc90) returned 1 [0089.300] CloseHandle (hObject=0x20c) returned 1 [0089.300] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0089.301] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.301] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.301] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x20c [0089.301] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\afr38.exe", lpdwSize=0x353fc90) returned 1 [0089.301] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\afr38.exe", lpdwSize=0x353fc90) returned 1 [0089.302] CloseHandle (hObject=0x20c) returned 1 [0089.302] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0089.303] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.303] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.303] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x20c [0089.303] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\aldelo.exe", lpdwSize=0x353fc90) returned 1 [0089.303] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\aldelo.exe", lpdwSize=0x353fc90) returned 1 [0089.303] CloseHandle (hObject=0x20c) returned 1 [0089.303] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0089.304] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.304] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.304] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x20c [0089.304] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\ccv_server.exe", lpdwSize=0x353fc90) returned 1 [0089.304] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\ccv_server.exe", lpdwSize=0x353fc90) returned 1 [0089.305] CloseHandle (hObject=0x20c) returned 1 [0089.305] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0089.305] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.306] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.306] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x20c [0089.306] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\centralcreditcard.exe", lpdwSize=0x353fc90) returned 1 [0089.306] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\centralcreditcard.exe", lpdwSize=0x353fc90) returned 1 [0089.306] CloseHandle (hObject=0x20c) returned 1 [0089.306] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0089.307] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.307] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.307] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x20c [0089.307] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\creditservice.exe", lpdwSize=0x353fc90) returned 1 [0089.307] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\creditservice.exe", lpdwSize=0x353fc90) returned 1 [0089.307] CloseHandle (hObject=0x20c) returned 1 [0089.307] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0089.308] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.308] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.308] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x20c [0089.308] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\edcsvr.exe", lpdwSize=0x353fc90) returned 1 [0089.309] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\edcsvr.exe", lpdwSize=0x353fc90) returned 1 [0089.309] CloseHandle (hObject=0x20c) returned 1 [0089.309] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0089.310] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.310] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.310] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x20c [0089.310] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Sidebar\\fpos.exe", lpdwSize=0x353fc90) returned 1 [0089.310] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Sidebar\\fpos.exe", lpdwSize=0x353fc90) returned 1 [0089.310] CloseHandle (hObject=0x20c) returned 1 [0089.310] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0089.311] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.311] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.311] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x20c [0089.311] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Java\\isspos.exe", lpdwSize=0x353fc90) returned 1 [0089.311] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Java\\isspos.exe", lpdwSize=0x353fc90) returned 1 [0089.312] CloseHandle (hObject=0x20c) returned 1 [0089.312] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0089.359] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.359] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.359] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x20c [0089.359] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\mxslipstream.exe", lpdwSize=0x353fc90) returned 1 [0089.360] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\mxslipstream.exe", lpdwSize=0x353fc90) returned 1 [0089.360] CloseHandle (hObject=0x20c) returned 1 [0089.360] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0089.361] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.361] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.361] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x20c [0089.361] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\omnipos.exe", lpdwSize=0x353fc90) returned 1 [0089.361] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\omnipos.exe", lpdwSize=0x353fc90) returned 1 [0089.362] CloseHandle (hObject=0x20c) returned 1 [0089.362] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0089.363] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.363] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.363] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x20c [0089.363] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Uninstall Information\\spcwin.exe", lpdwSize=0x353fc90) returned 1 [0089.363] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Uninstall Information\\spcwin.exe", lpdwSize=0x353fc90) returned 1 [0089.364] CloseHandle (hObject=0x20c) returned 1 [0089.364] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0089.365] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.365] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.365] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x20c [0089.365] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\spgagentservice.exe", lpdwSize=0x353fc90) returned 1 [0089.365] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\spgagentservice.exe", lpdwSize=0x353fc90) returned 1 [0089.366] CloseHandle (hObject=0x20c) returned 1 [0089.366] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0089.367] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.367] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.367] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x20c [0089.367] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\utg2.exe", lpdwSize=0x353fc90) returned 1 [0089.367] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\utg2.exe", lpdwSize=0x353fc90) returned 1 [0089.367] CloseHandle (hObject=0x20c) returned 1 [0089.367] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare brown worth.exe")) returned 1 [0089.369] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.369] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.369] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x20c [0089.369] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\compare brown worth.exe", lpdwSize=0x353fc90) returned 1 [0089.369] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\compare brown worth.exe", lpdwSize=0x353fc90) returned 1 [0089.369] CloseHandle (hObject=0x20c) returned 1 [0089.369] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="purchase.exe")) returned 1 [0089.370] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.371] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.371] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12a4) returned 0x20c [0089.371] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\purchase.exe", lpdwSize=0x353fc90) returned 1 [0089.371] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\purchase.exe", lpdwSize=0x353fc90) returned 1 [0089.371] CloseHandle (hObject=0x20c) returned 1 [0089.371] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="timothy.exe")) returned 1 [0089.372] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.372] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.372] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b8) returned 0x20c [0089.372] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\timothy.exe", lpdwSize=0x353fc90) returned 1 [0089.373] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\timothy.exe", lpdwSize=0x353fc90) returned 1 [0089.373] CloseHandle (hObject=0x20c) returned 1 [0089.373] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="across-camel-teachers.exe")) returned 1 [0089.374] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.374] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.374] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12cc) returned 0x20c [0089.374] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\across-camel-teachers.exe", lpdwSize=0x353fc90) returned 1 [0089.375] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\across-camel-teachers.exe", lpdwSize=0x353fc90) returned 1 [0089.375] CloseHandle (hObject=0x20c) returned 1 [0089.375] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pst.exe")) returned 1 [0089.376] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.376] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.376] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12e0) returned 0x20c [0089.376] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\pst.exe", lpdwSize=0x353fc90) returned 1 [0089.376] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\pst.exe", lpdwSize=0x353fc90) returned 1 [0089.377] CloseHandle (hObject=0x20c) returned 1 [0089.377] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0089.378] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.378] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.378] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13bc) returned 0x20c [0089.378] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0089.378] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0089.378] CloseHandle (hObject=0x20c) returned 1 [0089.378] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0089.379] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.379] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.379] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13cc) returned 0x20c [0089.379] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x353fc90) returned 1 [0089.397] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x353fc90) returned 1 [0089.397] CloseHandle (hObject=0x20c) returned 1 [0089.397] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0089.398] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.398] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.398] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13dc) returned 0x20c [0089.398] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0089.399] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0089.399] CloseHandle (hObject=0x20c) returned 1 [0089.399] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0089.400] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.400] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.400] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13e4) returned 0x20c [0089.400] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x353fc90) returned 1 [0089.400] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x353fc90) returned 1 [0089.401] CloseHandle (hObject=0x20c) returned 1 [0089.401] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0089.402] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.402] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.402] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13ec) returned 0x20c [0089.402] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0089.402] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0089.402] CloseHandle (hObject=0x20c) returned 1 [0089.403] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0089.403] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.404] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.404] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13f4) returned 0x20c [0089.404] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0089.404] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0089.404] CloseHandle (hObject=0x20c) returned 1 [0089.404] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1098, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0089.405] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.405] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.405] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1098) returned 0x20c [0089.405] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x353fc90) returned 1 [0089.406] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x353fc90) returned 1 [0089.406] CloseHandle (hObject=0x20c) returned 1 [0089.406] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x13e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0089.407] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.407] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.407] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xad4) returned 0x20c [0089.407] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0089.407] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0089.408] CloseHandle (hObject=0x20c) returned 1 [0089.408] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x608, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x13cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0089.408] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.409] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.409] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x608) returned 0x20c [0089.409] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0089.409] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0089.409] CloseHandle (hObject=0x20c) returned 1 [0089.409] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xda8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xaac, pcPriClassBase=8, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0089.410] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.410] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.410] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xda8) returned 0x20c [0089.410] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpdwSize=0x353fc90) returned 1 [0089.411] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpdwSize=0x353fc90) returned 1 [0089.411] CloseHandle (hObject=0x20c) returned 1 [0089.504] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xaac, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0089.504] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.505] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.505] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x378) returned 0x20c [0089.505] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0089.505] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0089.505] CloseHandle (hObject=0x20c) returned 1 [0089.507] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="notepad.exe", cchWideChar=11, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="notepad.exestrationVerifier.exexe", lpUsedDefaultChar=0x0) returned 11 [0089.508] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exead.exestrationVerifier.exexe", lpUsedDefaultChar=0x0) returned 9 [0089.508] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdd0064, th32DefaultHeapID=0xff01, th32ModuleID=0x53fa9c, cntThreads=0x353fa9c, th32ParentProcessID=0x1031000, pcPriClassBase=32, dwFlags=0x48, szExeFile="????p")) returned 0 [0089.509] CloseHandle (hObject=0x208) returned 1 [0089.509] Sleep (dwMilliseconds=0x1) [0089.554] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x353fd2c, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0089.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2e49798, cbMultiByte=11, lpWideCharStr=0x353ee34, cchWideChar=2047 | out: lpWideCharStr="anvir64.exeisqlplussvc.exe") returned 11 [0089.556] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir64.exe", cchWideChar=11, lpMultiByteStr=0x353eca8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir64.exe?", lpUsedDefaultChar=0x0) returned 11 [0089.556] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x353fa9c, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0089.557] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x353eca4, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exe64.exe?", lpUsedDefaultChar=0x0) returned 9 [0089.557] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x208 [0089.570] Process32First (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0089.571] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.571] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.571] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0089.572] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir64.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir64.exe", lpUsedDefaultChar=0x0) returned 11 [0089.572] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0089.573] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.573] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.573] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x20c [0089.573] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 0 [0089.573] GetLastError () returned 0x1f [0089.573] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 0 [0089.573] CloseHandle (hObject=0x20c) returned 1 [0089.579] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0089.580] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.580] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.580] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x20c [0089.580] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x353fc90) returned 1 [0089.580] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10187bc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x353fc90) returned 1 [0089.581] CloseHandle (hObject=0x20c) returned 1 [0089.581] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0089.582] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.582] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.582] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0089.582] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0089.583] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.583] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.641] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x20c [0089.641] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x353fc90) returned 1 [0089.641] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x353fc90) returned 1 [0089.641] CloseHandle (hObject=0x20c) returned 1 [0089.641] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0089.642] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.642] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.642] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0089.642] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0089.643] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.643] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.643] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x20c [0089.644] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x353fc90) returned 1 [0089.644] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x353fc90) returned 1 [0089.644] CloseHandle (hObject=0x20c) returned 1 [0089.644] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0089.645] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.645] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.645] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x20c [0089.645] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x353fc90) returned 1 [0089.646] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x353fc90) returned 1 [0089.646] CloseHandle (hObject=0x20c) returned 1 [0089.648] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="services.exe", cchWideChar=12, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="services.exeard.exe", lpUsedDefaultChar=0x0) returned 12 [0089.649] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir64.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir64.exes.exeard.exe", lpUsedDefaultChar=0x0) returned 11 [0089.649] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0089.650] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.650] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.650] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x20c [0089.651] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x353fc90) returned 1 [0089.651] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10186bc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x353fc90) returned 1 [0089.651] CloseHandle (hObject=0x20c) returned 1 [0089.652] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsass.exeexeard.exe", lpUsedDefaultChar=0x0) returned 9 [0089.654] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir64.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir64.exexeexeard.exe", lpUsedDefaultChar=0x0) returned 11 [0089.654] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0089.655] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.655] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.655] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x20c [0089.655] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.655] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.656] CloseHandle (hObject=0x20c) returned 1 [0089.657] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exeeard.exe", lpUsedDefaultChar=0x0) returned 11 [0089.658] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir64.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir64.exe.exeeard.exe", lpUsedDefaultChar=0x0) returned 11 [0089.658] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0089.659] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.659] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.659] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0089.661] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exeeard.exe", lpUsedDefaultChar=0x0) returned 11 [0089.662] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir64.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir64.exe.exeeard.exe", lpUsedDefaultChar=0x0) returned 11 [0089.662] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0089.663] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.664] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.664] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0089.665] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exeeard.exe", lpUsedDefaultChar=0x0) returned 11 [0089.667] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir64.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir64.exe.exeeard.exe", lpUsedDefaultChar=0x0) returned 11 [0089.667] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0089.667] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.668] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.668] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x20c [0089.668] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.668] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.668] CloseHandle (hObject=0x20c) returned 1 [0089.669] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0089.670] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.670] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.670] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0089.670] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0089.671] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.671] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.671] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x20c [0089.671] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.672] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.672] CloseHandle (hObject=0x20c) returned 1 [0089.672] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x64, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0089.673] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.673] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.673] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x20c [0089.674] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.674] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.674] CloseHandle (hObject=0x20c) returned 1 [0089.674] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0089.675] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.675] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.675] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x20c [0089.675] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.675] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.676] CloseHandle (hObject=0x20c) returned 1 [0089.676] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0089.676] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.727] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.728] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x20c [0089.728] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.728] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.728] CloseHandle (hObject=0x20c) returned 1 [0089.728] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0089.729] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.729] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.730] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x20c [0089.730] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.730] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.730] CloseHandle (hObject=0x20c) returned 1 [0089.730] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0089.731] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.731] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.731] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x20c [0089.731] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.732] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.732] CloseHandle (hObject=0x20c) returned 1 [0089.732] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0089.733] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.733] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.733] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x20c [0089.733] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.733] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.733] CloseHandle (hObject=0x20c) returned 1 [0089.733] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0089.734] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.734] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.734] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x20c [0089.734] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.735] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.735] CloseHandle (hObject=0x20c) returned 1 [0089.735] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0089.736] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.736] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.736] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x20c [0089.736] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.736] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.737] CloseHandle (hObject=0x20c) returned 1 [0089.737] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0089.738] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.738] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.738] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x20c [0089.738] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.738] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.738] CloseHandle (hObject=0x20c) returned 1 [0089.738] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0089.740] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.740] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.740] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x20c [0089.740] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.741] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.741] CloseHandle (hObject=0x20c) returned 1 [0089.741] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0089.742] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.742] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.742] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x20c [0089.742] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x353fc90) returned 1 [0089.742] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x353fc90) returned 1 [0089.743] CloseHandle (hObject=0x20c) returned 1 [0089.743] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0089.743] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.744] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.744] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x20c [0089.744] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x353fc90) returned 1 [0089.744] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x353fc90) returned 1 [0089.744] CloseHandle (hObject=0x20c) returned 1 [0089.744] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0089.745] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.745] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.745] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x20c [0089.745] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x353fc90) returned 1 [0089.746] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x353fc90) returned 1 [0089.746] CloseHandle (hObject=0x20c) returned 1 [0089.746] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0089.747] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.747] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.747] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x20c [0089.747] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.747] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.748] CloseHandle (hObject=0x20c) returned 1 [0089.748] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0089.748] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.749] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.749] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x20c [0089.749] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0089.749] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0089.749] CloseHandle (hObject=0x20c) returned 1 [0089.749] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x37, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0089.750] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.750] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.750] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x20c [0089.750] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x353fc90) returned 1 [0089.751] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10187bc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x353fc90) returned 1 [0089.751] CloseHandle (hObject=0x20c) returned 1 [0089.751] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0089.752] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.752] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.752] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x20c [0089.752] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x353fc90) returned 1 [0089.752] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x353fc90) returned 1 [0089.752] CloseHandle (hObject=0x20c) returned 1 [0089.753] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0089.753] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.753] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.753] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x20c [0089.754] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 1 [0089.754] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 1 [0089.754] CloseHandle (hObject=0x20c) returned 1 [0089.754] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0089.755] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.756] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.756] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x20c [0089.756] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 0 [0089.756] GetLastError () returned 0x1f [0089.756] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 0 [0089.756] CloseHandle (hObject=0x20c) returned 1 [0089.828] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0089.829] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.829] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.829] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x20c [0089.829] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x353fc90) returned 1 [0089.829] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x353fc90) returned 1 [0089.829] CloseHandle (hObject=0x20c) returned 1 [0089.831] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SearchUI.exe", cchWideChar=12, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SearchUI.exeoRun.exe", lpUsedDefaultChar=0x0) returned 12 [0089.832] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir64.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir64.exeI.exeoRun.exe", lpUsedDefaultChar=0x0) returned 11 [0089.832] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0089.833] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.872] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.872] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x20c [0089.872] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x353fc90) returned 1 [0089.872] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x353fc90) returned 1 [0089.872] CloseHandle (hObject=0x20c) returned 1 [0089.875] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ShellExperienceHost.exe", cchWideChar=23, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ShellExperienceHost.exe", lpUsedDefaultChar=0x0) returned 23 [0089.876] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir64.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir64.exeperienceHost.exe", lpUsedDefaultChar=0x0) returned 11 [0089.876] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0089.877] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.877] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.877] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x20c [0089.877] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x353fc90) returned 1 [0089.877] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x353fc90) returned 1 [0089.878] CloseHandle (hObject=0x20c) returned 1 [0089.880] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="RuntimeBroker.exe", cchWideChar=17, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RuntimeBroker.exest.exe", lpUsedDefaultChar=0x0) returned 17 [0089.881] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir64.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir64.exeBroker.exest.exe", lpUsedDefaultChar=0x0) returned 11 [0089.881] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0089.882] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.882] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.883] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0089.885] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="RuntimeBroker.exe", cchWideChar=17, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RuntimeBroker.exest.exe", lpUsedDefaultChar=0x0) returned 17 [0089.886] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir64.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir64.exeBroker.exest.exe", lpUsedDefaultChar=0x0) returned 11 [0089.886] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0089.886] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.886] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.887] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0089.887] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0089.888] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.888] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.888] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x20c [0089.888] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.889] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0089.889] CloseHandle (hObject=0x20c) returned 1 [0089.889] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0089.890] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.890] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.890] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdec) returned 0x20c [0089.890] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x353fc90) returned 1 [0089.890] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x353fc90) returned 1 [0089.891] CloseHandle (hObject=0x20c) returned 1 [0089.891] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SppExtComObj.Exe")) returned 1 [0089.891] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.892] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.892] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1a4) returned 0x0 [0089.892] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="manufacturers.exe")) returned 1 [0089.892] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.893] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.893] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb14) returned 0x20c [0089.893] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\manufacturers.exe", lpdwSize=0x353fc90) returned 1 [0089.893] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\manufacturers.exe", lpdwSize=0x353fc90) returned 1 [0089.893] CloseHandle (hObject=0x20c) returned 1 [0089.893] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="posters struggle.exe")) returned 1 [0089.894] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.894] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.894] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb00) returned 0x20c [0089.894] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\posters struggle.exe", lpdwSize=0x353fc90) returned 1 [0089.894] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\posters struggle.exe", lpdwSize=0x353fc90) returned 1 [0089.894] CloseHandle (hObject=0x20c) returned 1 [0089.894] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x650, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="dnsreliablemovie.exe")) returned 1 [0089.895] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.895] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.895] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x650) returned 0x20c [0089.895] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\dnsreliablemovie.exe", lpdwSize=0x353fc90) returned 1 [0089.896] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\dnsreliablemovie.exe", lpdwSize=0x353fc90) returned 1 [0089.896] CloseHandle (hObject=0x20c) returned 1 [0089.896] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="uristackaluminum.exe")) returned 1 [0089.897] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.897] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.897] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf8) returned 0x20c [0089.897] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\uristackaluminum.exe", lpdwSize=0x353fc90) returned 1 [0089.897] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\uristackaluminum.exe", lpdwSize=0x353fc90) returned 1 [0089.897] CloseHandle (hObject=0x20c) returned 1 [0089.898] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="freedom.exe")) returned 1 [0089.946] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.946] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.946] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8a0) returned 0x20c [0089.946] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\freedom.exe", lpdwSize=0x353fc90) returned 1 [0089.947] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\freedom.exe", lpdwSize=0x353fc90) returned 1 [0089.947] CloseHandle (hObject=0x20c) returned 1 [0089.947] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="discussion complement stretch.exe")) returned 1 [0089.948] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.948] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.948] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x20c [0089.948] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\discussion complement stretch.exe", lpdwSize=0x353fc90) returned 1 [0089.948] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\discussion complement stretch.exe", lpdwSize=0x353fc90) returned 1 [0089.949] CloseHandle (hObject=0x20c) returned 1 [0089.949] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="grantsfillingraises.exe")) returned 1 [0089.949] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.950] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.950] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe34) returned 0x20c [0089.950] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\grantsfillingraises.exe", lpdwSize=0x353fc90) returned 1 [0089.950] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\grantsfillingraises.exe", lpdwSize=0x353fc90) returned 1 [0089.950] CloseHandle (hObject=0x20c) returned 1 [0089.950] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="confused-periodic-returns.exe")) returned 1 [0089.951] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.951] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.951] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc98) returned 0x20c [0089.951] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\confused-periodic-returns.exe", lpdwSize=0x353fc90) returned 1 [0089.952] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\confused-periodic-returns.exe", lpdwSize=0x353fc90) returned 1 [0089.952] CloseHandle (hObject=0x20c) returned 1 [0089.952] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="song_vinyl_yours.exe")) returned 1 [0089.953] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.953] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.953] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf34) returned 0x20c [0089.953] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\song_vinyl_yours.exe", lpdwSize=0x353fc90) returned 1 [0089.953] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\song_vinyl_yours.exe", lpdwSize=0x353fc90) returned 1 [0089.954] CloseHandle (hObject=0x20c) returned 1 [0089.954] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="palmer-bugs.exe")) returned 1 [0089.954] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.955] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.955] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xee8) returned 0x20c [0089.955] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\palmer-bugs.exe", lpdwSize=0x353fc90) returned 1 [0089.955] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\palmer-bugs.exe", lpdwSize=0x353fc90) returned 1 [0089.955] CloseHandle (hObject=0x20c) returned 1 [0089.955] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="unlikely.exe")) returned 1 [0089.956] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.956] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.956] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa90) returned 0x20c [0089.956] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\unlikely.exe", lpdwSize=0x353fc90) returned 1 [0089.957] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\unlikely.exe", lpdwSize=0x353fc90) returned 1 [0089.957] CloseHandle (hObject=0x20c) returned 1 [0089.957] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="cambodia_alan.exe")) returned 1 [0089.958] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.958] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.958] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf00) returned 0x20c [0089.958] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\cambodia_alan.exe", lpdwSize=0x353fc90) returned 1 [0089.959] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\cambodia_alan.exe", lpdwSize=0x353fc90) returned 1 [0089.959] CloseHandle (hObject=0x20c) returned 1 [0089.959] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="powersellerauctions.exe")) returned 1 [0089.960] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.960] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.960] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4a4) returned 0x20c [0089.960] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\powersellerauctions.exe", lpdwSize=0x353fc90) returned 1 [0089.960] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\powersellerauctions.exe", lpdwSize=0x353fc90) returned 1 [0089.961] CloseHandle (hObject=0x20c) returned 1 [0089.961] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="supervisorswhats.exe")) returned 1 [0089.961] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.962] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.962] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf48) returned 0x20c [0089.962] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\supervisorswhats.exe", lpdwSize=0x353fc90) returned 1 [0089.962] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\supervisorswhats.exe", lpdwSize=0x353fc90) returned 1 [0089.962] CloseHandle (hObject=0x20c) returned 1 [0089.962] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="client-mathematical.exe")) returned 1 [0089.963] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.963] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.963] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf60) returned 0x20c [0089.963] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\client-mathematical.exe", lpdwSize=0x353fc90) returned 1 [0089.964] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\client-mathematical.exe", lpdwSize=0x353fc90) returned 1 [0089.964] CloseHandle (hObject=0x20c) returned 1 [0089.964] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="azresolve.exe")) returned 1 [0089.965] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.965] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.965] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdcc) returned 0x20c [0089.965] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\azresolve.exe", lpdwSize=0x353fc90) returned 1 [0089.965] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\azresolve.exe", lpdwSize=0x353fc90) returned 1 [0089.965] CloseHandle (hObject=0x20c) returned 1 [0089.966] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="shawscenic.exe")) returned 1 [0089.967] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.967] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.967] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x20c [0089.967] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\shawscenic.exe", lpdwSize=0x353fc90) returned 1 [0089.967] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\shawscenic.exe", lpdwSize=0x353fc90) returned 1 [0089.967] CloseHandle (hObject=0x20c) returned 1 [0089.967] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="illinois combo.exe")) returned 1 [0089.969] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.969] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.969] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x20c [0089.969] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Common Files\\illinois combo.exe", lpdwSize=0x353fc90) returned 1 [0089.969] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Common Files\\illinois combo.exe", lpdwSize=0x353fc90) returned 1 [0089.970] CloseHandle (hObject=0x20c) returned 1 [0089.970] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="dat_kenny_ladder.exe")) returned 1 [0089.971] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.971] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.971] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf18) returned 0x20c [0089.972] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\dat_kenny_ladder.exe", lpdwSize=0x353fc90) returned 1 [0089.972] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\dat_kenny_ladder.exe", lpdwSize=0x353fc90) returned 1 [0089.972] CloseHandle (hObject=0x20c) returned 1 [0089.972] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="plasma.exe")) returned 1 [0089.975] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.975] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.975] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfb4) returned 0x20c [0089.975] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Defender\\plasma.exe", lpdwSize=0x353fc90) returned 1 [0089.976] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Defender\\plasma.exe", lpdwSize=0x353fc90) returned 1 [0089.976] CloseHandle (hObject=0x20c) returned 1 [0089.976] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0089.978] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.978] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.978] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb78) returned 0x20c [0089.978] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\3dftp.exe", lpdwSize=0x353fc90) returned 1 [0089.978] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\3dftp.exe", lpdwSize=0x353fc90) returned 1 [0089.979] CloseHandle (hObject=0x20c) returned 1 [0089.979] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0089.980] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.980] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.980] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x20c [0089.980] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\absolutetelnet.exe", lpdwSize=0x353fc90) returned 1 [0089.980] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\absolutetelnet.exe", lpdwSize=0x353fc90) returned 1 [0089.981] CloseHandle (hObject=0x20c) returned 1 [0089.981] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xaf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0089.982] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.982] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.982] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xaf4) returned 0x20c [0089.982] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\alftp.exe", lpdwSize=0x353fc90) returned 1 [0089.983] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\alftp.exe", lpdwSize=0x353fc90) returned 1 [0089.983] CloseHandle (hObject=0x20c) returned 1 [0089.983] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0089.984] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.984] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.984] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xadc) returned 0x20c [0089.985] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\barca.exe", lpdwSize=0x353fc90) returned 1 [0089.985] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\barca.exe", lpdwSize=0x353fc90) returned 1 [0089.985] CloseHandle (hObject=0x20c) returned 1 [0089.985] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0089.986] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.987] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.987] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7f0) returned 0x20c [0089.987] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\bitkinex.exe", lpdwSize=0x353fc90) returned 1 [0089.987] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\bitkinex.exe", lpdwSize=0x353fc90) returned 1 [0089.987] CloseHandle (hObject=0x20c) returned 1 [0089.987] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0089.989] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0089.989] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0089.989] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb08) returned 0x20c [0089.989] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Internet Explorer\\coreftp.exe", lpdwSize=0x353fc90) returned 1 [0090.042] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Internet Explorer\\coreftp.exe", lpdwSize=0x353fc90) returned 1 [0090.042] CloseHandle (hObject=0x20c) returned 1 [0090.042] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0090.043] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.043] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.043] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf2c) returned 0x20c [0090.043] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\MSBuild\\far.exe", lpdwSize=0x353fc90) returned 1 [0090.043] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\MSBuild\\far.exe", lpdwSize=0x353fc90) returned 1 [0090.044] CloseHandle (hObject=0x20c) returned 1 [0090.044] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0090.045] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.045] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.045] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x384) returned 0x20c [0090.045] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\filezilla.exe", lpdwSize=0x353fc90) returned 1 [0090.045] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\filezilla.exe", lpdwSize=0x353fc90) returned 1 [0090.045] CloseHandle (hObject=0x20c) returned 1 [0090.045] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0090.046] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.046] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.046] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde0) returned 0x20c [0090.046] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\flashfxp.exe", lpdwSize=0x353fc90) returned 1 [0090.047] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\flashfxp.exe", lpdwSize=0x353fc90) returned 1 [0090.047] CloseHandle (hObject=0x20c) returned 1 [0090.047] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0090.048] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.048] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.048] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x790) returned 0x20c [0090.048] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\fling.exe", lpdwSize=0x353fc90) returned 1 [0090.048] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\fling.exe", lpdwSize=0x353fc90) returned 1 [0090.049] CloseHandle (hObject=0x20c) returned 1 [0090.049] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0090.050] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.050] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.050] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc14) returned 0x20c [0090.050] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\foxmailincmail.exe", lpdwSize=0x353fc90) returned 1 [0090.050] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\foxmailincmail.exe", lpdwSize=0x353fc90) returned 1 [0090.050] CloseHandle (hObject=0x20c) returned 1 [0090.050] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0090.051] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.052] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.052] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x20c [0090.052] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\gmailnotifierpro.exe", lpdwSize=0x353fc90) returned 1 [0090.052] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\gmailnotifierpro.exe", lpdwSize=0x353fc90) returned 1 [0090.052] CloseHandle (hObject=0x20c) returned 1 [0090.052] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0090.053] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.053] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.053] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1010) returned 0x20c [0090.053] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\icq.exe", lpdwSize=0x353fc90) returned 1 [0090.054] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\icq.exe", lpdwSize=0x353fc90) returned 1 [0090.054] CloseHandle (hObject=0x20c) returned 1 [0090.054] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1024, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0090.055] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.055] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.055] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1024) returned 0x20c [0090.055] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\leechftp.exe", lpdwSize=0x353fc90) returned 1 [0090.055] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\leechftp.exe", lpdwSize=0x353fc90) returned 1 [0090.055] CloseHandle (hObject=0x20c) returned 1 [0090.055] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1038, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0090.056] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.057] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.057] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1038) returned 0x20c [0090.057] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\ncftp.exe", lpdwSize=0x353fc90) returned 1 [0090.057] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\ncftp.exe", lpdwSize=0x353fc90) returned 1 [0090.057] CloseHandle (hObject=0x20c) returned 1 [0090.057] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0090.058] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.058] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.058] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x104c) returned 0x20c [0090.058] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0090.059] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0090.059] CloseHandle (hObject=0x20c) returned 1 [0090.059] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1060, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0090.060] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.060] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.060] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1060) returned 0x20c [0090.060] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\operamail.exe", lpdwSize=0x353fc90) returned 1 [0090.061] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\operamail.exe", lpdwSize=0x353fc90) returned 1 [0090.061] CloseHandle (hObject=0x20c) returned 1 [0090.061] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1074, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0090.062] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.062] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.062] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1074) returned 0x20c [0090.062] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\outlook.exe", lpdwSize=0x353fc90) returned 1 [0090.063] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\outlook.exe", lpdwSize=0x353fc90) returned 1 [0090.063] CloseHandle (hObject=0x20c) returned 1 [0090.063] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1088, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0090.064] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.064] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.064] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1088) returned 0x20c [0090.064] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\pidgin.exe", lpdwSize=0x353fc90) returned 1 [0090.065] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\pidgin.exe", lpdwSize=0x353fc90) returned 1 [0090.065] CloseHandle (hObject=0x20c) returned 1 [0090.065] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x109c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0090.066] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.066] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.066] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x109c) returned 0x20c [0090.066] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\scriptftp.exe", lpdwSize=0x353fc90) returned 1 [0090.066] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\scriptftp.exe", lpdwSize=0x353fc90) returned 1 [0090.067] CloseHandle (hObject=0x20c) returned 1 [0090.067] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0090.068] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.068] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.068] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b0) returned 0x20c [0090.068] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\skype.exe", lpdwSize=0x353fc90) returned 1 [0090.068] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\skype.exe", lpdwSize=0x353fc90) returned 1 [0090.069] CloseHandle (hObject=0x20c) returned 1 [0090.069] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0090.070] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.070] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.070] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10c4) returned 0x20c [0090.070] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x353fc90) returned 1 [0090.070] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x353fc90) returned 1 [0090.070] CloseHandle (hObject=0x20c) returned 1 [0090.070] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0090.071] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.071] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.071] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10d8) returned 0x20c [0090.071] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\thunderbird.exe", lpdwSize=0x353fc90) returned 1 [0090.072] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\thunderbird.exe", lpdwSize=0x353fc90) returned 1 [0090.072] CloseHandle (hObject=0x20c) returned 1 [0090.072] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0090.073] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.073] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.073] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10ec) returned 0x20c [0090.073] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\totalcmd.exe", lpdwSize=0x353fc90) returned 1 [0090.073] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\totalcmd.exe", lpdwSize=0x353fc90) returned 1 [0090.073] CloseHandle (hObject=0x20c) returned 1 [0090.073] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1100, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0090.074] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.075] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.075] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1100) returned 0x20c [0090.075] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\trillian.exe", lpdwSize=0x353fc90) returned 1 [0090.075] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\trillian.exe", lpdwSize=0x353fc90) returned 1 [0090.075] CloseHandle (hObject=0x20c) returned 1 [0090.075] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0090.076] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.076] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.076] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1114) returned 0x20c [0090.076] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\webdrive.exe", lpdwSize=0x353fc90) returned 1 [0090.076] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\webdrive.exe", lpdwSize=0x353fc90) returned 1 [0090.077] CloseHandle (hObject=0x20c) returned 1 [0090.077] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1128, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0090.078] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.078] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.078] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1128) returned 0x20c [0090.078] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\whatsapp.exe", lpdwSize=0x353fc90) returned 1 [0090.078] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\whatsapp.exe", lpdwSize=0x353fc90) returned 1 [0090.078] CloseHandle (hObject=0x20c) returned 1 [0090.078] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x113c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0090.140] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.141] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.141] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x113c) returned 0x20c [0090.141] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\winscp.exe", lpdwSize=0x353fc90) returned 1 [0090.141] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\winscp.exe", lpdwSize=0x353fc90) returned 1 [0090.141] CloseHandle (hObject=0x20c) returned 1 [0090.141] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0090.142] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.143] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.143] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x20c [0090.143] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Media Player\\yahoomessenger.exe", lpdwSize=0x353fc90) returned 1 [0090.143] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Media Player\\yahoomessenger.exe", lpdwSize=0x353fc90) returned 1 [0090.143] CloseHandle (hObject=0x20c) returned 1 [0090.143] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0090.144] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.144] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.145] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x20c [0090.145] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\active-charge.exe", lpdwSize=0x353fc90) returned 1 [0090.145] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\active-charge.exe", lpdwSize=0x353fc90) returned 1 [0090.145] CloseHandle (hObject=0x20c) returned 1 [0090.145] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0090.147] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.147] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.147] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x20c [0090.147] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\accupos.exe", lpdwSize=0x353fc90) returned 1 [0090.147] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\accupos.exe", lpdwSize=0x353fc90) returned 1 [0090.147] CloseHandle (hObject=0x20c) returned 1 [0090.147] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0090.148] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.149] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.149] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x20c [0090.149] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\afr38.exe", lpdwSize=0x353fc90) returned 1 [0090.149] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\afr38.exe", lpdwSize=0x353fc90) returned 1 [0090.149] CloseHandle (hObject=0x20c) returned 1 [0090.149] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0090.150] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.151] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.151] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x20c [0090.151] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\aldelo.exe", lpdwSize=0x353fc90) returned 1 [0090.151] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\aldelo.exe", lpdwSize=0x353fc90) returned 1 [0090.151] CloseHandle (hObject=0x20c) returned 1 [0090.151] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0090.153] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.153] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.153] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x20c [0090.153] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\ccv_server.exe", lpdwSize=0x353fc90) returned 1 [0090.153] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\ccv_server.exe", lpdwSize=0x353fc90) returned 1 [0090.153] CloseHandle (hObject=0x20c) returned 1 [0090.153] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0090.154] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.155] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.155] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x20c [0090.155] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\centralcreditcard.exe", lpdwSize=0x353fc90) returned 1 [0090.155] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\centralcreditcard.exe", lpdwSize=0x353fc90) returned 1 [0090.155] CloseHandle (hObject=0x20c) returned 1 [0090.155] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0090.156] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.157] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.157] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x20c [0090.157] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\creditservice.exe", lpdwSize=0x353fc90) returned 1 [0090.157] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\creditservice.exe", lpdwSize=0x353fc90) returned 1 [0090.157] CloseHandle (hObject=0x20c) returned 1 [0090.157] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0090.158] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.158] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.158] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x20c [0090.159] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\edcsvr.exe", lpdwSize=0x353fc90) returned 1 [0090.159] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\edcsvr.exe", lpdwSize=0x353fc90) returned 1 [0090.159] CloseHandle (hObject=0x20c) returned 1 [0090.159] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0090.160] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.160] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.160] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x20c [0090.160] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Sidebar\\fpos.exe", lpdwSize=0x353fc90) returned 1 [0090.161] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Sidebar\\fpos.exe", lpdwSize=0x353fc90) returned 1 [0090.161] CloseHandle (hObject=0x20c) returned 1 [0090.162] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="fpos.exe", cchWideChar=8, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fpos.exexeice.exe.exexens.exe.exe", lpUsedDefaultChar=0x0) returned 8 [0090.163] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir64.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir64.exeexeice.exe.exexens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0090.163] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0090.164] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.164] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.164] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x20c [0090.164] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Java\\isspos.exe", lpdwSize=0x353fc90) returned 1 [0090.164] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Java\\isspos.exe", lpdwSize=0x353fc90) returned 1 [0090.164] CloseHandle (hObject=0x20c) returned 1 [0090.166] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="isspos.exe", cchWideChar=10, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="isspos.exeice.exe.exexens.exe.exe", lpUsedDefaultChar=0x0) returned 10 [0090.167] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir64.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir64.exeexeice.exe.exexens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0090.167] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0090.168] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.168] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.168] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x20c [0090.168] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\mxslipstream.exe", lpdwSize=0x353fc90) returned 1 [0090.168] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\mxslipstream.exe", lpdwSize=0x353fc90) returned 1 [0090.168] CloseHandle (hObject=0x20c) returned 1 [0090.170] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="mxslipstream.exe", cchWideChar=16, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mxslipstream.exee.exexens.exe.exe", lpUsedDefaultChar=0x0) returned 16 [0090.171] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir64.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir64.exetream.exee.exexens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0090.171] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0090.172] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.172] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.172] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x20c [0090.172] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\omnipos.exe", lpdwSize=0x353fc90) returned 1 [0090.172] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\omnipos.exe", lpdwSize=0x353fc90) returned 1 [0090.172] CloseHandle (hObject=0x20c) returned 1 [0090.173] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="omnipos.exe", cchWideChar=11, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="omnipos.exem.exee.exexens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0090.174] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir64.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir64.exe.exem.exee.exexens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0090.174] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0090.175] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.175] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.175] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x20c [0090.175] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Uninstall Information\\spcwin.exe", lpdwSize=0x353fc90) returned 1 [0090.176] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Uninstall Information\\spcwin.exe", lpdwSize=0x353fc90) returned 1 [0090.176] CloseHandle (hObject=0x20c) returned 1 [0090.227] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="spcwin.exe", cchWideChar=10, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spcwin.exeem.exee.exexens.exe.exe", lpUsedDefaultChar=0x0) returned 10 [0090.228] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir64.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir64.exeexeem.exee.exexens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0090.228] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0090.229] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.230] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.230] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x20c [0090.230] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\spgagentservice.exe", lpdwSize=0x353fc90) returned 1 [0090.230] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\spgagentservice.exe", lpdwSize=0x353fc90) returned 1 [0090.231] CloseHandle (hObject=0x20c) returned 1 [0090.231] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0090.232] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.232] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.232] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x20c [0090.232] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\utg2.exe", lpdwSize=0x353fc90) returned 1 [0090.232] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\utg2.exe", lpdwSize=0x353fc90) returned 1 [0090.232] CloseHandle (hObject=0x20c) returned 1 [0090.233] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare brown worth.exe")) returned 1 [0090.234] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.234] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.234] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x20c [0090.234] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\compare brown worth.exe", lpdwSize=0x353fc90) returned 1 [0090.235] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\compare brown worth.exe", lpdwSize=0x353fc90) returned 1 [0090.235] CloseHandle (hObject=0x20c) returned 1 [0090.235] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="purchase.exe")) returned 1 [0090.236] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.236] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.236] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12a4) returned 0x20c [0090.236] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\purchase.exe", lpdwSize=0x353fc90) returned 1 [0090.236] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\purchase.exe", lpdwSize=0x353fc90) returned 1 [0090.236] CloseHandle (hObject=0x20c) returned 1 [0090.236] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="timothy.exe")) returned 1 [0090.237] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.237] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.237] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b8) returned 0x20c [0090.237] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\timothy.exe", lpdwSize=0x353fc90) returned 1 [0090.238] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\timothy.exe", lpdwSize=0x353fc90) returned 1 [0090.238] CloseHandle (hObject=0x20c) returned 1 [0090.238] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="across-camel-teachers.exe")) returned 1 [0090.239] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.239] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.239] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12cc) returned 0x20c [0090.239] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\across-camel-teachers.exe", lpdwSize=0x353fc90) returned 1 [0090.239] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\across-camel-teachers.exe", lpdwSize=0x353fc90) returned 1 [0090.240] CloseHandle (hObject=0x20c) returned 1 [0090.240] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pst.exe")) returned 1 [0090.240] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.241] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.241] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12e0) returned 0x20c [0090.241] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\pst.exe", lpdwSize=0x353fc90) returned 1 [0090.241] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\pst.exe", lpdwSize=0x353fc90) returned 1 [0090.241] CloseHandle (hObject=0x20c) returned 1 [0090.241] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0090.242] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.242] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.242] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13bc) returned 0x20c [0090.242] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0090.242] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0090.242] CloseHandle (hObject=0x20c) returned 1 [0090.242] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0090.243] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.243] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.243] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13cc) returned 0x20c [0090.243] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x353fc90) returned 1 [0090.243] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x353fc90) returned 1 [0090.244] CloseHandle (hObject=0x20c) returned 1 [0090.244] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0090.244] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.244] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.244] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13dc) returned 0x20c [0090.245] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0090.245] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0090.245] CloseHandle (hObject=0x20c) returned 1 [0090.245] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0090.246] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.246] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.246] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13e4) returned 0x20c [0090.246] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x353fc90) returned 1 [0090.246] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x353fc90) returned 1 [0090.246] CloseHandle (hObject=0x20c) returned 1 [0090.247] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0090.247] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.247] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.247] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13ec) returned 0x20c [0090.247] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0090.248] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0090.248] CloseHandle (hObject=0x20c) returned 1 [0090.248] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0090.249] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.249] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.249] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13f4) returned 0x20c [0090.249] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0090.249] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0090.250] CloseHandle (hObject=0x20c) returned 1 [0090.250] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1098, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0090.250] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.250] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.250] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1098) returned 0x20c [0090.250] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x353fc90) returned 1 [0090.251] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x353fc90) returned 1 [0090.251] CloseHandle (hObject=0x20c) returned 1 [0090.251] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x13e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0090.252] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.252] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.252] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xad4) returned 0x20c [0090.252] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0090.252] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0090.252] CloseHandle (hObject=0x20c) returned 1 [0090.252] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x608, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x13cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0090.253] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.253] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.253] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x608) returned 0x20c [0090.253] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0090.253] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0090.254] CloseHandle (hObject=0x20c) returned 1 [0090.254] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xda8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xaac, pcPriClassBase=8, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0090.254] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.254] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.254] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xda8) returned 0x20c [0090.254] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpdwSize=0x353fc90) returned 1 [0090.255] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpdwSize=0x353fc90) returned 1 [0090.255] CloseHandle (hObject=0x20c) returned 1 [0090.255] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xaac, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0090.256] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.256] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.256] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x378) returned 0x20c [0090.256] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0090.256] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0090.257] CloseHandle (hObject=0x20c) returned 1 [0090.257] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdd0064, th32DefaultHeapID=0xff01, th32ModuleID=0x53fa9c, cntThreads=0x353fa9c, th32ParentProcessID=0x1031000, pcPriClassBase=32, dwFlags=0x48, szExeFile="????p")) returned 0 [0090.257] CloseHandle (hObject=0x208) returned 1 [0090.258] Sleep (dwMilliseconds=0x1) [0090.310] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x353fd2c, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0090.310] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2e49750, cbMultiByte=10, lpWideCharStr=0x353ee34, cchWideChar=2047 | out: lpWideCharStr="apache.exeeisqlplussvc.exe") returned 10 [0090.311] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="apache.exe", cchWideChar=10, lpMultiByteStr=0x353eca8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="apache.exe??", lpUsedDefaultChar=0x0) returned 10 [0090.311] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x353fa9c, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0090.312] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x353eca4, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exee.exe??", lpUsedDefaultChar=0x0) returned 9 [0090.312] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x208 [0090.428] Process32First (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0090.429] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.429] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.429] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0090.430] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="apache.exe", cchWideChar=10, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="apache.exe", lpUsedDefaultChar=0x0) returned 10 [0090.430] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0090.431] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.431] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.431] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x20c [0090.431] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 0 [0090.431] GetLastError () returned 0x1f [0090.432] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 0 [0090.432] CloseHandle (hObject=0x20c) returned 1 [0090.442] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0090.444] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.444] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.444] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x20c [0090.444] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x353fc90) returned 1 [0090.445] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10186bc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x353fc90) returned 1 [0090.445] CloseHandle (hObject=0x20c) returned 1 [0090.445] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0090.446] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.446] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.446] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0090.446] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0090.447] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.447] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.447] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x20c [0090.447] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x353fc90) returned 1 [0090.447] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x353fc90) returned 1 [0090.448] CloseHandle (hObject=0x20c) returned 1 [0090.448] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0090.449] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.449] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.449] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0090.449] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0090.450] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.450] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.450] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x20c [0090.450] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x353fc90) returned 1 [0090.450] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x353fc90) returned 1 [0090.450] CloseHandle (hObject=0x20c) returned 1 [0090.450] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0090.451] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.451] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.451] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x20c [0090.451] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x353fc90) returned 1 [0090.452] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x353fc90) returned 1 [0090.452] CloseHandle (hObject=0x20c) returned 1 [0090.452] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0090.453] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.453] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.453] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x20c [0090.453] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x353fc90) returned 1 [0090.453] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10187bc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x353fc90) returned 1 [0090.453] CloseHandle (hObject=0x20c) returned 1 [0090.454] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.454] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.454] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.454] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x20c [0090.455] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.455] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.455] CloseHandle (hObject=0x20c) returned 1 [0090.455] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0090.456] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.456] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.456] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0090.456] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0090.457] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.457] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.457] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0090.457] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.458] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.495] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.495] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x20c [0090.495] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.495] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.495] CloseHandle (hObject=0x20c) returned 1 [0090.495] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0090.496] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.496] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.496] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0090.497] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.497] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.498] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.498] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x20c [0090.498] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.498] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.498] CloseHandle (hObject=0x20c) returned 1 [0090.498] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x64, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.499] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.499] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.499] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x20c [0090.499] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.499] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.500] CloseHandle (hObject=0x20c) returned 1 [0090.500] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.500] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.501] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.501] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x20c [0090.501] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.501] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.501] CloseHandle (hObject=0x20c) returned 1 [0090.501] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.502] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.502] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.502] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x20c [0090.502] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.503] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.503] CloseHandle (hObject=0x20c) returned 1 [0090.503] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.504] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.504] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.504] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x20c [0090.504] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.504] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.504] CloseHandle (hObject=0x20c) returned 1 [0090.504] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.505] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.505] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.505] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x20c [0090.505] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.506] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.506] CloseHandle (hObject=0x20c) returned 1 [0090.506] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.507] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.507] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.507] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x20c [0090.507] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.507] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.507] CloseHandle (hObject=0x20c) returned 1 [0090.508] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.508] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.508] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.508] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x20c [0090.508] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.509] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.509] CloseHandle (hObject=0x20c) returned 1 [0090.509] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.510] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.510] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.510] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x20c [0090.510] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.510] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.511] CloseHandle (hObject=0x20c) returned 1 [0090.511] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.512] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.512] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.512] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x20c [0090.512] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.513] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.513] CloseHandle (hObject=0x20c) returned 1 [0090.513] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.514] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.514] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.514] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x20c [0090.514] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.514] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.514] CloseHandle (hObject=0x20c) returned 1 [0090.514] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0090.515] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.515] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.515] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x20c [0090.515] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x353fc90) returned 1 [0090.516] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x353fc90) returned 1 [0090.516] CloseHandle (hObject=0x20c) returned 1 [0090.516] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0090.517] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.517] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.517] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x20c [0090.517] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x353fc90) returned 1 [0090.517] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x353fc90) returned 1 [0090.517] CloseHandle (hObject=0x20c) returned 1 [0090.517] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0090.518] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.518] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.518] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x20c [0090.518] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x353fc90) returned 1 [0090.519] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x353fc90) returned 1 [0090.519] CloseHandle (hObject=0x20c) returned 1 [0090.519] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.520] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.520] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.520] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x20c [0090.520] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.520] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.521] CloseHandle (hObject=0x20c) returned 1 [0090.521] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0090.522] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.522] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.522] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x20c [0090.522] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0090.522] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0090.522] CloseHandle (hObject=0x20c) returned 1 [0090.522] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x37, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0090.523] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.523] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.523] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x20c [0090.523] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x353fc90) returned 1 [0090.524] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10186bc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x353fc90) returned 1 [0090.524] CloseHandle (hObject=0x20c) returned 1 [0090.524] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0090.525] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.525] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.525] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x20c [0090.525] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x353fc90) returned 1 [0090.525] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x353fc90) returned 1 [0090.525] CloseHandle (hObject=0x20c) returned 1 [0090.525] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0090.579] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.580] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.580] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x20c [0090.580] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 1 [0090.580] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 1 [0090.580] CloseHandle (hObject=0x20c) returned 1 [0090.580] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0090.581] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.581] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.581] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x20c [0090.581] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 0 [0090.582] GetLastError () returned 0x1f [0090.582] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 0 [0090.582] CloseHandle (hObject=0x20c) returned 1 [0090.596] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0090.597] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.597] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.597] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x20c [0090.597] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x353fc90) returned 1 [0090.598] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x353fc90) returned 1 [0090.598] CloseHandle (hObject=0x20c) returned 1 [0090.598] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0090.599] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.599] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.599] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x20c [0090.599] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x353fc90) returned 1 [0090.600] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x353fc90) returned 1 [0090.600] CloseHandle (hObject=0x20c) returned 1 [0090.600] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0090.601] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.601] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.601] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x20c [0090.601] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x353fc90) returned 1 [0090.601] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x353fc90) returned 1 [0090.601] CloseHandle (hObject=0x20c) returned 1 [0090.602] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0090.602] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.602] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.603] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0090.603] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0090.604] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.604] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.604] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0090.604] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.605] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.605] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.605] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x20c [0090.605] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.605] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0090.605] CloseHandle (hObject=0x20c) returned 1 [0090.605] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0090.606] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.606] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.606] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdec) returned 0x20c [0090.606] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x353fc90) returned 1 [0090.607] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x353fc90) returned 1 [0090.607] CloseHandle (hObject=0x20c) returned 1 [0090.607] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SppExtComObj.Exe")) returned 1 [0090.608] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.608] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.608] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1a4) returned 0x0 [0090.608] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="manufacturers.exe")) returned 1 [0090.609] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.609] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.609] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb14) returned 0x20c [0090.609] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\manufacturers.exe", lpdwSize=0x353fc90) returned 1 [0090.609] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\manufacturers.exe", lpdwSize=0x353fc90) returned 1 [0090.609] CloseHandle (hObject=0x20c) returned 1 [0090.609] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="posters struggle.exe")) returned 1 [0090.610] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.610] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.610] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb00) returned 0x20c [0090.610] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\posters struggle.exe", lpdwSize=0x353fc90) returned 1 [0090.611] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\posters struggle.exe", lpdwSize=0x353fc90) returned 1 [0090.611] CloseHandle (hObject=0x20c) returned 1 [0090.611] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x650, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="dnsreliablemovie.exe")) returned 1 [0090.612] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.612] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.612] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x650) returned 0x20c [0090.612] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\dnsreliablemovie.exe", lpdwSize=0x353fc90) returned 1 [0090.612] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\dnsreliablemovie.exe", lpdwSize=0x353fc90) returned 1 [0090.612] CloseHandle (hObject=0x20c) returned 1 [0090.612] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="uristackaluminum.exe")) returned 1 [0090.613] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.613] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.613] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf8) returned 0x20c [0090.613] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\uristackaluminum.exe", lpdwSize=0x353fc90) returned 1 [0090.614] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\uristackaluminum.exe", lpdwSize=0x353fc90) returned 1 [0090.614] CloseHandle (hObject=0x20c) returned 1 [0090.665] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="freedom.exe")) returned 1 [0090.666] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.666] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.666] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8a0) returned 0x20c [0090.666] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\freedom.exe", lpdwSize=0x353fc90) returned 1 [0090.667] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\freedom.exe", lpdwSize=0x353fc90) returned 1 [0090.667] CloseHandle (hObject=0x20c) returned 1 [0090.667] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="discussion complement stretch.exe")) returned 1 [0090.668] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.668] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.668] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x20c [0090.668] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\discussion complement stretch.exe", lpdwSize=0x353fc90) returned 1 [0090.668] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\discussion complement stretch.exe", lpdwSize=0x353fc90) returned 1 [0090.668] CloseHandle (hObject=0x20c) returned 1 [0090.668] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="grantsfillingraises.exe")) returned 1 [0090.669] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.669] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.669] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe34) returned 0x20c [0090.669] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\grantsfillingraises.exe", lpdwSize=0x353fc90) returned 1 [0090.670] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\grantsfillingraises.exe", lpdwSize=0x353fc90) returned 1 [0090.670] CloseHandle (hObject=0x20c) returned 1 [0090.670] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="confused-periodic-returns.exe")) returned 1 [0090.671] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.671] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.671] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc98) returned 0x20c [0090.671] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\confused-periodic-returns.exe", lpdwSize=0x353fc90) returned 1 [0090.671] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\confused-periodic-returns.exe", lpdwSize=0x353fc90) returned 1 [0090.672] CloseHandle (hObject=0x20c) returned 1 [0090.672] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="song_vinyl_yours.exe")) returned 1 [0090.672] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.673] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.673] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf34) returned 0x20c [0090.673] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\song_vinyl_yours.exe", lpdwSize=0x353fc90) returned 1 [0090.673] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\song_vinyl_yours.exe", lpdwSize=0x353fc90) returned 1 [0090.673] CloseHandle (hObject=0x20c) returned 1 [0090.673] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="palmer-bugs.exe")) returned 1 [0090.674] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.674] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.674] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xee8) returned 0x20c [0090.674] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\palmer-bugs.exe", lpdwSize=0x353fc90) returned 1 [0090.674] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\palmer-bugs.exe", lpdwSize=0x353fc90) returned 1 [0090.675] CloseHandle (hObject=0x20c) returned 1 [0090.675] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="unlikely.exe")) returned 1 [0090.675] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.676] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.676] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa90) returned 0x20c [0090.676] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\unlikely.exe", lpdwSize=0x353fc90) returned 1 [0090.676] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\unlikely.exe", lpdwSize=0x353fc90) returned 1 [0090.676] CloseHandle (hObject=0x20c) returned 1 [0090.676] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="cambodia_alan.exe")) returned 1 [0090.677] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.677] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.677] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf00) returned 0x20c [0090.677] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\cambodia_alan.exe", lpdwSize=0x353fc90) returned 1 [0090.678] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\cambodia_alan.exe", lpdwSize=0x353fc90) returned 1 [0090.678] CloseHandle (hObject=0x20c) returned 1 [0090.678] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="powersellerauctions.exe")) returned 1 [0090.679] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.679] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.679] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4a4) returned 0x20c [0090.679] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\powersellerauctions.exe", lpdwSize=0x353fc90) returned 1 [0090.679] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\powersellerauctions.exe", lpdwSize=0x353fc90) returned 1 [0090.680] CloseHandle (hObject=0x20c) returned 1 [0090.680] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="supervisorswhats.exe")) returned 1 [0090.681] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.681] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.681] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf48) returned 0x20c [0090.681] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\supervisorswhats.exe", lpdwSize=0x353fc90) returned 1 [0090.681] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\supervisorswhats.exe", lpdwSize=0x353fc90) returned 1 [0090.681] CloseHandle (hObject=0x20c) returned 1 [0090.681] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="client-mathematical.exe")) returned 1 [0090.682] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.682] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.682] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf60) returned 0x20c [0090.682] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\client-mathematical.exe", lpdwSize=0x353fc90) returned 1 [0090.683] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\client-mathematical.exe", lpdwSize=0x353fc90) returned 1 [0090.683] CloseHandle (hObject=0x20c) returned 1 [0090.683] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="azresolve.exe")) returned 1 [0090.684] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.684] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.684] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdcc) returned 0x20c [0090.684] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\azresolve.exe", lpdwSize=0x353fc90) returned 1 [0090.684] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\azresolve.exe", lpdwSize=0x353fc90) returned 1 [0090.684] CloseHandle (hObject=0x20c) returned 1 [0090.685] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="shawscenic.exe")) returned 1 [0090.686] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.686] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.686] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x20c [0090.686] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\shawscenic.exe", lpdwSize=0x353fc90) returned 1 [0090.686] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\shawscenic.exe", lpdwSize=0x353fc90) returned 1 [0090.686] CloseHandle (hObject=0x20c) returned 1 [0090.687] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="illinois combo.exe")) returned 1 [0090.688] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.688] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.688] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x20c [0090.688] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Common Files\\illinois combo.exe", lpdwSize=0x353fc90) returned 1 [0090.688] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Common Files\\illinois combo.exe", lpdwSize=0x353fc90) returned 1 [0090.689] CloseHandle (hObject=0x20c) returned 1 [0090.689] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="dat_kenny_ladder.exe")) returned 1 [0090.690] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.690] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.690] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf18) returned 0x20c [0090.690] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\dat_kenny_ladder.exe", lpdwSize=0x353fc90) returned 1 [0090.690] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\dat_kenny_ladder.exe", lpdwSize=0x353fc90) returned 1 [0090.691] CloseHandle (hObject=0x20c) returned 1 [0090.691] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="plasma.exe")) returned 1 [0090.692] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.692] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.692] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfb4) returned 0x20c [0090.693] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Defender\\plasma.exe", lpdwSize=0x353fc90) returned 1 [0090.693] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Defender\\plasma.exe", lpdwSize=0x353fc90) returned 1 [0090.693] CloseHandle (hObject=0x20c) returned 1 [0090.693] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0090.694] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.694] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.695] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb78) returned 0x20c [0090.695] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\3dftp.exe", lpdwSize=0x353fc90) returned 1 [0090.695] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\3dftp.exe", lpdwSize=0x353fc90) returned 1 [0090.695] CloseHandle (hObject=0x20c) returned 1 [0090.695] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0090.697] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.697] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.697] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x20c [0090.697] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\absolutetelnet.exe", lpdwSize=0x353fc90) returned 1 [0090.697] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\absolutetelnet.exe", lpdwSize=0x353fc90) returned 1 [0090.697] CloseHandle (hObject=0x20c) returned 1 [0090.697] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xaf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0090.699] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.699] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.699] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xaf4) returned 0x20c [0090.699] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\alftp.exe", lpdwSize=0x353fc90) returned 1 [0090.699] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\alftp.exe", lpdwSize=0x353fc90) returned 1 [0090.699] CloseHandle (hObject=0x20c) returned 1 [0090.699] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0090.701] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.701] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.701] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xadc) returned 0x20c [0090.701] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\barca.exe", lpdwSize=0x353fc90) returned 1 [0090.701] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\barca.exe", lpdwSize=0x353fc90) returned 1 [0090.701] CloseHandle (hObject=0x20c) returned 1 [0090.701] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0090.703] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.703] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.703] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7f0) returned 0x20c [0090.703] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\bitkinex.exe", lpdwSize=0x353fc90) returned 1 [0090.703] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\bitkinex.exe", lpdwSize=0x353fc90) returned 1 [0090.703] CloseHandle (hObject=0x20c) returned 1 [0090.704] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0090.705] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.705] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.705] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb08) returned 0x20c [0090.705] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Internet Explorer\\coreftp.exe", lpdwSize=0x353fc90) returned 1 [0090.705] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Internet Explorer\\coreftp.exe", lpdwSize=0x353fc90) returned 1 [0090.705] CloseHandle (hObject=0x20c) returned 1 [0090.706] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0090.707] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.707] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.707] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf2c) returned 0x20c [0090.707] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\MSBuild\\far.exe", lpdwSize=0x353fc90) returned 1 [0090.707] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\MSBuild\\far.exe", lpdwSize=0x353fc90) returned 1 [0090.708] CloseHandle (hObject=0x20c) returned 1 [0090.708] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0090.759] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.759] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.759] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x384) returned 0x20c [0090.759] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\filezilla.exe", lpdwSize=0x353fc90) returned 1 [0090.760] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\filezilla.exe", lpdwSize=0x353fc90) returned 1 [0090.760] CloseHandle (hObject=0x20c) returned 1 [0090.760] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0090.761] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.761] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.761] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde0) returned 0x20c [0090.762] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\flashfxp.exe", lpdwSize=0x353fc90) returned 1 [0090.762] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\flashfxp.exe", lpdwSize=0x353fc90) returned 1 [0090.762] CloseHandle (hObject=0x20c) returned 1 [0090.762] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0090.763] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.763] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.763] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x790) returned 0x20c [0090.764] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\fling.exe", lpdwSize=0x353fc90) returned 1 [0090.764] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\fling.exe", lpdwSize=0x353fc90) returned 1 [0090.764] CloseHandle (hObject=0x20c) returned 1 [0090.764] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0090.766] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.766] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.766] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc14) returned 0x20c [0090.766] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\foxmailincmail.exe", lpdwSize=0x353fc90) returned 1 [0090.766] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\foxmailincmail.exe", lpdwSize=0x353fc90) returned 1 [0090.766] CloseHandle (hObject=0x20c) returned 1 [0090.766] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0090.768] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.768] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.768] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x20c [0090.768] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\gmailnotifierpro.exe", lpdwSize=0x353fc90) returned 1 [0090.768] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\gmailnotifierpro.exe", lpdwSize=0x353fc90) returned 1 [0090.768] CloseHandle (hObject=0x20c) returned 1 [0090.768] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0090.770] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.770] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.770] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1010) returned 0x20c [0090.770] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\icq.exe", lpdwSize=0x353fc90) returned 1 [0090.770] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\icq.exe", lpdwSize=0x353fc90) returned 1 [0090.770] CloseHandle (hObject=0x20c) returned 1 [0090.771] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1024, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0090.772] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.772] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.772] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1024) returned 0x20c [0090.772] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\leechftp.exe", lpdwSize=0x353fc90) returned 1 [0090.772] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\leechftp.exe", lpdwSize=0x353fc90) returned 1 [0090.772] CloseHandle (hObject=0x20c) returned 1 [0090.773] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1038, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0090.774] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.774] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.774] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1038) returned 0x20c [0090.774] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\ncftp.exe", lpdwSize=0x353fc90) returned 1 [0090.775] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\ncftp.exe", lpdwSize=0x353fc90) returned 1 [0090.775] CloseHandle (hObject=0x20c) returned 1 [0090.775] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0090.776] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.776] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.776] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x104c) returned 0x20c [0090.776] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0090.777] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0090.777] CloseHandle (hObject=0x20c) returned 1 [0090.777] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1060, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0090.778] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.778] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.778] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1060) returned 0x20c [0090.778] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\operamail.exe", lpdwSize=0x353fc90) returned 1 [0090.779] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\operamail.exe", lpdwSize=0x353fc90) returned 1 [0090.779] CloseHandle (hObject=0x20c) returned 1 [0090.779] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1074, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0090.780] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.780] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.780] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1074) returned 0x20c [0090.780] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\outlook.exe", lpdwSize=0x353fc90) returned 1 [0090.781] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\outlook.exe", lpdwSize=0x353fc90) returned 1 [0090.781] CloseHandle (hObject=0x20c) returned 1 [0090.781] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1088, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0090.782] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.782] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.782] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1088) returned 0x20c [0090.782] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\pidgin.exe", lpdwSize=0x353fc90) returned 1 [0090.783] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\pidgin.exe", lpdwSize=0x353fc90) returned 1 [0090.783] CloseHandle (hObject=0x20c) returned 1 [0090.783] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x109c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0090.788] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.788] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.788] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x109c) returned 0x20c [0090.788] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\scriptftp.exe", lpdwSize=0x353fc90) returned 1 [0090.789] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\scriptftp.exe", lpdwSize=0x353fc90) returned 1 [0090.789] CloseHandle (hObject=0x20c) returned 1 [0090.789] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0090.790] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.790] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.790] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b0) returned 0x20c [0090.790] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\skype.exe", lpdwSize=0x353fc90) returned 1 [0090.791] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\skype.exe", lpdwSize=0x353fc90) returned 1 [0090.791] CloseHandle (hObject=0x20c) returned 1 [0090.791] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0090.792] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.792] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.792] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10c4) returned 0x20c [0090.792] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x353fc90) returned 1 [0090.792] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x353fc90) returned 1 [0090.793] CloseHandle (hObject=0x20c) returned 1 [0090.793] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0090.794] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.794] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.794] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10d8) returned 0x20c [0090.794] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\thunderbird.exe", lpdwSize=0x353fc90) returned 1 [0090.794] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\thunderbird.exe", lpdwSize=0x353fc90) returned 1 [0090.795] CloseHandle (hObject=0x20c) returned 1 [0090.795] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0090.796] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.796] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.796] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10ec) returned 0x20c [0090.796] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\totalcmd.exe", lpdwSize=0x353fc90) returned 1 [0090.796] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\totalcmd.exe", lpdwSize=0x353fc90) returned 1 [0090.797] CloseHandle (hObject=0x20c) returned 1 [0090.797] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1100, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0090.798] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.798] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.798] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1100) returned 0x20c [0090.798] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\trillian.exe", lpdwSize=0x353fc90) returned 1 [0090.798] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\trillian.exe", lpdwSize=0x353fc90) returned 1 [0090.798] CloseHandle (hObject=0x20c) returned 1 [0090.799] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0090.800] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.800] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.800] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1114) returned 0x20c [0090.800] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\webdrive.exe", lpdwSize=0x353fc90) returned 1 [0090.800] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\webdrive.exe", lpdwSize=0x353fc90) returned 1 [0090.800] CloseHandle (hObject=0x20c) returned 1 [0090.800] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1128, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0090.802] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.904] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.904] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1128) returned 0x20c [0090.904] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\whatsapp.exe", lpdwSize=0x353fc90) returned 1 [0090.905] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\whatsapp.exe", lpdwSize=0x353fc90) returned 1 [0090.905] CloseHandle (hObject=0x20c) returned 1 [0090.905] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x113c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0090.906] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.906] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.906] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x113c) returned 0x20c [0090.906] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\winscp.exe", lpdwSize=0x353fc90) returned 1 [0090.907] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\winscp.exe", lpdwSize=0x353fc90) returned 1 [0090.907] CloseHandle (hObject=0x20c) returned 1 [0090.907] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0090.908] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.908] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.908] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x20c [0090.908] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Media Player\\yahoomessenger.exe", lpdwSize=0x353fc90) returned 1 [0090.908] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Media Player\\yahoomessenger.exe", lpdwSize=0x353fc90) returned 1 [0090.909] CloseHandle (hObject=0x20c) returned 1 [0090.909] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0090.910] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.910] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.910] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x20c [0090.910] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\active-charge.exe", lpdwSize=0x353fc90) returned 1 [0090.910] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\active-charge.exe", lpdwSize=0x353fc90) returned 1 [0090.911] CloseHandle (hObject=0x20c) returned 1 [0090.911] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0090.917] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.917] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.917] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x20c [0090.917] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\accupos.exe", lpdwSize=0x353fc90) returned 1 [0090.918] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\accupos.exe", lpdwSize=0x353fc90) returned 1 [0090.918] CloseHandle (hObject=0x20c) returned 1 [0090.918] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0090.919] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.919] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.919] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x20c [0090.919] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\afr38.exe", lpdwSize=0x353fc90) returned 1 [0090.919] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\afr38.exe", lpdwSize=0x353fc90) returned 1 [0090.920] CloseHandle (hObject=0x20c) returned 1 [0090.920] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0090.921] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.921] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.921] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x20c [0090.921] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\aldelo.exe", lpdwSize=0x353fc90) returned 1 [0090.921] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\aldelo.exe", lpdwSize=0x353fc90) returned 1 [0090.922] CloseHandle (hObject=0x20c) returned 1 [0090.922] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0090.923] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.923] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0090.923] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x20c [0090.923] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\ccv_server.exe", lpdwSize=0x353fc90) returned 1 [0090.923] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\ccv_server.exe", lpdwSize=0x353fc90) returned 1 [0090.924] CloseHandle (hObject=0x20c) returned 1 [0090.924] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0090.929] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0090.929] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0091.012] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x20c [0091.012] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\centralcreditcard.exe", lpdwSize=0x353fc90) returned 1 [0091.013] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\centralcreditcard.exe", lpdwSize=0x353fc90) returned 1 [0091.013] CloseHandle (hObject=0x20c) returned 1 [0091.016] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="centralcreditcard.exe", cchWideChar=21, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="centralcreditcard.exexens.exe.exe", lpUsedDefaultChar=0x0) returned 21 [0091.018] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="apache.exe", cchWideChar=10, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="apache.exelcreditcard.exexens.exe.exe", lpUsedDefaultChar=0x0) returned 10 [0091.018] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0091.019] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0091.019] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0091.019] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x20c [0091.019] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\creditservice.exe", lpdwSize=0x353fc90) returned 1 [0091.020] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\creditservice.exe", lpdwSize=0x353fc90) returned 1 [0091.020] CloseHandle (hObject=0x20c) returned 1 [0091.023] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="creditservice.exe", cchWideChar=17, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="creditservice.exe.exexens.exe.exe", lpUsedDefaultChar=0x0) returned 17 [0091.024] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="apache.exe", cchWideChar=10, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="apache.exeservice.exe.exexens.exe.exe", lpUsedDefaultChar=0x0) returned 10 [0091.024] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0091.025] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0091.025] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0091.025] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x20c [0091.026] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\edcsvr.exe", lpdwSize=0x353fc90) returned 1 [0091.026] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\edcsvr.exe", lpdwSize=0x353fc90) returned 1 [0091.026] CloseHandle (hObject=0x20c) returned 1 [0091.028] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="edcsvr.exe", cchWideChar=10, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="edcsvr.exeice.exe.exexens.exe.exe", lpUsedDefaultChar=0x0) returned 10 [0091.029] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="apache.exe", cchWideChar=10, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="apache.exe.exeice.exe.exexens.exe.exe", lpUsedDefaultChar=0x0) returned 10 [0091.029] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0091.030] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0091.030] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0091.030] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x20c [0091.030] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Sidebar\\fpos.exe", lpdwSize=0x353fc90) returned 1 [0091.031] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Sidebar\\fpos.exe", lpdwSize=0x353fc90) returned 1 [0091.031] CloseHandle (hObject=0x20c) returned 1 [0091.032] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="fpos.exe", cchWideChar=8, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fpos.exexeice.exe.exexens.exe.exe", lpUsedDefaultChar=0x0) returned 8 [0091.033] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="apache.exe", cchWideChar=10, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="apache.exexexeice.exe.exexens.exe.exe", lpUsedDefaultChar=0x0) returned 10 [0091.033] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0091.034] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0091.035] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0091.035] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x20c [0091.035] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Java\\isspos.exe", lpdwSize=0x353fc90) returned 1 [0091.035] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Java\\isspos.exe", lpdwSize=0x353fc90) returned 1 [0091.331] CloseHandle (hObject=0x20c) returned 1 [0091.332] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="isspos.exe", cchWideChar=10, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="isspos.exeice.exe.exexens.exe.exe", lpUsedDefaultChar=0x0) returned 10 [0091.464] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0091.465] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0091.465] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0091.465] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x20c [0091.465] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\mxslipstream.exe", lpdwSize=0x353fc90) returned 1 [0091.466] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\mxslipstream.exe", lpdwSize=0x353fc90) returned 1 [0091.466] CloseHandle (hObject=0x20c) returned 1 [0091.467] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0091.468] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0091.468] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0091.468] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x20c [0091.468] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\omnipos.exe", lpdwSize=0x353fc90) returned 1 [0091.468] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\omnipos.exe", lpdwSize=0x353fc90) returned 1 [0091.468] CloseHandle (hObject=0x20c) returned 1 [0091.469] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0091.470] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0091.470] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0091.470] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x20c [0091.470] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Uninstall Information\\spcwin.exe", lpdwSize=0x353fc90) returned 1 [0091.470] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Uninstall Information\\spcwin.exe", lpdwSize=0x353fc90) returned 1 [0091.470] CloseHandle (hObject=0x20c) returned 1 [0091.471] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0091.472] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0091.472] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0091.472] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x20c [0091.472] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\spgagentservice.exe", lpdwSize=0x353fc90) returned 1 [0091.472] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\spgagentservice.exe", lpdwSize=0x353fc90) returned 1 [0091.472] CloseHandle (hObject=0x20c) returned 1 [0091.472] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0091.477] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0091.477] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0091.477] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x20c [0091.477] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\utg2.exe", lpdwSize=0x353fc90) returned 1 [0091.478] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\utg2.exe", lpdwSize=0x353fc90) returned 1 [0091.478] CloseHandle (hObject=0x20c) returned 1 [0091.479] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="utg2.exe", cchWideChar=8, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="utg2.exeservice.exexexens.exe.exe", lpUsedDefaultChar=0x0) returned 8 [0091.480] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="apache.exe", cchWideChar=10, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="apache.exexeservice.exexexens.exe.exe", lpUsedDefaultChar=0x0) returned 10 [0091.480] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare brown worth.exe")) returned 1 [0091.482] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0091.482] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0091.482] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x20c [0091.482] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\compare brown worth.exe", lpdwSize=0x353fc90) returned 1 [0091.482] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\compare brown worth.exe", lpdwSize=0x353fc90) returned 1 [0091.486] CloseHandle (hObject=0x20c) returned 1 [0091.640] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="compare brown worth.exe", cchWideChar=23, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="compare brown worth.exens.exe.exe", lpUsedDefaultChar=0x0) returned 23 [0091.641] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="apache.exe", cchWideChar=10, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="apache.exee brown worth.exens.exe.exe", lpUsedDefaultChar=0x0) returned 10 [0091.641] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="purchase.exe")) returned 1 [0091.642] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0091.643] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0091.643] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12a4) returned 0x20c [0091.643] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\purchase.exe", lpdwSize=0x353fc90) returned 1 [0091.643] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\purchase.exe", lpdwSize=0x353fc90) returned 1 [0091.643] CloseHandle (hObject=0x20c) returned 1 [0091.645] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="purchase.exe", cchWideChar=12, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="purchase.exen worth.exens.exe.exe", lpUsedDefaultChar=0x0) returned 12 [0091.646] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="apache.exe", cchWideChar=10, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="apache.exese.exen worth.exens.exe.exe", lpUsedDefaultChar=0x0) returned 10 [0091.646] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="timothy.exe")) returned 1 [0091.647] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0091.648] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0091.648] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b8) returned 0x20c [0091.648] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\timothy.exe", lpdwSize=0x353fc90) returned 1 [0091.648] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\timothy.exe", lpdwSize=0x353fc90) returned 1 [0091.648] CloseHandle (hObject=0x20c) returned 1 [0091.650] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="timothy.exe", cchWideChar=11, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="timothy.exeen worth.exens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0091.651] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="apache.exe", cchWideChar=10, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="apache.exey.exeen worth.exens.exe.exe", lpUsedDefaultChar=0x0) returned 10 [0091.651] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="across-camel-teachers.exe")) returned 1 [0091.652] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0091.652] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0091.653] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12cc) returned 0x20c [0091.653] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\across-camel-teachers.exe", lpdwSize=0x353fc90) returned 1 [0091.653] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\across-camel-teachers.exe", lpdwSize=0x353fc90) returned 1 [0091.653] CloseHandle (hObject=0x20c) returned 1 [0091.656] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pst.exe")) returned 1 [0091.657] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0091.657] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0091.657] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12e0) returned 0x20c [0091.657] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\pst.exe", lpdwSize=0x353fc90) returned 1 [0091.657] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\pst.exe", lpdwSize=0x353fc90) returned 1 [0091.658] CloseHandle (hObject=0x20c) returned 1 [0091.658] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0091.806] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0091.806] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0091.806] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13bc) returned 0x20c [0091.807] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0091.807] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0091.807] CloseHandle (hObject=0x20c) returned 1 [0091.807] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0091.808] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0091.808] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0091.808] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13cc) returned 0x20c [0091.809] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x353fc90) returned 1 [0091.809] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x353fc90) returned 1 [0091.809] CloseHandle (hObject=0x20c) returned 1 [0091.809] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0091.810] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0091.810] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0091.810] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13dc) returned 0x20c [0091.810] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0091.811] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0091.811] CloseHandle (hObject=0x20c) returned 1 [0091.811] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0091.812] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0091.812] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0091.812] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13e4) returned 0x20c [0091.812] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x353fc90) returned 1 [0091.812] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x353fc90) returned 1 [0091.813] CloseHandle (hObject=0x20c) returned 1 [0091.813] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0091.814] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0091.814] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0091.814] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13ec) returned 0x20c [0091.814] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0091.814] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0091.814] CloseHandle (hObject=0x20c) returned 1 [0091.814] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0091.815] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0091.816] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0091.816] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13f4) returned 0x20c [0091.816] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0091.816] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0091.816] CloseHandle (hObject=0x20c) returned 1 [0091.816] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1098, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0091.817] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0091.818] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0091.818] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1098) returned 0x20c [0091.818] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x353fc90) returned 1 [0091.818] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x353fc90) returned 1 [0091.818] CloseHandle (hObject=0x20c) returned 1 [0091.818] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x13e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0091.819] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0091.820] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0091.820] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xad4) returned 0x20c [0091.820] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0091.820] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0091.820] CloseHandle (hObject=0x20c) returned 1 [0091.820] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x608, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x13cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0091.821] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0091.821] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0091.821] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x608) returned 0x20c [0091.821] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0091.822] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0091.822] CloseHandle (hObject=0x20c) returned 1 [0091.822] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xda8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xaac, pcPriClassBase=8, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0091.823] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0091.823] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0091.823] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xda8) returned 0x20c [0091.823] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpdwSize=0x353fc90) returned 1 [0091.823] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpdwSize=0x353fc90) returned 1 [0091.824] CloseHandle (hObject=0x20c) returned 1 [0091.824] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xaac, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0091.825] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0091.825] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0091.825] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x378) returned 0x20c [0091.825] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0091.825] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0091.825] CloseHandle (hObject=0x20c) returned 1 [0091.825] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdd0064, th32DefaultHeapID=0xff01, th32ModuleID=0x53fa9c, cntThreads=0x353fa9c, th32ParentProcessID=0x1031000, pcPriClassBase=32, dwFlags=0x48, szExeFile="????p")) returned 0 [0091.826] CloseHandle (hObject=0x208) returned 1 [0091.826] Sleep (dwMilliseconds=0x1) [0091.940] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x353fd2c, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0091.940] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2e49738, cbMultiByte=10, lpWideCharStr=0x353ee34, cchWideChar=2047 | out: lpWideCharStr="backup.exeeisqlplussvc.exe") returned 10 [0091.941] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="backup.exe", cchWideChar=10, lpMultiByteStr=0x353eca8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="backup.exe??", lpUsedDefaultChar=0x0) returned 10 [0091.941] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x353fa9c, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0091.943] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x353eca4, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exep.exe??", lpUsedDefaultChar=0x0) returned 9 [0091.943] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x208 [0092.367] Process32First (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0092.368] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.368] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.368] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0092.369] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="backup.exe", cchWideChar=10, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="backup.exe", lpUsedDefaultChar=0x0) returned 10 [0092.369] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0092.370] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.370] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.370] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x20c [0092.370] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 0 [0092.370] GetLastError () returned 0x1f [0092.370] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 0 [0092.371] CloseHandle (hObject=0x20c) returned 1 [0092.429] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0092.430] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.431] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.431] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x20c [0092.431] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x353fc90) returned 1 [0092.431] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10187bc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x353fc90) returned 1 [0092.431] CloseHandle (hObject=0x20c) returned 1 [0092.432] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0092.432] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.433] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.433] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0092.433] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0092.433] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.434] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.434] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x20c [0092.434] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x353fc90) returned 1 [0092.434] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x353fc90) returned 1 [0092.434] CloseHandle (hObject=0x20c) returned 1 [0092.434] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0092.435] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.435] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.435] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0092.435] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0092.436] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.436] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.436] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x20c [0092.436] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x353fc90) returned 1 [0092.437] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x353fc90) returned 1 [0092.437] CloseHandle (hObject=0x20c) returned 1 [0092.437] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0092.438] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.438] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.438] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x20c [0092.438] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x353fc90) returned 1 [0092.438] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x353fc90) returned 1 [0092.439] CloseHandle (hObject=0x20c) returned 1 [0092.439] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0092.440] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.440] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.440] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x20c [0092.440] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x353fc90) returned 1 [0092.440] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10186bc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x353fc90) returned 1 [0092.440] CloseHandle (hObject=0x20c) returned 1 [0092.440] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0092.441] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.441] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.441] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x20c [0092.442] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.442] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.442] CloseHandle (hObject=0x20c) returned 1 [0092.450] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0092.451] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.451] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.451] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0092.451] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0092.452] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.452] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.452] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0092.452] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0092.453] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.453] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.453] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x20c [0092.453] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.453] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.454] CloseHandle (hObject=0x20c) returned 1 [0092.454] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0092.455] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.455] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.455] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0092.455] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0092.456] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.456] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.456] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x20c [0092.456] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.456] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.457] CloseHandle (hObject=0x20c) returned 1 [0092.457] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x64, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0092.457] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.458] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.458] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x20c [0092.458] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.569] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.570] CloseHandle (hObject=0x20c) returned 1 [0092.570] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0092.571] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.571] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.571] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x20c [0092.571] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.572] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.572] CloseHandle (hObject=0x20c) returned 1 [0092.572] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0092.573] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.573] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.573] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x20c [0092.574] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.574] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.574] CloseHandle (hObject=0x20c) returned 1 [0092.574] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0092.575] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.575] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.575] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x20c [0092.575] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.576] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.576] CloseHandle (hObject=0x20c) returned 1 [0092.576] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0092.577] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.577] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.577] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x20c [0092.577] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.577] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.578] CloseHandle (hObject=0x20c) returned 1 [0092.578] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0092.578] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.579] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.579] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x20c [0092.579] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.579] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.579] CloseHandle (hObject=0x20c) returned 1 [0092.579] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0092.580] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.580] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.580] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x20c [0092.580] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.581] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.581] CloseHandle (hObject=0x20c) returned 1 [0092.581] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0092.582] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.582] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.582] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x20c [0092.582] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.582] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.583] CloseHandle (hObject=0x20c) returned 1 [0092.583] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0092.584] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.584] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.584] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x20c [0092.584] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.585] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.585] CloseHandle (hObject=0x20c) returned 1 [0092.585] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0092.586] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.586] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.586] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x20c [0092.586] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.586] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.587] CloseHandle (hObject=0x20c) returned 1 [0092.587] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0092.587] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.588] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.588] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x20c [0092.588] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x353fc90) returned 1 [0092.588] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x353fc90) returned 1 [0092.588] CloseHandle (hObject=0x20c) returned 1 [0092.588] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0092.589] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.589] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.589] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x20c [0092.589] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x353fc90) returned 1 [0092.590] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x353fc90) returned 1 [0092.590] CloseHandle (hObject=0x20c) returned 1 [0092.590] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0092.591] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.591] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.591] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x20c [0092.591] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x353fc90) returned 1 [0092.591] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x353fc90) returned 1 [0092.592] CloseHandle (hObject=0x20c) returned 1 [0092.592] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0092.592] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.593] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.593] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x20c [0092.593] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.593] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.593] CloseHandle (hObject=0x20c) returned 1 [0092.593] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0092.594] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.594] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.594] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x20c [0092.594] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0092.595] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0092.595] CloseHandle (hObject=0x20c) returned 1 [0092.595] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0092.596] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.596] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.596] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x20c [0092.596] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x353fc90) returned 1 [0092.596] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10187bc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x353fc90) returned 1 [0092.597] CloseHandle (hObject=0x20c) returned 1 [0092.597] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0092.597] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.598] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.598] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x20c [0092.598] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x353fc90) returned 1 [0092.598] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x353fc90) returned 1 [0092.598] CloseHandle (hObject=0x20c) returned 1 [0092.598] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0092.599] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.600] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.600] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x20c [0092.600] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 1 [0092.600] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 1 [0092.600] CloseHandle (hObject=0x20c) returned 1 [0092.600] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0092.601] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.601] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.601] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x20c [0092.601] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 0 [0092.601] GetLastError () returned 0x1f [0092.602] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 0 [0092.602] CloseHandle (hObject=0x20c) returned 1 [0092.742] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0092.743] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.744] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.744] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x20c [0092.744] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x353fc90) returned 1 [0092.745] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x353fc90) returned 1 [0092.745] CloseHandle (hObject=0x20c) returned 1 [0092.745] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0092.746] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.746] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.746] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x20c [0092.746] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x353fc90) returned 1 [0092.747] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x353fc90) returned 1 [0092.747] CloseHandle (hObject=0x20c) returned 1 [0092.752] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ShellExperienceHost.exe", cchWideChar=23, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ShellExperienceHost.exe", lpUsedDefaultChar=0x0) returned 23 [0092.760] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="backup.exe", cchWideChar=10, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="backup.exexperienceHost.exe", lpUsedDefaultChar=0x0) returned 10 [0092.760] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0092.761] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.761] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.761] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x20c [0092.761] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x353fc90) returned 1 [0092.762] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x353fc90) returned 1 [0092.762] CloseHandle (hObject=0x20c) returned 1 [0092.765] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="RuntimeBroker.exe", cchWideChar=17, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RuntimeBroker.exest.exe", lpUsedDefaultChar=0x0) returned 17 [0092.767] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="backup.exe", cchWideChar=10, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="backup.exeeBroker.exest.exe", lpUsedDefaultChar=0x0) returned 10 [0092.767] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0092.768] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.768] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.768] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0092.770] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="RuntimeBroker.exe", cchWideChar=17, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RuntimeBroker.exest.exe", lpUsedDefaultChar=0x0) returned 17 [0092.771] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="backup.exe", cchWideChar=10, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="backup.exeeBroker.exest.exe", lpUsedDefaultChar=0x0) returned 10 [0092.771] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0092.772] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.773] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.773] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0092.774] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="RuntimeBroker.exe", cchWideChar=17, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RuntimeBroker.exest.exe", lpUsedDefaultChar=0x0) returned 17 [0092.775] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="backup.exe", cchWideChar=10, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="backup.exeeBroker.exest.exe", lpUsedDefaultChar=0x0) returned 10 [0092.775] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0092.776] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.776] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.776] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x20c [0092.776] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.777] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0092.777] CloseHandle (hObject=0x20c) returned 1 [0092.778] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0092.778] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.778] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.778] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdec) returned 0x20c [0092.778] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x353fc90) returned 1 [0092.779] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x353fc90) returned 1 [0092.779] CloseHandle (hObject=0x20c) returned 1 [0092.779] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SppExtComObj.Exe")) returned 1 [0092.850] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.850] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.850] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1a4) returned 0x0 [0092.850] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="manufacturers.exe")) returned 1 [0092.851] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.851] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.851] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb14) returned 0x20c [0092.851] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\manufacturers.exe", lpdwSize=0x353fc90) returned 1 [0092.851] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\manufacturers.exe", lpdwSize=0x353fc90) returned 1 [0092.851] CloseHandle (hObject=0x20c) returned 1 [0092.852] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="posters struggle.exe")) returned 1 [0092.852] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.852] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.852] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb00) returned 0x20c [0092.852] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\posters struggle.exe", lpdwSize=0x353fc90) returned 1 [0092.853] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\posters struggle.exe", lpdwSize=0x353fc90) returned 1 [0092.853] CloseHandle (hObject=0x20c) returned 1 [0092.853] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x650, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="dnsreliablemovie.exe")) returned 1 [0092.853] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.854] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.854] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x650) returned 0x20c [0092.854] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\dnsreliablemovie.exe", lpdwSize=0x353fc90) returned 1 [0092.854] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\dnsreliablemovie.exe", lpdwSize=0x353fc90) returned 1 [0092.854] CloseHandle (hObject=0x20c) returned 1 [0092.854] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="uristackaluminum.exe")) returned 1 [0092.855] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.855] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.855] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf8) returned 0x20c [0092.855] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\uristackaluminum.exe", lpdwSize=0x353fc90) returned 1 [0092.855] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\uristackaluminum.exe", lpdwSize=0x353fc90) returned 1 [0092.855] CloseHandle (hObject=0x20c) returned 1 [0092.855] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="freedom.exe")) returned 1 [0092.856] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.856] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.856] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8a0) returned 0x20c [0092.856] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\freedom.exe", lpdwSize=0x353fc90) returned 1 [0092.856] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\freedom.exe", lpdwSize=0x353fc90) returned 1 [0092.857] CloseHandle (hObject=0x20c) returned 1 [0092.857] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="discussion complement stretch.exe")) returned 1 [0092.857] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.895] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.895] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x20c [0092.895] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\discussion complement stretch.exe", lpdwSize=0x353fc90) returned 1 [0092.895] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\discussion complement stretch.exe", lpdwSize=0x353fc90) returned 1 [0092.896] CloseHandle (hObject=0x20c) returned 1 [0092.896] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="grantsfillingraises.exe")) returned 1 [0092.897] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.897] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.897] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe34) returned 0x20c [0092.897] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\grantsfillingraises.exe", lpdwSize=0x353fc90) returned 1 [0092.897] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\grantsfillingraises.exe", lpdwSize=0x353fc90) returned 1 [0092.897] CloseHandle (hObject=0x20c) returned 1 [0092.897] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="confused-periodic-returns.exe")) returned 1 [0092.898] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.898] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.898] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc98) returned 0x20c [0092.898] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\confused-periodic-returns.exe", lpdwSize=0x353fc90) returned 1 [0092.898] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\confused-periodic-returns.exe", lpdwSize=0x353fc90) returned 1 [0092.898] CloseHandle (hObject=0x20c) returned 1 [0092.899] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="song_vinyl_yours.exe")) returned 1 [0092.899] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.899] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.899] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf34) returned 0x20c [0092.899] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\song_vinyl_yours.exe", lpdwSize=0x353fc90) returned 1 [0092.900] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\song_vinyl_yours.exe", lpdwSize=0x353fc90) returned 1 [0092.900] CloseHandle (hObject=0x20c) returned 1 [0092.900] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="palmer-bugs.exe")) returned 1 [0092.900] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.900] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.901] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xee8) returned 0x20c [0092.901] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\palmer-bugs.exe", lpdwSize=0x353fc90) returned 1 [0092.901] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\palmer-bugs.exe", lpdwSize=0x353fc90) returned 1 [0092.901] CloseHandle (hObject=0x20c) returned 1 [0092.901] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="unlikely.exe")) returned 1 [0092.902] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.902] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.902] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa90) returned 0x20c [0092.902] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\unlikely.exe", lpdwSize=0x353fc90) returned 1 [0092.902] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\unlikely.exe", lpdwSize=0x353fc90) returned 1 [0092.902] CloseHandle (hObject=0x20c) returned 1 [0092.902] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="cambodia_alan.exe")) returned 1 [0092.903] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.903] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.903] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf00) returned 0x20c [0092.903] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\cambodia_alan.exe", lpdwSize=0x353fc90) returned 1 [0092.903] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\cambodia_alan.exe", lpdwSize=0x353fc90) returned 1 [0092.903] CloseHandle (hObject=0x20c) returned 1 [0092.904] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="powersellerauctions.exe")) returned 1 [0092.907] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.907] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.907] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4a4) returned 0x20c [0092.907] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\powersellerauctions.exe", lpdwSize=0x353fc90) returned 1 [0092.907] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\powersellerauctions.exe", lpdwSize=0x353fc90) returned 1 [0092.908] CloseHandle (hObject=0x20c) returned 1 [0092.908] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="supervisorswhats.exe")) returned 1 [0092.908] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.908] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.908] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf48) returned 0x20c [0092.908] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\supervisorswhats.exe", lpdwSize=0x353fc90) returned 1 [0092.909] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\supervisorswhats.exe", lpdwSize=0x353fc90) returned 1 [0092.909] CloseHandle (hObject=0x20c) returned 1 [0092.909] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="client-mathematical.exe")) returned 1 [0092.909] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.910] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.910] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf60) returned 0x20c [0092.910] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\client-mathematical.exe", lpdwSize=0x353fc90) returned 1 [0092.910] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\client-mathematical.exe", lpdwSize=0x353fc90) returned 1 [0092.910] CloseHandle (hObject=0x20c) returned 1 [0092.910] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="azresolve.exe")) returned 1 [0092.911] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.911] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.911] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdcc) returned 0x20c [0092.911] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\azresolve.exe", lpdwSize=0x353fc90) returned 1 [0092.911] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\azresolve.exe", lpdwSize=0x353fc90) returned 1 [0092.911] CloseHandle (hObject=0x20c) returned 1 [0092.911] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="shawscenic.exe")) returned 1 [0092.912] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.913] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.913] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x20c [0092.913] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\shawscenic.exe", lpdwSize=0x353fc90) returned 1 [0092.913] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\shawscenic.exe", lpdwSize=0x353fc90) returned 1 [0092.913] CloseHandle (hObject=0x20c) returned 1 [0092.913] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="illinois combo.exe")) returned 1 [0092.914] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.914] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.914] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x20c [0092.915] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Common Files\\illinois combo.exe", lpdwSize=0x353fc90) returned 1 [0092.915] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Common Files\\illinois combo.exe", lpdwSize=0x353fc90) returned 1 [0092.915] CloseHandle (hObject=0x20c) returned 1 [0092.915] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="dat_kenny_ladder.exe")) returned 1 [0092.916] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.916] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.916] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf18) returned 0x20c [0092.917] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\dat_kenny_ladder.exe", lpdwSize=0x353fc90) returned 1 [0092.917] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\dat_kenny_ladder.exe", lpdwSize=0x353fc90) returned 1 [0092.917] CloseHandle (hObject=0x20c) returned 1 [0092.917] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="plasma.exe")) returned 1 [0092.918] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.918] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0092.918] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfb4) returned 0x20c [0092.918] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Defender\\plasma.exe", lpdwSize=0x353fc90) returned 1 [0092.918] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Defender\\plasma.exe", lpdwSize=0x353fc90) returned 1 [0092.919] CloseHandle (hObject=0x20c) returned 1 [0092.919] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0092.920] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0092.920] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.020] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb78) returned 0x20c [0093.020] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\3dftp.exe", lpdwSize=0x353fc90) returned 1 [0093.021] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\3dftp.exe", lpdwSize=0x353fc90) returned 1 [0093.021] CloseHandle (hObject=0x20c) returned 1 [0093.021] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0093.022] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.022] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.022] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x20c [0093.022] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\absolutetelnet.exe", lpdwSize=0x353fc90) returned 1 [0093.023] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\absolutetelnet.exe", lpdwSize=0x353fc90) returned 1 [0093.023] CloseHandle (hObject=0x20c) returned 1 [0093.023] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xaf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0093.024] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.024] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.024] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xaf4) returned 0x20c [0093.024] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\alftp.exe", lpdwSize=0x353fc90) returned 1 [0093.025] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\alftp.exe", lpdwSize=0x353fc90) returned 1 [0093.025] CloseHandle (hObject=0x20c) returned 1 [0093.025] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0093.026] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.026] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.026] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xadc) returned 0x20c [0093.026] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\barca.exe", lpdwSize=0x353fc90) returned 1 [0093.027] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\barca.exe", lpdwSize=0x353fc90) returned 1 [0093.027] CloseHandle (hObject=0x20c) returned 1 [0093.027] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0093.028] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.028] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.028] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7f0) returned 0x20c [0093.028] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\bitkinex.exe", lpdwSize=0x353fc90) returned 1 [0093.028] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\bitkinex.exe", lpdwSize=0x353fc90) returned 1 [0093.029] CloseHandle (hObject=0x20c) returned 1 [0093.029] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0093.173] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.173] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.173] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb08) returned 0x20c [0093.173] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Internet Explorer\\coreftp.exe", lpdwSize=0x353fc90) returned 1 [0093.174] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Internet Explorer\\coreftp.exe", lpdwSize=0x353fc90) returned 1 [0093.174] CloseHandle (hObject=0x20c) returned 1 [0093.174] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0093.175] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.175] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.175] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf2c) returned 0x20c [0093.176] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\MSBuild\\far.exe", lpdwSize=0x353fc90) returned 1 [0093.176] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\MSBuild\\far.exe", lpdwSize=0x353fc90) returned 1 [0093.176] CloseHandle (hObject=0x20c) returned 1 [0093.176] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0093.177] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.178] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.178] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x384) returned 0x20c [0093.178] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\filezilla.exe", lpdwSize=0x353fc90) returned 1 [0093.178] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\filezilla.exe", lpdwSize=0x353fc90) returned 1 [0093.178] CloseHandle (hObject=0x20c) returned 1 [0093.178] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0093.179] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.180] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.180] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde0) returned 0x20c [0093.180] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\flashfxp.exe", lpdwSize=0x353fc90) returned 1 [0093.180] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\flashfxp.exe", lpdwSize=0x353fc90) returned 1 [0093.180] CloseHandle (hObject=0x20c) returned 1 [0093.180] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0093.182] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.182] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.182] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x790) returned 0x20c [0093.182] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\fling.exe", lpdwSize=0x353fc90) returned 1 [0093.182] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\fling.exe", lpdwSize=0x353fc90) returned 1 [0093.182] CloseHandle (hObject=0x20c) returned 1 [0093.182] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0093.184] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.184] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.184] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc14) returned 0x20c [0093.184] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\foxmailincmail.exe", lpdwSize=0x353fc90) returned 1 [0093.184] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\foxmailincmail.exe", lpdwSize=0x353fc90) returned 1 [0093.185] CloseHandle (hObject=0x20c) returned 1 [0093.185] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0093.190] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.190] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.190] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x20c [0093.190] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\gmailnotifierpro.exe", lpdwSize=0x353fc90) returned 1 [0093.190] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\gmailnotifierpro.exe", lpdwSize=0x353fc90) returned 1 [0093.190] CloseHandle (hObject=0x20c) returned 1 [0093.190] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0093.191] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.192] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.192] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1010) returned 0x20c [0093.192] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\icq.exe", lpdwSize=0x353fc90) returned 1 [0093.192] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\icq.exe", lpdwSize=0x353fc90) returned 1 [0093.192] CloseHandle (hObject=0x20c) returned 1 [0093.192] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1024, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0093.193] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.193] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.193] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1024) returned 0x20c [0093.193] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\leechftp.exe", lpdwSize=0x353fc90) returned 1 [0093.194] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\leechftp.exe", lpdwSize=0x353fc90) returned 1 [0093.194] CloseHandle (hObject=0x20c) returned 1 [0093.194] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1038, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0093.195] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.195] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.195] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1038) returned 0x20c [0093.195] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\ncftp.exe", lpdwSize=0x353fc90) returned 1 [0093.196] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\ncftp.exe", lpdwSize=0x353fc90) returned 1 [0093.196] CloseHandle (hObject=0x20c) returned 1 [0093.196] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0093.198] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.198] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.198] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x104c) returned 0x20c [0093.198] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0093.199] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0093.199] CloseHandle (hObject=0x20c) returned 1 [0093.199] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1060, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0093.200] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.200] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.200] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1060) returned 0x20c [0093.200] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\operamail.exe", lpdwSize=0x353fc90) returned 1 [0093.201] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\operamail.exe", lpdwSize=0x353fc90) returned 1 [0093.201] CloseHandle (hObject=0x20c) returned 1 [0093.202] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1074, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0093.203] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.203] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.203] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1074) returned 0x20c [0093.203] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\outlook.exe", lpdwSize=0x353fc90) returned 1 [0093.204] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\outlook.exe", lpdwSize=0x353fc90) returned 1 [0093.204] CloseHandle (hObject=0x20c) returned 1 [0093.204] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1088, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0093.205] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.205] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.205] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1088) returned 0x20c [0093.206] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\pidgin.exe", lpdwSize=0x353fc90) returned 1 [0093.206] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\pidgin.exe", lpdwSize=0x353fc90) returned 1 [0093.206] CloseHandle (hObject=0x20c) returned 1 [0093.206] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x109c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0093.207] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.207] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.207] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x109c) returned 0x20c [0093.208] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\scriptftp.exe", lpdwSize=0x353fc90) returned 1 [0093.208] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\scriptftp.exe", lpdwSize=0x353fc90) returned 1 [0093.208] CloseHandle (hObject=0x20c) returned 1 [0093.208] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0093.209] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.209] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.209] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b0) returned 0x20c [0093.210] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\skype.exe", lpdwSize=0x353fc90) returned 1 [0093.210] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\skype.exe", lpdwSize=0x353fc90) returned 1 [0093.210] CloseHandle (hObject=0x20c) returned 1 [0093.210] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0093.211] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.211] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.211] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10c4) returned 0x20c [0093.212] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x353fc90) returned 1 [0093.212] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x353fc90) returned 1 [0093.212] CloseHandle (hObject=0x20c) returned 1 [0093.212] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0093.213] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.213] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.213] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10d8) returned 0x20c [0093.214] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\thunderbird.exe", lpdwSize=0x353fc90) returned 1 [0093.214] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\thunderbird.exe", lpdwSize=0x353fc90) returned 1 [0093.214] CloseHandle (hObject=0x20c) returned 1 [0093.214] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0093.215] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.215] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.216] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10ec) returned 0x20c [0093.216] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\totalcmd.exe", lpdwSize=0x353fc90) returned 1 [0093.216] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\totalcmd.exe", lpdwSize=0x353fc90) returned 1 [0093.216] CloseHandle (hObject=0x20c) returned 1 [0093.216] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1100, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0093.472] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.472] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.472] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1100) returned 0x20c [0093.472] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\trillian.exe", lpdwSize=0x353fc90) returned 1 [0093.472] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\trillian.exe", lpdwSize=0x353fc90) returned 1 [0093.472] CloseHandle (hObject=0x20c) returned 1 [0093.473] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0093.474] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.474] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.474] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1114) returned 0x20c [0093.474] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\webdrive.exe", lpdwSize=0x353fc90) returned 1 [0093.474] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\webdrive.exe", lpdwSize=0x353fc90) returned 1 [0093.474] CloseHandle (hObject=0x20c) returned 1 [0093.474] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1128, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0093.475] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.475] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.475] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1128) returned 0x20c [0093.475] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\whatsapp.exe", lpdwSize=0x353fc90) returned 1 [0093.475] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\whatsapp.exe", lpdwSize=0x353fc90) returned 1 [0093.476] CloseHandle (hObject=0x20c) returned 1 [0093.476] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x113c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0093.476] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.477] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.477] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x113c) returned 0x20c [0093.477] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\winscp.exe", lpdwSize=0x353fc90) returned 1 [0093.477] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\winscp.exe", lpdwSize=0x353fc90) returned 1 [0093.477] CloseHandle (hObject=0x20c) returned 1 [0093.477] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0093.478] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.478] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.478] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x20c [0093.478] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Media Player\\yahoomessenger.exe", lpdwSize=0x353fc90) returned 1 [0093.478] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Media Player\\yahoomessenger.exe", lpdwSize=0x353fc90) returned 1 [0093.478] CloseHandle (hObject=0x20c) returned 1 [0093.479] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0093.479] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.479] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.479] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x20c [0093.480] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\active-charge.exe", lpdwSize=0x353fc90) returned 1 [0093.480] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\active-charge.exe", lpdwSize=0x353fc90) returned 1 [0093.480] CloseHandle (hObject=0x20c) returned 1 [0093.480] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0093.481] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.481] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.481] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x20c [0093.481] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\accupos.exe", lpdwSize=0x353fc90) returned 1 [0093.481] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\accupos.exe", lpdwSize=0x353fc90) returned 1 [0093.481] CloseHandle (hObject=0x20c) returned 1 [0093.481] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0093.482] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.484] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.484] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x20c [0093.484] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\afr38.exe", lpdwSize=0x353fc90) returned 1 [0093.484] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\afr38.exe", lpdwSize=0x353fc90) returned 1 [0093.484] CloseHandle (hObject=0x20c) returned 1 [0093.484] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0093.485] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.485] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.485] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x20c [0093.485] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\aldelo.exe", lpdwSize=0x353fc90) returned 1 [0093.486] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\aldelo.exe", lpdwSize=0x353fc90) returned 1 [0093.486] CloseHandle (hObject=0x20c) returned 1 [0093.486] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0093.487] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.487] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.487] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x20c [0093.487] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\ccv_server.exe", lpdwSize=0x353fc90) returned 1 [0093.487] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\ccv_server.exe", lpdwSize=0x353fc90) returned 1 [0093.487] CloseHandle (hObject=0x20c) returned 1 [0093.487] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0093.488] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.488] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.488] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x20c [0093.488] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\centralcreditcard.exe", lpdwSize=0x353fc90) returned 1 [0093.488] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\centralcreditcard.exe", lpdwSize=0x353fc90) returned 1 [0093.489] CloseHandle (hObject=0x20c) returned 1 [0093.489] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0093.489] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.490] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.490] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x20c [0093.490] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\creditservice.exe", lpdwSize=0x353fc90) returned 1 [0093.490] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\creditservice.exe", lpdwSize=0x353fc90) returned 1 [0093.490] CloseHandle (hObject=0x20c) returned 1 [0093.490] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0093.491] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.491] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.491] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x20c [0093.491] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\edcsvr.exe", lpdwSize=0x353fc90) returned 1 [0093.491] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\edcsvr.exe", lpdwSize=0x353fc90) returned 1 [0093.491] CloseHandle (hObject=0x20c) returned 1 [0093.491] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0093.492] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.492] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.492] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x20c [0093.492] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Sidebar\\fpos.exe", lpdwSize=0x353fc90) returned 1 [0093.493] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Sidebar\\fpos.exe", lpdwSize=0x353fc90) returned 1 [0093.493] CloseHandle (hObject=0x20c) returned 1 [0093.493] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0093.494] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.494] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.494] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x20c [0093.494] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Java\\isspos.exe", lpdwSize=0x353fc90) returned 1 [0093.494] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Java\\isspos.exe", lpdwSize=0x353fc90) returned 1 [0093.494] CloseHandle (hObject=0x20c) returned 1 [0093.494] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0093.495] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.495] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.495] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x20c [0093.495] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\mxslipstream.exe", lpdwSize=0x353fc90) returned 1 [0093.496] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\mxslipstream.exe", lpdwSize=0x353fc90) returned 1 [0093.496] CloseHandle (hObject=0x20c) returned 1 [0093.496] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0093.497] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.497] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.497] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x20c [0093.497] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\omnipos.exe", lpdwSize=0x353fc90) returned 1 [0093.497] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\omnipos.exe", lpdwSize=0x353fc90) returned 1 [0093.497] CloseHandle (hObject=0x20c) returned 1 [0093.497] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0093.498] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.498] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.498] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x20c [0093.498] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Uninstall Information\\spcwin.exe", lpdwSize=0x353fc90) returned 1 [0093.499] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Uninstall Information\\spcwin.exe", lpdwSize=0x353fc90) returned 1 [0093.499] CloseHandle (hObject=0x20c) returned 1 [0093.499] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0093.500] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.500] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.500] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x20c [0093.500] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\spgagentservice.exe", lpdwSize=0x353fc90) returned 1 [0093.500] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\spgagentservice.exe", lpdwSize=0x353fc90) returned 1 [0093.500] CloseHandle (hObject=0x20c) returned 1 [0093.500] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0093.501] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.501] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.501] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x20c [0093.501] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\utg2.exe", lpdwSize=0x353fc90) returned 1 [0093.501] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\utg2.exe", lpdwSize=0x353fc90) returned 1 [0093.501] CloseHandle (hObject=0x20c) returned 1 [0093.501] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare brown worth.exe")) returned 1 [0093.502] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.502] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.502] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x20c [0093.502] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\compare brown worth.exe", lpdwSize=0x353fc90) returned 1 [0093.503] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\compare brown worth.exe", lpdwSize=0x353fc90) returned 1 [0093.503] CloseHandle (hObject=0x20c) returned 1 [0093.503] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="purchase.exe")) returned 1 [0093.504] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.504] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.504] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12a4) returned 0x20c [0093.504] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\purchase.exe", lpdwSize=0x353fc90) returned 1 [0093.504] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\purchase.exe", lpdwSize=0x353fc90) returned 1 [0093.504] CloseHandle (hObject=0x20c) returned 1 [0093.504] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="timothy.exe")) returned 1 [0093.505] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.505] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.505] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b8) returned 0x20c [0093.505] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\timothy.exe", lpdwSize=0x353fc90) returned 1 [0093.505] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\timothy.exe", lpdwSize=0x353fc90) returned 1 [0093.505] CloseHandle (hObject=0x20c) returned 1 [0093.505] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="across-camel-teachers.exe")) returned 1 [0093.506] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.506] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.506] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12cc) returned 0x20c [0093.506] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\across-camel-teachers.exe", lpdwSize=0x353fc90) returned 1 [0093.507] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\across-camel-teachers.exe", lpdwSize=0x353fc90) returned 1 [0093.507] CloseHandle (hObject=0x20c) returned 1 [0093.507] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pst.exe")) returned 1 [0093.508] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.508] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.508] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12e0) returned 0x20c [0093.508] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\pst.exe", lpdwSize=0x353fc90) returned 1 [0093.508] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\pst.exe", lpdwSize=0x353fc90) returned 1 [0093.508] CloseHandle (hObject=0x20c) returned 1 [0093.508] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0093.509] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.509] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.509] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13bc) returned 0x20c [0093.509] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0093.509] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0093.509] CloseHandle (hObject=0x20c) returned 1 [0093.509] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0093.510] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.510] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.510] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13cc) returned 0x20c [0093.510] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x353fc90) returned 1 [0093.510] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x353fc90) returned 1 [0093.511] CloseHandle (hObject=0x20c) returned 1 [0093.511] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0093.511] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.511] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.511] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13dc) returned 0x20c [0093.512] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0093.512] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0093.512] CloseHandle (hObject=0x20c) returned 1 [0093.512] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0093.513] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.513] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.513] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13e4) returned 0x20c [0093.513] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x353fc90) returned 1 [0093.513] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x353fc90) returned 1 [0093.513] CloseHandle (hObject=0x20c) returned 1 [0093.513] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0093.607] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.608] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.608] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13ec) returned 0x20c [0093.608] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0093.608] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0093.608] CloseHandle (hObject=0x20c) returned 1 [0093.609] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0093.609] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.609] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.609] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13f4) returned 0x20c [0093.610] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0093.610] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0093.610] CloseHandle (hObject=0x20c) returned 1 [0093.610] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1098, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0093.611] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.611] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.611] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1098) returned 0x20c [0093.611] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x353fc90) returned 1 [0093.611] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x353fc90) returned 1 [0093.611] CloseHandle (hObject=0x20c) returned 1 [0093.611] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x13e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0093.612] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.612] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.612] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xad4) returned 0x20c [0093.613] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0093.613] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0093.613] CloseHandle (hObject=0x20c) returned 1 [0093.613] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x608, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x13cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0093.614] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.614] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.614] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x608) returned 0x20c [0093.614] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0093.614] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0093.614] CloseHandle (hObject=0x20c) returned 1 [0093.614] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xda8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xaac, pcPriClassBase=8, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0093.615] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.615] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.615] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xda8) returned 0x20c [0093.616] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpdwSize=0x353fc90) returned 1 [0093.616] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpdwSize=0x353fc90) returned 1 [0093.616] CloseHandle (hObject=0x20c) returned 1 [0093.616] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xaac, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0093.617] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.617] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.617] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x378) returned 0x20c [0093.617] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0093.618] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0093.618] CloseHandle (hObject=0x20c) returned 1 [0093.618] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdd0064, th32DefaultHeapID=0xff01, th32ModuleID=0x53fa9c, cntThreads=0x353fa9c, th32ParentProcessID=0x1031000, pcPriClassBase=32, dwFlags=0x48, szExeFile="????p")) returned 0 [0093.619] CloseHandle (hObject=0x208) returned 1 [0093.619] Sleep (dwMilliseconds=0x1) [0093.707] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x353fd2c, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0093.707] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2e3a6c8, cbMultiByte=12, lpWideCharStr=0x353ee34, cchWideChar=2047 | out: lpWideCharStr="ccleaner.exesqlplussvc.exe") returned 12 [0093.708] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ccleaner.exe", cchWideChar=12, lpMultiByteStr=0x353eca8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ccleaner.exe", lpUsedDefaultChar=0x0) returned 12 [0093.709] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x353fa9c, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0093.709] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x353eca4, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exener.exe", lpUsedDefaultChar=0x0) returned 9 [0093.709] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x208 [0093.727] Process32First (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0093.728] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.728] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.728] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0093.730] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ccleaner.exe", cchWideChar=12, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ccleaner.exe\x09", lpUsedDefaultChar=0x0) returned 12 [0093.730] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0093.730] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.731] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.731] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x20c [0093.731] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 0 [0093.731] GetLastError () returned 0x1f [0093.731] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 0 [0093.731] CloseHandle (hObject=0x20c) returned 1 [0093.789] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0093.790] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.790] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.790] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x20c [0093.790] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x353fc90) returned 1 [0093.790] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10186bc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x353fc90) returned 1 [0093.790] CloseHandle (hObject=0x20c) returned 1 [0093.791] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0093.791] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.791] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.791] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0093.791] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0093.792] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.792] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.792] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x20c [0093.792] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x353fc90) returned 1 [0093.792] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x353fc90) returned 1 [0093.793] CloseHandle (hObject=0x20c) returned 1 [0093.793] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0093.793] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.793] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.793] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0093.793] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0093.794] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.794] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.794] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x20c [0093.794] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x353fc90) returned 1 [0093.794] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x353fc90) returned 1 [0093.795] CloseHandle (hObject=0x20c) returned 1 [0093.795] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0093.796] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.796] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.796] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x20c [0093.796] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x353fc90) returned 1 [0093.796] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x353fc90) returned 1 [0093.796] CloseHandle (hObject=0x20c) returned 1 [0093.796] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0093.797] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.797] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.797] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x20c [0093.797] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x353fc90) returned 1 [0093.797] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10187bc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x353fc90) returned 1 [0093.797] CloseHandle (hObject=0x20c) returned 1 [0093.798] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.798] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.798] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.798] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x20c [0093.798] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0093.799] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0093.799] CloseHandle (hObject=0x20c) returned 1 [0093.799] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0093.799] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.799] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.799] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0093.800] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0093.800] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.800] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.800] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0093.800] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.801] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.801] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.801] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x20c [0093.801] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0093.801] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0093.802] CloseHandle (hObject=0x20c) returned 1 [0093.802] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0093.802] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.802] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.802] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0093.802] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.803] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.803] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.803] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x20c [0093.803] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0093.803] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0093.804] CloseHandle (hObject=0x20c) returned 1 [0093.804] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x64, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.804] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.804] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.804] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x20c [0093.804] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0093.805] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0093.805] CloseHandle (hObject=0x20c) returned 1 [0093.805] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.805] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.806] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.806] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x20c [0093.806] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0093.806] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0093.806] CloseHandle (hObject=0x20c) returned 1 [0093.806] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.807] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.807] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.807] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x20c [0093.807] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0093.807] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0093.807] CloseHandle (hObject=0x20c) returned 1 [0093.807] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.808] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.808] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.808] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x20c [0093.808] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0093.808] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0093.808] CloseHandle (hObject=0x20c) returned 1 [0093.808] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.809] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.809] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.809] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x20c [0093.809] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0093.809] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0093.810] CloseHandle (hObject=0x20c) returned 1 [0093.810] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.810] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.810] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.810] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x20c [0093.811] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0093.811] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0093.811] CloseHandle (hObject=0x20c) returned 1 [0093.811] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.812] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.812] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.812] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x20c [0093.812] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0093.812] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0093.812] CloseHandle (hObject=0x20c) returned 1 [0093.812] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.813] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.813] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.813] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x20c [0093.813] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0093.813] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0093.813] CloseHandle (hObject=0x20c) returned 1 [0093.813] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.814] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.814] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.814] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x20c [0093.814] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0093.814] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0093.815] CloseHandle (hObject=0x20c) returned 1 [0093.815] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.815] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.815] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.815] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x20c [0093.815] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0093.816] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0093.816] CloseHandle (hObject=0x20c) returned 1 [0093.816] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0093.816] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.816] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.816] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x20c [0093.817] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x353fc90) returned 1 [0093.817] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x353fc90) returned 1 [0093.817] CloseHandle (hObject=0x20c) returned 1 [0093.817] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0093.818] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.818] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.818] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x20c [0093.818] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x353fc90) returned 1 [0093.818] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x353fc90) returned 1 [0093.818] CloseHandle (hObject=0x20c) returned 1 [0093.818] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0093.819] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.819] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.819] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x20c [0093.819] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x353fc90) returned 1 [0093.819] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x353fc90) returned 1 [0093.819] CloseHandle (hObject=0x20c) returned 1 [0093.819] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0093.820] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.820] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.820] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x20c [0093.820] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0093.820] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0093.820] CloseHandle (hObject=0x20c) returned 1 [0093.821] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0093.821] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.821] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.821] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x20c [0093.821] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0093.822] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0093.822] CloseHandle (hObject=0x20c) returned 1 [0093.822] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0093.822] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.822] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.822] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x20c [0093.823] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x353fc90) returned 1 [0093.823] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10186bc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x353fc90) returned 1 [0093.823] CloseHandle (hObject=0x20c) returned 1 [0093.823] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0093.824] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.824] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.824] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x20c [0093.824] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x353fc90) returned 1 [0093.824] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x353fc90) returned 1 [0093.824] CloseHandle (hObject=0x20c) returned 1 [0093.824] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0093.825] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.825] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.825] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x20c [0093.825] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 1 [0093.825] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 1 [0093.825] CloseHandle (hObject=0x20c) returned 1 [0093.825] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0093.826] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0093.993] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0093.993] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x20c [0093.993] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 0 [0093.994] GetLastError () returned 0x1f [0093.994] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 0 [0093.994] CloseHandle (hObject=0x20c) returned 1 [0094.005] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0094.006] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.006] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.006] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x20c [0094.006] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x353fc90) returned 1 [0094.007] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x353fc90) returned 1 [0094.007] CloseHandle (hObject=0x20c) returned 1 [0094.007] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0094.008] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.008] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.008] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x20c [0094.008] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x353fc90) returned 1 [0094.008] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x353fc90) returned 1 [0094.008] CloseHandle (hObject=0x20c) returned 1 [0094.008] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0094.009] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.009] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.009] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x20c [0094.009] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x353fc90) returned 1 [0094.009] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x353fc90) returned 1 [0094.010] CloseHandle (hObject=0x20c) returned 1 [0094.010] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0094.010] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.010] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.010] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0094.010] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0094.011] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.011] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.011] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0094.011] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.012] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.012] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.012] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x20c [0094.012] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.012] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.012] CloseHandle (hObject=0x20c) returned 1 [0094.013] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0094.013] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.013] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.013] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdec) returned 0x20c [0094.013] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x353fc90) returned 1 [0094.014] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x353fc90) returned 1 [0094.015] CloseHandle (hObject=0x20c) returned 1 [0094.015] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SppExtComObj.Exe")) returned 1 [0094.015] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.015] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.015] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1a4) returned 0x0 [0094.015] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="manufacturers.exe")) returned 1 [0094.016] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.016] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.016] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb14) returned 0x20c [0094.016] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\manufacturers.exe", lpdwSize=0x353fc90) returned 1 [0094.016] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\manufacturers.exe", lpdwSize=0x353fc90) returned 1 [0094.017] CloseHandle (hObject=0x20c) returned 1 [0094.017] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="posters struggle.exe")) returned 1 [0094.017] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.017] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.017] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb00) returned 0x20c [0094.017] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\posters struggle.exe", lpdwSize=0x353fc90) returned 1 [0094.018] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\posters struggle.exe", lpdwSize=0x353fc90) returned 1 [0094.018] CloseHandle (hObject=0x20c) returned 1 [0094.018] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x650, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="dnsreliablemovie.exe")) returned 1 [0094.018] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.019] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.019] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x650) returned 0x20c [0094.019] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\dnsreliablemovie.exe", lpdwSize=0x353fc90) returned 1 [0094.019] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\dnsreliablemovie.exe", lpdwSize=0x353fc90) returned 1 [0094.019] CloseHandle (hObject=0x20c) returned 1 [0094.019] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="uristackaluminum.exe")) returned 1 [0094.020] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.020] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.020] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf8) returned 0x20c [0094.020] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\uristackaluminum.exe", lpdwSize=0x353fc90) returned 1 [0094.020] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\uristackaluminum.exe", lpdwSize=0x353fc90) returned 1 [0094.020] CloseHandle (hObject=0x20c) returned 1 [0094.020] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="freedom.exe")) returned 1 [0094.021] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.021] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.021] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8a0) returned 0x20c [0094.021] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\freedom.exe", lpdwSize=0x353fc90) returned 1 [0094.021] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\freedom.exe", lpdwSize=0x353fc90) returned 1 [0094.022] CloseHandle (hObject=0x20c) returned 1 [0094.022] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="discussion complement stretch.exe")) returned 1 [0094.022] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.022] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.022] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x20c [0094.022] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\discussion complement stretch.exe", lpdwSize=0x353fc90) returned 1 [0094.023] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\discussion complement stretch.exe", lpdwSize=0x353fc90) returned 1 [0094.023] CloseHandle (hObject=0x20c) returned 1 [0094.023] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="grantsfillingraises.exe")) returned 1 [0094.023] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.024] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.024] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe34) returned 0x20c [0094.024] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\grantsfillingraises.exe", lpdwSize=0x353fc90) returned 1 [0094.024] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\grantsfillingraises.exe", lpdwSize=0x353fc90) returned 1 [0094.024] CloseHandle (hObject=0x20c) returned 1 [0094.024] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="confused-periodic-returns.exe")) returned 1 [0094.025] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.025] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.025] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc98) returned 0x20c [0094.025] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\confused-periodic-returns.exe", lpdwSize=0x353fc90) returned 1 [0094.025] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\confused-periodic-returns.exe", lpdwSize=0x353fc90) returned 1 [0094.025] CloseHandle (hObject=0x20c) returned 1 [0094.025] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="song_vinyl_yours.exe")) returned 1 [0094.026] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.026] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.026] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf34) returned 0x20c [0094.026] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\song_vinyl_yours.exe", lpdwSize=0x353fc90) returned 1 [0094.026] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\song_vinyl_yours.exe", lpdwSize=0x353fc90) returned 1 [0094.026] CloseHandle (hObject=0x20c) returned 1 [0094.027] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="palmer-bugs.exe")) returned 1 [0094.027] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.027] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.027] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xee8) returned 0x20c [0094.027] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\palmer-bugs.exe", lpdwSize=0x353fc90) returned 1 [0094.028] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\palmer-bugs.exe", lpdwSize=0x353fc90) returned 1 [0094.028] CloseHandle (hObject=0x20c) returned 1 [0094.028] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="unlikely.exe")) returned 1 [0094.028] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.028] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.029] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa90) returned 0x20c [0094.029] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\unlikely.exe", lpdwSize=0x353fc90) returned 1 [0094.029] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\unlikely.exe", lpdwSize=0x353fc90) returned 1 [0094.029] CloseHandle (hObject=0x20c) returned 1 [0094.084] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="cambodia_alan.exe")) returned 1 [0094.085] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.085] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.085] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf00) returned 0x20c [0094.085] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\cambodia_alan.exe", lpdwSize=0x353fc90) returned 1 [0094.086] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\cambodia_alan.exe", lpdwSize=0x353fc90) returned 1 [0094.086] CloseHandle (hObject=0x20c) returned 1 [0094.086] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="powersellerauctions.exe")) returned 1 [0094.087] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.087] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.087] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4a4) returned 0x20c [0094.087] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\powersellerauctions.exe", lpdwSize=0x353fc90) returned 1 [0094.087] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\powersellerauctions.exe", lpdwSize=0x353fc90) returned 1 [0094.087] CloseHandle (hObject=0x20c) returned 1 [0094.087] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="supervisorswhats.exe")) returned 1 [0094.088] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.088] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.088] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf48) returned 0x20c [0094.088] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\supervisorswhats.exe", lpdwSize=0x353fc90) returned 1 [0094.088] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\supervisorswhats.exe", lpdwSize=0x353fc90) returned 1 [0094.089] CloseHandle (hObject=0x20c) returned 1 [0094.089] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="client-mathematical.exe")) returned 1 [0094.089] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.089] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.090] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf60) returned 0x20c [0094.090] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\client-mathematical.exe", lpdwSize=0x353fc90) returned 1 [0094.090] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\client-mathematical.exe", lpdwSize=0x353fc90) returned 1 [0094.090] CloseHandle (hObject=0x20c) returned 1 [0094.090] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="azresolve.exe")) returned 1 [0094.091] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.091] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.091] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdcc) returned 0x20c [0094.091] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\azresolve.exe", lpdwSize=0x353fc90) returned 1 [0094.091] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\azresolve.exe", lpdwSize=0x353fc90) returned 1 [0094.091] CloseHandle (hObject=0x20c) returned 1 [0094.091] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="shawscenic.exe")) returned 1 [0094.093] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.093] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.093] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x20c [0094.093] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\shawscenic.exe", lpdwSize=0x353fc90) returned 1 [0094.093] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\shawscenic.exe", lpdwSize=0x353fc90) returned 1 [0094.093] CloseHandle (hObject=0x20c) returned 1 [0094.093] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="illinois combo.exe")) returned 1 [0094.094] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.095] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.095] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x20c [0094.095] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Common Files\\illinois combo.exe", lpdwSize=0x353fc90) returned 1 [0094.095] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Common Files\\illinois combo.exe", lpdwSize=0x353fc90) returned 1 [0094.095] CloseHandle (hObject=0x20c) returned 1 [0094.095] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="dat_kenny_ladder.exe")) returned 1 [0094.096] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.096] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.096] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf18) returned 0x20c [0094.096] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\dat_kenny_ladder.exe", lpdwSize=0x353fc90) returned 1 [0094.097] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\dat_kenny_ladder.exe", lpdwSize=0x353fc90) returned 1 [0094.097] CloseHandle (hObject=0x20c) returned 1 [0094.097] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="plasma.exe")) returned 1 [0094.098] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.098] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.098] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfb4) returned 0x20c [0094.098] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Defender\\plasma.exe", lpdwSize=0x353fc90) returned 1 [0094.098] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Defender\\plasma.exe", lpdwSize=0x353fc90) returned 1 [0094.098] CloseHandle (hObject=0x20c) returned 1 [0094.098] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0094.099] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.100] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.100] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb78) returned 0x20c [0094.100] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\3dftp.exe", lpdwSize=0x353fc90) returned 1 [0094.100] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\3dftp.exe", lpdwSize=0x353fc90) returned 1 [0094.100] CloseHandle (hObject=0x20c) returned 1 [0094.100] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0094.101] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.102] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.102] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x20c [0094.102] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\absolutetelnet.exe", lpdwSize=0x353fc90) returned 1 [0094.102] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\absolutetelnet.exe", lpdwSize=0x353fc90) returned 1 [0094.102] CloseHandle (hObject=0x20c) returned 1 [0094.102] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xaf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0094.103] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.103] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.103] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xaf4) returned 0x20c [0094.103] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\alftp.exe", lpdwSize=0x353fc90) returned 1 [0094.104] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\alftp.exe", lpdwSize=0x353fc90) returned 1 [0094.104] CloseHandle (hObject=0x20c) returned 1 [0094.104] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0094.105] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.105] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.105] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xadc) returned 0x20c [0094.105] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\barca.exe", lpdwSize=0x353fc90) returned 1 [0094.105] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\barca.exe", lpdwSize=0x353fc90) returned 1 [0094.105] CloseHandle (hObject=0x20c) returned 1 [0094.105] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0094.106] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.106] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.106] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7f0) returned 0x20c [0094.107] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\bitkinex.exe", lpdwSize=0x353fc90) returned 1 [0094.107] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\bitkinex.exe", lpdwSize=0x353fc90) returned 1 [0094.107] CloseHandle (hObject=0x20c) returned 1 [0094.107] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0094.113] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.113] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.113] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb08) returned 0x20c [0094.113] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Internet Explorer\\coreftp.exe", lpdwSize=0x353fc90) returned 1 [0094.114] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Internet Explorer\\coreftp.exe", lpdwSize=0x353fc90) returned 1 [0094.114] CloseHandle (hObject=0x20c) returned 1 [0094.114] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0094.115] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.115] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.115] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf2c) returned 0x20c [0094.115] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\MSBuild\\far.exe", lpdwSize=0x353fc90) returned 1 [0094.115] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\MSBuild\\far.exe", lpdwSize=0x353fc90) returned 1 [0094.115] CloseHandle (hObject=0x20c) returned 1 [0094.115] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0094.116] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.116] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.116] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x384) returned 0x20c [0094.117] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\filezilla.exe", lpdwSize=0x353fc90) returned 1 [0094.117] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\filezilla.exe", lpdwSize=0x353fc90) returned 1 [0094.117] CloseHandle (hObject=0x20c) returned 1 [0094.117] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0094.118] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.118] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.118] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde0) returned 0x20c [0094.118] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\flashfxp.exe", lpdwSize=0x353fc90) returned 1 [0094.118] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\flashfxp.exe", lpdwSize=0x353fc90) returned 1 [0094.118] CloseHandle (hObject=0x20c) returned 1 [0094.119] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0094.120] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.120] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.120] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x790) returned 0x20c [0094.120] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\fling.exe", lpdwSize=0x353fc90) returned 1 [0094.120] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\fling.exe", lpdwSize=0x353fc90) returned 1 [0094.120] CloseHandle (hObject=0x20c) returned 1 [0094.120] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0094.121] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.121] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.121] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc14) returned 0x20c [0094.121] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\foxmailincmail.exe", lpdwSize=0x353fc90) returned 1 [0094.121] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\foxmailincmail.exe", lpdwSize=0x353fc90) returned 1 [0094.122] CloseHandle (hObject=0x20c) returned 1 [0094.122] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0094.123] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.194] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.194] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x20c [0094.194] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\gmailnotifierpro.exe", lpdwSize=0x353fc90) returned 1 [0094.195] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\gmailnotifierpro.exe", lpdwSize=0x353fc90) returned 1 [0094.195] CloseHandle (hObject=0x20c) returned 1 [0094.195] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0094.196] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.197] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.197] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1010) returned 0x20c [0094.197] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\icq.exe", lpdwSize=0x353fc90) returned 1 [0094.197] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\icq.exe", lpdwSize=0x353fc90) returned 1 [0094.197] CloseHandle (hObject=0x20c) returned 1 [0094.197] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1024, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0094.199] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.199] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.199] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1024) returned 0x20c [0094.199] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\leechftp.exe", lpdwSize=0x353fc90) returned 1 [0094.199] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\leechftp.exe", lpdwSize=0x353fc90) returned 1 [0094.199] CloseHandle (hObject=0x20c) returned 1 [0094.199] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1038, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0094.201] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.201] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.201] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1038) returned 0x20c [0094.201] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\ncftp.exe", lpdwSize=0x353fc90) returned 1 [0094.201] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\ncftp.exe", lpdwSize=0x353fc90) returned 1 [0094.202] CloseHandle (hObject=0x20c) returned 1 [0094.202] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0094.203] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.203] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.203] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x104c) returned 0x20c [0094.203] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0094.203] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0094.204] CloseHandle (hObject=0x20c) returned 1 [0094.204] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1060, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0094.205] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.205] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.205] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1060) returned 0x20c [0094.205] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\operamail.exe", lpdwSize=0x353fc90) returned 1 [0094.205] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\operamail.exe", lpdwSize=0x353fc90) returned 1 [0094.206] CloseHandle (hObject=0x20c) returned 1 [0094.206] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1074, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0094.207] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.207] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.207] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1074) returned 0x20c [0094.207] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\outlook.exe", lpdwSize=0x353fc90) returned 1 [0094.207] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\outlook.exe", lpdwSize=0x353fc90) returned 1 [0094.208] CloseHandle (hObject=0x20c) returned 1 [0094.208] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1088, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0094.209] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.209] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.209] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1088) returned 0x20c [0094.209] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\pidgin.exe", lpdwSize=0x353fc90) returned 1 [0094.209] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\pidgin.exe", lpdwSize=0x353fc90) returned 1 [0094.210] CloseHandle (hObject=0x20c) returned 1 [0094.210] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x109c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0094.211] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.211] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.211] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x109c) returned 0x20c [0094.211] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\scriptftp.exe", lpdwSize=0x353fc90) returned 1 [0094.211] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\scriptftp.exe", lpdwSize=0x353fc90) returned 1 [0094.212] CloseHandle (hObject=0x20c) returned 1 [0094.212] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0094.213] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.213] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.213] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b0) returned 0x20c [0094.213] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\skype.exe", lpdwSize=0x353fc90) returned 1 [0094.213] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\skype.exe", lpdwSize=0x353fc90) returned 1 [0094.214] CloseHandle (hObject=0x20c) returned 1 [0094.214] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0094.215] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.215] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.215] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10c4) returned 0x20c [0094.215] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x353fc90) returned 1 [0094.215] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x353fc90) returned 1 [0094.216] CloseHandle (hObject=0x20c) returned 1 [0094.216] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0094.217] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.217] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.217] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10d8) returned 0x20c [0094.217] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\thunderbird.exe", lpdwSize=0x353fc90) returned 1 [0094.218] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\thunderbird.exe", lpdwSize=0x353fc90) returned 1 [0094.218] CloseHandle (hObject=0x20c) returned 1 [0094.218] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0094.219] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.219] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.219] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10ec) returned 0x20c [0094.219] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\totalcmd.exe", lpdwSize=0x353fc90) returned 1 [0094.220] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\totalcmd.exe", lpdwSize=0x353fc90) returned 1 [0094.220] CloseHandle (hObject=0x20c) returned 1 [0094.220] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1100, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0094.221] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.221] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.221] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1100) returned 0x20c [0094.221] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\trillian.exe", lpdwSize=0x353fc90) returned 1 [0094.222] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\trillian.exe", lpdwSize=0x353fc90) returned 1 [0094.222] CloseHandle (hObject=0x20c) returned 1 [0094.222] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0094.223] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.223] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.223] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1114) returned 0x20c [0094.223] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\webdrive.exe", lpdwSize=0x353fc90) returned 1 [0094.224] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\webdrive.exe", lpdwSize=0x353fc90) returned 1 [0094.224] CloseHandle (hObject=0x20c) returned 1 [0094.224] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1128, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0094.225] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.225] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.225] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1128) returned 0x20c [0094.225] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\whatsapp.exe", lpdwSize=0x353fc90) returned 1 [0094.225] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\whatsapp.exe", lpdwSize=0x353fc90) returned 1 [0094.226] CloseHandle (hObject=0x20c) returned 1 [0094.226] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x113c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0094.227] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.227] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.227] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x113c) returned 0x20c [0094.227] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\winscp.exe", lpdwSize=0x353fc90) returned 1 [0094.227] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\winscp.exe", lpdwSize=0x353fc90) returned 1 [0094.228] CloseHandle (hObject=0x20c) returned 1 [0094.228] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0094.229] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.229] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.229] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x20c [0094.229] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Media Player\\yahoomessenger.exe", lpdwSize=0x353fc90) returned 1 [0094.229] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Media Player\\yahoomessenger.exe", lpdwSize=0x353fc90) returned 1 [0094.229] CloseHandle (hObject=0x20c) returned 1 [0094.230] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0094.231] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.231] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.231] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x20c [0094.231] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\active-charge.exe", lpdwSize=0x353fc90) returned 1 [0094.231] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\active-charge.exe", lpdwSize=0x353fc90) returned 1 [0094.231] CloseHandle (hObject=0x20c) returned 1 [0094.231] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0094.232] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.233] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.233] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x20c [0094.233] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\accupos.exe", lpdwSize=0x353fc90) returned 1 [0094.233] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\accupos.exe", lpdwSize=0x353fc90) returned 1 [0094.233] CloseHandle (hObject=0x20c) returned 1 [0094.233] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0094.234] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.234] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.235] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x20c [0094.235] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\afr38.exe", lpdwSize=0x353fc90) returned 1 [0094.235] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\afr38.exe", lpdwSize=0x353fc90) returned 1 [0094.235] CloseHandle (hObject=0x20c) returned 1 [0094.235] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0094.283] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.283] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.283] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x20c [0094.283] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\aldelo.exe", lpdwSize=0x353fc90) returned 1 [0094.283] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\aldelo.exe", lpdwSize=0x353fc90) returned 1 [0094.284] CloseHandle (hObject=0x20c) returned 1 [0094.284] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0094.285] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.285] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.285] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x20c [0094.285] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\ccv_server.exe", lpdwSize=0x353fc90) returned 1 [0094.285] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\ccv_server.exe", lpdwSize=0x353fc90) returned 1 [0094.286] CloseHandle (hObject=0x20c) returned 1 [0094.286] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0094.287] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.287] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.287] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x20c [0094.287] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\centralcreditcard.exe", lpdwSize=0x353fc90) returned 1 [0094.287] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\centralcreditcard.exe", lpdwSize=0x353fc90) returned 1 [0094.287] CloseHandle (hObject=0x20c) returned 1 [0094.288] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0094.289] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.289] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.289] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x20c [0094.289] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\creditservice.exe", lpdwSize=0x353fc90) returned 1 [0094.289] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\creditservice.exe", lpdwSize=0x353fc90) returned 1 [0094.289] CloseHandle (hObject=0x20c) returned 1 [0094.289] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0094.290] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.291] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.291] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x20c [0094.291] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\edcsvr.exe", lpdwSize=0x353fc90) returned 1 [0094.291] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\edcsvr.exe", lpdwSize=0x353fc90) returned 1 [0094.291] CloseHandle (hObject=0x20c) returned 1 [0094.291] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0094.292] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.292] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.292] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x20c [0094.293] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Sidebar\\fpos.exe", lpdwSize=0x353fc90) returned 1 [0094.293] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Sidebar\\fpos.exe", lpdwSize=0x353fc90) returned 1 [0094.293] CloseHandle (hObject=0x20c) returned 1 [0094.293] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0094.294] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.294] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.294] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x20c [0094.294] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Java\\isspos.exe", lpdwSize=0x353fc90) returned 1 [0094.295] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Java\\isspos.exe", lpdwSize=0x353fc90) returned 1 [0094.295] CloseHandle (hObject=0x20c) returned 1 [0094.295] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0094.296] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.297] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.297] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x20c [0094.297] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\mxslipstream.exe", lpdwSize=0x353fc90) returned 1 [0094.297] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\mxslipstream.exe", lpdwSize=0x353fc90) returned 1 [0094.297] CloseHandle (hObject=0x20c) returned 1 [0094.297] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0094.298] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.298] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.298] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x20c [0094.298] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\omnipos.exe", lpdwSize=0x353fc90) returned 1 [0094.299] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\omnipos.exe", lpdwSize=0x353fc90) returned 1 [0094.299] CloseHandle (hObject=0x20c) returned 1 [0094.299] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0094.300] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.300] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.300] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x20c [0094.300] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Uninstall Information\\spcwin.exe", lpdwSize=0x353fc90) returned 1 [0094.301] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Uninstall Information\\spcwin.exe", lpdwSize=0x353fc90) returned 1 [0094.301] CloseHandle (hObject=0x20c) returned 1 [0094.301] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0094.302] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.302] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.302] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x20c [0094.302] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\spgagentservice.exe", lpdwSize=0x353fc90) returned 1 [0094.302] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\spgagentservice.exe", lpdwSize=0x353fc90) returned 1 [0094.303] CloseHandle (hObject=0x20c) returned 1 [0094.303] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0094.304] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.304] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.304] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x20c [0094.304] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\utg2.exe", lpdwSize=0x353fc90) returned 1 [0094.304] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\utg2.exe", lpdwSize=0x353fc90) returned 1 [0094.304] CloseHandle (hObject=0x20c) returned 1 [0094.304] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare brown worth.exe")) returned 1 [0094.305] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.305] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.306] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x20c [0094.306] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\compare brown worth.exe", lpdwSize=0x353fc90) returned 1 [0094.306] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\compare brown worth.exe", lpdwSize=0x353fc90) returned 1 [0094.306] CloseHandle (hObject=0x20c) returned 1 [0094.306] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="purchase.exe")) returned 1 [0094.307] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.307] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.307] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12a4) returned 0x20c [0094.307] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\purchase.exe", lpdwSize=0x353fc90) returned 1 [0094.308] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\purchase.exe", lpdwSize=0x353fc90) returned 1 [0094.308] CloseHandle (hObject=0x20c) returned 1 [0094.308] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="timothy.exe")) returned 1 [0094.309] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.309] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.309] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b8) returned 0x20c [0094.309] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\timothy.exe", lpdwSize=0x353fc90) returned 1 [0094.309] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\timothy.exe", lpdwSize=0x353fc90) returned 1 [0094.310] CloseHandle (hObject=0x20c) returned 1 [0094.310] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="across-camel-teachers.exe")) returned 1 [0094.311] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.311] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.311] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12cc) returned 0x20c [0094.311] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\across-camel-teachers.exe", lpdwSize=0x353fc90) returned 1 [0094.311] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\across-camel-teachers.exe", lpdwSize=0x353fc90) returned 1 [0094.312] CloseHandle (hObject=0x20c) returned 1 [0094.312] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pst.exe")) returned 1 [0094.313] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.313] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.313] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12e0) returned 0x20c [0094.313] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\pst.exe", lpdwSize=0x353fc90) returned 1 [0094.313] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\pst.exe", lpdwSize=0x353fc90) returned 1 [0094.313] CloseHandle (hObject=0x20c) returned 1 [0094.313] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0094.314] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.314] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.315] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13bc) returned 0x20c [0094.315] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0094.315] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0094.315] CloseHandle (hObject=0x20c) returned 1 [0094.315] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0094.316] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.316] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.316] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13cc) returned 0x20c [0094.316] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x353fc90) returned 1 [0094.317] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x353fc90) returned 1 [0094.317] CloseHandle (hObject=0x20c) returned 1 [0094.317] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0094.318] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.318] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.318] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13dc) returned 0x20c [0094.318] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0094.318] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0094.318] CloseHandle (hObject=0x20c) returned 1 [0094.319] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0094.319] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.320] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.320] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13e4) returned 0x20c [0094.320] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x353fc90) returned 1 [0094.320] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x353fc90) returned 1 [0094.320] CloseHandle (hObject=0x20c) returned 1 [0094.320] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0094.321] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.321] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.321] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13ec) returned 0x20c [0094.321] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0094.322] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0094.322] CloseHandle (hObject=0x20c) returned 1 [0094.322] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0094.323] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.323] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.323] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13f4) returned 0x20c [0094.323] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0094.323] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0094.324] CloseHandle (hObject=0x20c) returned 1 [0094.324] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1098, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0094.325] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.325] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.325] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1098) returned 0x20c [0094.325] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x353fc90) returned 1 [0094.325] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x353fc90) returned 1 [0094.325] CloseHandle (hObject=0x20c) returned 1 [0094.325] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x13e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0094.376] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.376] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.376] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xad4) returned 0x20c [0094.376] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0094.376] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0094.376] CloseHandle (hObject=0x20c) returned 1 [0094.377] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x608, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x13cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0094.377] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.377] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.377] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x608) returned 0x20c [0094.378] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0094.378] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0094.378] CloseHandle (hObject=0x20c) returned 1 [0094.378] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xda8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xaac, pcPriClassBase=8, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0094.379] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.379] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.379] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xda8) returned 0x20c [0094.379] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpdwSize=0x353fc90) returned 1 [0094.379] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpdwSize=0x353fc90) returned 1 [0094.379] CloseHandle (hObject=0x20c) returned 1 [0094.380] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xaac, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0094.380] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.380] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.380] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x378) returned 0x20c [0094.380] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0094.381] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0094.381] CloseHandle (hObject=0x20c) returned 1 [0094.381] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x110c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0094.382] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.382] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.382] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x110c) returned 0x20c [0094.382] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x353fc90) returned 1 [0094.382] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x353fc90) returned 1 [0094.382] CloseHandle (hObject=0x20c) returned 1 [0094.382] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdd0064, th32DefaultHeapID=0xff01, th32ModuleID=0x53fa9c, cntThreads=0x353fa9c, th32ParentProcessID=0x1031000, pcPriClassBase=32, dwFlags=0x48, szExeFile="????p")) returned 0 [0094.383] CloseHandle (hObject=0x208) returned 1 [0094.383] Sleep (dwMilliseconds=0x1) [0094.440] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x353fd2c, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0094.440] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2e3a6e8, cbMultiByte=14, lpWideCharStr=0x353ee34, cchWideChar=2047 | out: lpWideCharStr="ccleaner64.exelplussvc.exe") returned 14 [0094.441] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ccleaner64.exe", cchWideChar=14, lpMultiByteStr=0x353eca8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ccleaner64.exe", lpUsedDefaultChar=0x0) returned 14 [0094.441] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x353fa9c, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0094.442] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x353eca4, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exener64.exe", lpUsedDefaultChar=0x0) returned 9 [0094.442] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x208 [0094.453] Process32First (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0094.453] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.453] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.454] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0094.455] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ccleaner64.exe", cchWideChar=14, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ccleaner64.exe", lpUsedDefaultChar=0x0) returned 14 [0094.455] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0094.455] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.456] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.456] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x20c [0094.456] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x353fc90) returned 0 [0094.456] GetLastError () returned 0x1f [0094.456] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x353fc90) returned 0 [0094.456] CloseHandle (hObject=0x20c) returned 1 [0094.463] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0094.464] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.464] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.464] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x20c [0094.464] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x353fc90) returned 1 [0094.464] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10185fc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x353fc90) returned 1 [0094.465] CloseHandle (hObject=0x20c) returned 1 [0094.465] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0094.465] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.465] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.465] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0094.466] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0094.466] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.466] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.466] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x20c [0094.466] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x353fc90) returned 1 [0094.466] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x353fc90) returned 1 [0094.467] CloseHandle (hObject=0x20c) returned 1 [0094.467] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0094.468] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.468] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.468] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0094.468] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0094.469] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.469] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.469] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x20c [0094.469] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x353fc90) returned 1 [0094.469] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x353fc90) returned 1 [0094.469] CloseHandle (hObject=0x20c) returned 1 [0094.470] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0094.470] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.470] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.470] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x20c [0094.470] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x353fc90) returned 1 [0094.471] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x353fc90) returned 1 [0094.471] CloseHandle (hObject=0x20c) returned 1 [0094.471] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0094.471] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.471] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.471] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x20c [0094.472] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x353fc90) returned 1 [0094.472] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101843c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x353fc90) returned 1 [0094.472] CloseHandle (hObject=0x20c) returned 1 [0094.472] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.473] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.473] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.473] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x20c [0094.473] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.473] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.473] CloseHandle (hObject=0x20c) returned 1 [0094.473] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0094.474] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.474] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.474] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0094.474] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0094.474] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.475] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.475] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0094.475] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.475] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.475] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.475] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x20c [0094.475] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.476] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.476] CloseHandle (hObject=0x20c) returned 1 [0094.476] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0094.476] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.477] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.477] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0094.477] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.477] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.477] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.477] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x20c [0094.477] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.478] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.478] CloseHandle (hObject=0x20c) returned 1 [0094.478] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x64, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.478] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.478] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.478] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x20c [0094.479] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.479] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.479] CloseHandle (hObject=0x20c) returned 1 [0094.479] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.480] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.480] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.480] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x20c [0094.480] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.480] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.480] CloseHandle (hObject=0x20c) returned 1 [0094.480] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.481] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.481] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.481] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x20c [0094.481] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.481] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.481] CloseHandle (hObject=0x20c) returned 1 [0094.481] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.482] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.482] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.482] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x20c [0094.482] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.533] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.533] CloseHandle (hObject=0x20c) returned 1 [0094.533] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.534] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.534] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.534] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x20c [0094.534] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.534] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.534] CloseHandle (hObject=0x20c) returned 1 [0094.534] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.535] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.535] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.535] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x20c [0094.535] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.535] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.536] CloseHandle (hObject=0x20c) returned 1 [0094.536] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.536] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.536] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.536] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x20c [0094.536] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.537] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.537] CloseHandle (hObject=0x20c) returned 1 [0094.537] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.537] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.537] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.537] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x20c [0094.537] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.538] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.538] CloseHandle (hObject=0x20c) returned 1 [0094.538] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.538] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.539] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.539] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x20c [0094.539] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.539] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.539] CloseHandle (hObject=0x20c) returned 1 [0094.539] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.540] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.540] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.540] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x20c [0094.540] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.540] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.540] CloseHandle (hObject=0x20c) returned 1 [0094.540] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0094.541] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.541] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.541] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x20c [0094.541] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x353fc90) returned 1 [0094.541] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x353fc90) returned 1 [0094.541] CloseHandle (hObject=0x20c) returned 1 [0094.541] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0094.542] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.542] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.542] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x20c [0094.542] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x353fc90) returned 1 [0094.542] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x353fc90) returned 1 [0094.542] CloseHandle (hObject=0x20c) returned 1 [0094.543] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0094.543] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.543] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.543] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x20c [0094.543] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x353fc90) returned 1 [0094.543] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x353fc90) returned 1 [0094.544] CloseHandle (hObject=0x20c) returned 1 [0094.544] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.544] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.544] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.544] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x20c [0094.544] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.545] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.545] CloseHandle (hObject=0x20c) returned 1 [0094.545] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0094.546] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.546] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.546] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x20c [0094.546] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0094.546] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0094.546] CloseHandle (hObject=0x20c) returned 1 [0094.546] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0094.547] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.547] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.547] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x20c [0094.547] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x353fc90) returned 1 [0094.547] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10185fc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x353fc90) returned 1 [0094.547] CloseHandle (hObject=0x20c) returned 1 [0094.547] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0094.548] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.548] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.548] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x20c [0094.548] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x353fc90) returned 1 [0094.548] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x353fc90) returned 1 [0094.548] CloseHandle (hObject=0x20c) returned 1 [0094.549] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0094.549] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.549] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.549] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x20c [0094.549] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 1 [0094.549] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 1 [0094.550] CloseHandle (hObject=0x20c) returned 1 [0094.550] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0094.550] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.550] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.550] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x20c [0094.550] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 0 [0094.551] GetLastError () returned 0x1f [0094.551] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 0 [0094.551] CloseHandle (hObject=0x20c) returned 1 [0094.562] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0094.563] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.563] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.563] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x20c [0094.563] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x353fc90) returned 1 [0094.563] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x353fc90) returned 1 [0094.563] CloseHandle (hObject=0x20c) returned 1 [0094.563] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0094.564] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.564] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.564] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x20c [0094.564] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x353fc90) returned 1 [0094.564] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x353fc90) returned 1 [0094.564] CloseHandle (hObject=0x20c) returned 1 [0094.564] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0094.565] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.565] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.565] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x20c [0094.565] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x353fc90) returned 1 [0094.565] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x353fc90) returned 1 [0094.566] CloseHandle (hObject=0x20c) returned 1 [0094.566] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0094.566] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.566] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.566] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0094.566] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0094.567] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.567] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.567] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0094.567] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0094.568] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.568] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.568] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x20c [0094.568] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.568] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0094.568] CloseHandle (hObject=0x20c) returned 1 [0094.568] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0094.569] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.569] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.569] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdec) returned 0x20c [0094.569] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x353fc90) returned 1 [0094.569] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x353fc90) returned 1 [0094.569] CloseHandle (hObject=0x20c) returned 1 [0094.569] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SppExtComObj.Exe")) returned 1 [0094.570] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.570] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.570] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1a4) returned 0x0 [0094.570] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="manufacturers.exe")) returned 1 [0094.571] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.571] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.571] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb14) returned 0x20c [0094.571] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\manufacturers.exe", lpdwSize=0x353fc90) returned 1 [0094.571] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\manufacturers.exe", lpdwSize=0x353fc90) returned 1 [0094.571] CloseHandle (hObject=0x20c) returned 1 [0094.571] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="posters struggle.exe")) returned 1 [0094.572] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.572] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.572] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb00) returned 0x20c [0094.572] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\posters struggle.exe", lpdwSize=0x353fc90) returned 1 [0094.572] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\posters struggle.exe", lpdwSize=0x353fc90) returned 1 [0094.572] CloseHandle (hObject=0x20c) returned 1 [0094.572] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x650, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="dnsreliablemovie.exe")) returned 1 [0094.573] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.573] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.573] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x650) returned 0x20c [0094.573] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\dnsreliablemovie.exe", lpdwSize=0x353fc90) returned 1 [0094.573] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\dnsreliablemovie.exe", lpdwSize=0x353fc90) returned 1 [0094.574] CloseHandle (hObject=0x20c) returned 1 [0094.574] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="uristackaluminum.exe")) returned 1 [0094.574] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.574] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.574] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf8) returned 0x20c [0094.574] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\uristackaluminum.exe", lpdwSize=0x353fc90) returned 1 [0094.575] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\uristackaluminum.exe", lpdwSize=0x353fc90) returned 1 [0094.575] CloseHandle (hObject=0x20c) returned 1 [0094.575] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="freedom.exe")) returned 1 [0094.575] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.575] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.575] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8a0) returned 0x20c [0094.576] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\freedom.exe", lpdwSize=0x353fc90) returned 1 [0094.576] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\freedom.exe", lpdwSize=0x353fc90) returned 1 [0094.576] CloseHandle (hObject=0x20c) returned 1 [0094.626] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="freedom.exe", cchWideChar=11, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="freedom.exeminum.exeexe", lpUsedDefaultChar=0x0) returned 11 [0094.627] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ccleaner64.exe", cchWideChar=14, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ccleaner64.exeeminum.exeexe", lpUsedDefaultChar=0x0) returned 14 [0094.627] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="discussion complement stretch.exe")) returned 1 [0094.628] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.628] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.628] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x20c [0094.628] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\discussion complement stretch.exe", lpdwSize=0x353fc90) returned 1 [0094.628] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\discussion complement stretch.exe", lpdwSize=0x353fc90) returned 1 [0094.629] CloseHandle (hObject=0x20c) returned 1 [0094.632] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="discussion complement stretch.exe", cchWideChar=33, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="discussion complement stretch.exe", lpUsedDefaultChar=0x0) returned 33 [0094.633] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ccleaner64.exe", cchWideChar=14, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ccleaner64.exe complement stretch.exe", lpUsedDefaultChar=0x0) returned 14 [0094.633] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="grantsfillingraises.exe")) returned 1 [0094.634] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.634] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.634] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe34) returned 0x20c [0094.634] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\grantsfillingraises.exe", lpdwSize=0x353fc90) returned 1 [0094.634] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\grantsfillingraises.exe", lpdwSize=0x353fc90) returned 1 [0094.634] CloseHandle (hObject=0x20c) returned 1 [0094.636] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="grantsfillingraises.exe", cchWideChar=23, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="grantsfillingraises.exetretch.exe", lpUsedDefaultChar=0x0) returned 23 [0094.638] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ccleaner64.exe", cchWideChar=14, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ccleaner64.exeingraises.exetretch.exe", lpUsedDefaultChar=0x0) returned 14 [0094.638] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="confused-periodic-returns.exe")) returned 1 [0094.638] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.638] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.638] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc98) returned 0x20c [0094.638] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\confused-periodic-returns.exe", lpdwSize=0x353fc90) returned 1 [0094.639] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\confused-periodic-returns.exe", lpdwSize=0x353fc90) returned 1 [0094.639] CloseHandle (hObject=0x20c) returned 1 [0094.640] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="song_vinyl_yours.exe")) returned 1 [0094.641] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.641] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.641] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf34) returned 0x20c [0094.641] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\song_vinyl_yours.exe", lpdwSize=0x353fc90) returned 1 [0094.641] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\song_vinyl_yours.exe", lpdwSize=0x353fc90) returned 1 [0094.642] CloseHandle (hObject=0x20c) returned 1 [0094.642] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="palmer-bugs.exe")) returned 1 [0094.642] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.643] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.643] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xee8) returned 0x20c [0094.643] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\palmer-bugs.exe", lpdwSize=0x353fc90) returned 1 [0094.643] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\palmer-bugs.exe", lpdwSize=0x353fc90) returned 1 [0094.643] CloseHandle (hObject=0x20c) returned 1 [0094.643] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="unlikely.exe")) returned 1 [0094.644] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.644] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.644] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa90) returned 0x20c [0094.644] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\unlikely.exe", lpdwSize=0x353fc90) returned 1 [0094.644] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\unlikely.exe", lpdwSize=0x353fc90) returned 1 [0094.644] CloseHandle (hObject=0x20c) returned 1 [0094.644] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="cambodia_alan.exe")) returned 1 [0094.645] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.645] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.645] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf00) returned 0x20c [0094.645] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\cambodia_alan.exe", lpdwSize=0x353fc90) returned 1 [0094.645] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\cambodia_alan.exe", lpdwSize=0x353fc90) returned 1 [0094.645] CloseHandle (hObject=0x20c) returned 1 [0094.646] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="powersellerauctions.exe")) returned 1 [0094.646] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.646] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.646] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4a4) returned 0x20c [0094.646] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\powersellerauctions.exe", lpdwSize=0x353fc90) returned 1 [0094.646] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\powersellerauctions.exe", lpdwSize=0x353fc90) returned 1 [0094.647] CloseHandle (hObject=0x20c) returned 1 [0094.647] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="supervisorswhats.exe")) returned 1 [0094.647] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.647] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.647] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf48) returned 0x20c [0094.647] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\supervisorswhats.exe", lpdwSize=0x353fc90) returned 1 [0094.648] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\supervisorswhats.exe", lpdwSize=0x353fc90) returned 1 [0094.648] CloseHandle (hObject=0x20c) returned 1 [0094.648] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="client-mathematical.exe")) returned 1 [0094.648] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.648] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.649] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf60) returned 0x20c [0094.649] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\client-mathematical.exe", lpdwSize=0x353fc90) returned 1 [0094.649] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\client-mathematical.exe", lpdwSize=0x353fc90) returned 1 [0094.649] CloseHandle (hObject=0x20c) returned 1 [0094.649] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="azresolve.exe")) returned 1 [0094.650] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.650] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.650] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdcc) returned 0x20c [0094.650] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\azresolve.exe", lpdwSize=0x353fc90) returned 1 [0094.650] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\azresolve.exe", lpdwSize=0x353fc90) returned 1 [0094.650] CloseHandle (hObject=0x20c) returned 1 [0094.650] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="shawscenic.exe")) returned 1 [0094.651] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.651] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.651] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x20c [0094.651] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\shawscenic.exe", lpdwSize=0x353fc90) returned 1 [0094.651] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\shawscenic.exe", lpdwSize=0x353fc90) returned 1 [0094.652] CloseHandle (hObject=0x20c) returned 1 [0094.652] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="illinois combo.exe")) returned 1 [0094.653] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.653] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.653] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x20c [0094.653] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Common Files\\illinois combo.exe", lpdwSize=0x353fc90) returned 1 [0094.653] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Common Files\\illinois combo.exe", lpdwSize=0x353fc90) returned 1 [0094.653] CloseHandle (hObject=0x20c) returned 1 [0094.653] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="dat_kenny_ladder.exe")) returned 1 [0094.655] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.655] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.655] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf18) returned 0x20c [0094.655] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\dat_kenny_ladder.exe", lpdwSize=0x353fc90) returned 1 [0094.655] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\dat_kenny_ladder.exe", lpdwSize=0x353fc90) returned 1 [0094.655] CloseHandle (hObject=0x20c) returned 1 [0094.655] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="plasma.exe")) returned 1 [0094.656] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.656] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.656] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfb4) returned 0x20c [0094.656] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Defender\\plasma.exe", lpdwSize=0x353fc90) returned 1 [0094.657] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Defender\\plasma.exe", lpdwSize=0x353fc90) returned 1 [0094.657] CloseHandle (hObject=0x20c) returned 1 [0094.657] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0094.658] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.658] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.658] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb78) returned 0x20c [0094.658] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\3dftp.exe", lpdwSize=0x353fc90) returned 1 [0094.658] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\3dftp.exe", lpdwSize=0x353fc90) returned 1 [0094.658] CloseHandle (hObject=0x20c) returned 1 [0094.658] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0094.659] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.659] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.659] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x20c [0094.660] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\absolutetelnet.exe", lpdwSize=0x353fc90) returned 1 [0094.660] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\absolutetelnet.exe", lpdwSize=0x353fc90) returned 1 [0094.660] CloseHandle (hObject=0x20c) returned 1 [0094.660] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xaf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0094.661] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.661] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.661] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xaf4) returned 0x20c [0094.661] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\alftp.exe", lpdwSize=0x353fc90) returned 1 [0094.661] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\alftp.exe", lpdwSize=0x353fc90) returned 1 [0094.662] CloseHandle (hObject=0x20c) returned 1 [0094.662] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0094.663] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.663] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.663] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xadc) returned 0x20c [0094.663] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\barca.exe", lpdwSize=0x353fc90) returned 1 [0094.663] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\barca.exe", lpdwSize=0x353fc90) returned 1 [0094.663] CloseHandle (hObject=0x20c) returned 1 [0094.663] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0094.664] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.664] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.664] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7f0) returned 0x20c [0094.664] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\bitkinex.exe", lpdwSize=0x353fc90) returned 1 [0094.665] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\bitkinex.exe", lpdwSize=0x353fc90) returned 1 [0094.665] CloseHandle (hObject=0x20c) returned 1 [0094.665] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0094.666] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.666] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.666] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb08) returned 0x20c [0094.666] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Internet Explorer\\coreftp.exe", lpdwSize=0x353fc90) returned 1 [0094.666] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Internet Explorer\\coreftp.exe", lpdwSize=0x353fc90) returned 1 [0094.666] CloseHandle (hObject=0x20c) returned 1 [0094.666] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0094.667] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.667] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.667] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf2c) returned 0x20c [0094.667] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\MSBuild\\far.exe", lpdwSize=0x353fc90) returned 1 [0094.668] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\MSBuild\\far.exe", lpdwSize=0x353fc90) returned 1 [0094.668] CloseHandle (hObject=0x20c) returned 1 [0094.668] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0094.669] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.669] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.669] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x384) returned 0x20c [0094.669] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\filezilla.exe", lpdwSize=0x353fc90) returned 1 [0094.669] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\filezilla.exe", lpdwSize=0x353fc90) returned 1 [0094.669] CloseHandle (hObject=0x20c) returned 1 [0094.669] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0094.721] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.721] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.721] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde0) returned 0x20c [0094.721] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\flashfxp.exe", lpdwSize=0x353fc90) returned 1 [0094.722] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\flashfxp.exe", lpdwSize=0x353fc90) returned 1 [0094.722] CloseHandle (hObject=0x20c) returned 1 [0094.722] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0094.723] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.723] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.723] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x790) returned 0x20c [0094.723] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\fling.exe", lpdwSize=0x353fc90) returned 1 [0094.724] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\fling.exe", lpdwSize=0x353fc90) returned 1 [0094.724] CloseHandle (hObject=0x20c) returned 1 [0094.724] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0094.725] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.725] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.725] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc14) returned 0x20c [0094.725] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\foxmailincmail.exe", lpdwSize=0x353fc90) returned 1 [0094.726] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\foxmailincmail.exe", lpdwSize=0x353fc90) returned 1 [0094.726] CloseHandle (hObject=0x20c) returned 1 [0094.726] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0094.727] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.727] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.727] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x20c [0094.727] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\gmailnotifierpro.exe", lpdwSize=0x353fc90) returned 1 [0094.728] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\gmailnotifierpro.exe", lpdwSize=0x353fc90) returned 1 [0094.728] CloseHandle (hObject=0x20c) returned 1 [0094.728] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0094.729] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.729] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.730] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1010) returned 0x20c [0094.730] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\icq.exe", lpdwSize=0x353fc90) returned 1 [0094.730] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\icq.exe", lpdwSize=0x353fc90) returned 1 [0094.730] CloseHandle (hObject=0x20c) returned 1 [0094.730] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1024, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0094.731] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.732] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.732] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1024) returned 0x20c [0094.732] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\leechftp.exe", lpdwSize=0x353fc90) returned 1 [0094.732] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\leechftp.exe", lpdwSize=0x353fc90) returned 1 [0094.732] CloseHandle (hObject=0x20c) returned 1 [0094.732] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1038, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0094.734] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.734] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.734] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1038) returned 0x20c [0094.734] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\ncftp.exe", lpdwSize=0x353fc90) returned 1 [0094.734] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\ncftp.exe", lpdwSize=0x353fc90) returned 1 [0094.734] CloseHandle (hObject=0x20c) returned 1 [0094.734] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0094.736] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.736] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.736] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x104c) returned 0x20c [0094.736] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0094.736] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0094.736] CloseHandle (hObject=0x20c) returned 1 [0094.736] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1060, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0094.738] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.738] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.738] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1060) returned 0x20c [0094.738] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\operamail.exe", lpdwSize=0x353fc90) returned 1 [0094.738] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\operamail.exe", lpdwSize=0x353fc90) returned 1 [0094.738] CloseHandle (hObject=0x20c) returned 1 [0094.738] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1074, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0094.740] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.740] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.740] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1074) returned 0x20c [0094.740] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\outlook.exe", lpdwSize=0x353fc90) returned 1 [0094.740] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\outlook.exe", lpdwSize=0x353fc90) returned 1 [0094.740] CloseHandle (hObject=0x20c) returned 1 [0094.740] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1088, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0094.742] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.742] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.742] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1088) returned 0x20c [0094.742] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\pidgin.exe", lpdwSize=0x353fc90) returned 1 [0094.742] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\pidgin.exe", lpdwSize=0x353fc90) returned 1 [0094.742] CloseHandle (hObject=0x20c) returned 1 [0094.742] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x109c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0094.744] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.744] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.744] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x109c) returned 0x20c [0094.744] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\scriptftp.exe", lpdwSize=0x353fc90) returned 1 [0094.744] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\scriptftp.exe", lpdwSize=0x353fc90) returned 1 [0094.744] CloseHandle (hObject=0x20c) returned 1 [0094.744] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0094.746] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.746] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.746] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b0) returned 0x20c [0094.746] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\skype.exe", lpdwSize=0x353fc90) returned 1 [0094.746] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\skype.exe", lpdwSize=0x353fc90) returned 1 [0094.746] CloseHandle (hObject=0x20c) returned 1 [0094.746] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0094.747] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.748] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.748] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10c4) returned 0x20c [0094.748] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x353fc90) returned 1 [0094.748] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x353fc90) returned 1 [0094.749] CloseHandle (hObject=0x20c) returned 1 [0094.749] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0094.750] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.750] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.750] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10d8) returned 0x20c [0094.750] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\thunderbird.exe", lpdwSize=0x353fc90) returned 1 [0094.750] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\thunderbird.exe", lpdwSize=0x353fc90) returned 1 [0094.750] CloseHandle (hObject=0x20c) returned 1 [0094.751] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0094.752] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.752] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.752] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10ec) returned 0x20c [0094.752] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\totalcmd.exe", lpdwSize=0x353fc90) returned 1 [0094.752] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\totalcmd.exe", lpdwSize=0x353fc90) returned 1 [0094.752] CloseHandle (hObject=0x20c) returned 1 [0094.752] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1100, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0094.754] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.754] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.754] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1100) returned 0x20c [0094.754] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\trillian.exe", lpdwSize=0x353fc90) returned 1 [0094.754] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\trillian.exe", lpdwSize=0x353fc90) returned 1 [0094.754] CloseHandle (hObject=0x20c) returned 1 [0094.754] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0094.755] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.756] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.756] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1114) returned 0x20c [0094.756] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\webdrive.exe", lpdwSize=0x353fc90) returned 1 [0094.756] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\webdrive.exe", lpdwSize=0x353fc90) returned 1 [0094.756] CloseHandle (hObject=0x20c) returned 1 [0094.756] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1128, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0094.757] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.757] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.758] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1128) returned 0x20c [0094.758] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\whatsapp.exe", lpdwSize=0x353fc90) returned 1 [0094.758] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\whatsapp.exe", lpdwSize=0x353fc90) returned 1 [0094.758] CloseHandle (hObject=0x20c) returned 1 [0094.758] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x113c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0094.759] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.759] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.759] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x113c) returned 0x20c [0094.759] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\winscp.exe", lpdwSize=0x353fc90) returned 1 [0094.760] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\winscp.exe", lpdwSize=0x353fc90) returned 1 [0094.760] CloseHandle (hObject=0x20c) returned 1 [0094.760] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0094.761] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.761] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.761] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x20c [0094.761] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Media Player\\yahoomessenger.exe", lpdwSize=0x353fc90) returned 1 [0094.762] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Media Player\\yahoomessenger.exe", lpdwSize=0x353fc90) returned 1 [0094.762] CloseHandle (hObject=0x20c) returned 1 [0094.762] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0094.763] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.763] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.763] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x20c [0094.763] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\active-charge.exe", lpdwSize=0x353fc90) returned 1 [0094.763] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\active-charge.exe", lpdwSize=0x353fc90) returned 1 [0094.815] CloseHandle (hObject=0x20c) returned 1 [0094.815] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0094.816] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.816] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.816] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x20c [0094.816] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\accupos.exe", lpdwSize=0x353fc90) returned 1 [0094.817] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\accupos.exe", lpdwSize=0x353fc90) returned 1 [0094.817] CloseHandle (hObject=0x20c) returned 1 [0094.817] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0094.818] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.818] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.818] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x20c [0094.818] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\afr38.exe", lpdwSize=0x353fc90) returned 1 [0094.818] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\afr38.exe", lpdwSize=0x353fc90) returned 1 [0094.818] CloseHandle (hObject=0x20c) returned 1 [0094.818] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0094.819] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.819] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.819] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x20c [0094.819] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\aldelo.exe", lpdwSize=0x353fc90) returned 1 [0094.819] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\aldelo.exe", lpdwSize=0x353fc90) returned 1 [0094.820] CloseHandle (hObject=0x20c) returned 1 [0094.820] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0094.821] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.821] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.821] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x20c [0094.821] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\ccv_server.exe", lpdwSize=0x353fc90) returned 1 [0094.821] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\ccv_server.exe", lpdwSize=0x353fc90) returned 1 [0094.821] CloseHandle (hObject=0x20c) returned 1 [0094.821] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0094.822] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.822] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.822] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x20c [0094.822] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\centralcreditcard.exe", lpdwSize=0x353fc90) returned 1 [0094.822] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\centralcreditcard.exe", lpdwSize=0x353fc90) returned 1 [0094.822] CloseHandle (hObject=0x20c) returned 1 [0094.822] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0094.823] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.823] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.823] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x20c [0094.823] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\creditservice.exe", lpdwSize=0x353fc90) returned 1 [0094.824] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\creditservice.exe", lpdwSize=0x353fc90) returned 1 [0094.824] CloseHandle (hObject=0x20c) returned 1 [0094.824] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0094.825] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.825] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.825] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x20c [0094.825] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\edcsvr.exe", lpdwSize=0x353fc90) returned 1 [0094.825] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\edcsvr.exe", lpdwSize=0x353fc90) returned 1 [0094.825] CloseHandle (hObject=0x20c) returned 1 [0094.825] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0094.826] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.826] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.826] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x20c [0094.826] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Sidebar\\fpos.exe", lpdwSize=0x353fc90) returned 1 [0094.827] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Sidebar\\fpos.exe", lpdwSize=0x353fc90) returned 1 [0094.827] CloseHandle (hObject=0x20c) returned 1 [0094.827] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0094.828] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.828] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.828] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x20c [0094.828] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Java\\isspos.exe", lpdwSize=0x353fc90) returned 1 [0094.828] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Java\\isspos.exe", lpdwSize=0x353fc90) returned 1 [0094.828] CloseHandle (hObject=0x20c) returned 1 [0094.828] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0094.829] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.829] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.829] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x20c [0094.829] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\mxslipstream.exe", lpdwSize=0x353fc90) returned 1 [0094.829] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\mxslipstream.exe", lpdwSize=0x353fc90) returned 1 [0094.829] CloseHandle (hObject=0x20c) returned 1 [0094.830] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0094.830] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.830] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.830] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x20c [0094.830] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\omnipos.exe", lpdwSize=0x353fc90) returned 1 [0094.831] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\omnipos.exe", lpdwSize=0x353fc90) returned 1 [0094.831] CloseHandle (hObject=0x20c) returned 1 [0094.831] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0094.832] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.832] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.832] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x20c [0094.832] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Uninstall Information\\spcwin.exe", lpdwSize=0x353fc90) returned 1 [0094.832] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Uninstall Information\\spcwin.exe", lpdwSize=0x353fc90) returned 1 [0094.832] CloseHandle (hObject=0x20c) returned 1 [0094.832] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0094.833] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.833] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.833] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x20c [0094.833] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\spgagentservice.exe", lpdwSize=0x353fc90) returned 1 [0094.833] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\spgagentservice.exe", lpdwSize=0x353fc90) returned 1 [0094.834] CloseHandle (hObject=0x20c) returned 1 [0094.834] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0094.834] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.834] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.834] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x20c [0094.834] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\utg2.exe", lpdwSize=0x353fc90) returned 1 [0094.835] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\utg2.exe", lpdwSize=0x353fc90) returned 1 [0094.835] CloseHandle (hObject=0x20c) returned 1 [0094.835] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare brown worth.exe")) returned 1 [0094.836] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.836] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.836] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x20c [0094.836] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\compare brown worth.exe", lpdwSize=0x353fc90) returned 1 [0094.836] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\compare brown worth.exe", lpdwSize=0x353fc90) returned 1 [0094.836] CloseHandle (hObject=0x20c) returned 1 [0094.836] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="purchase.exe")) returned 1 [0094.837] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.837] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.837] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12a4) returned 0x20c [0094.837] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\purchase.exe", lpdwSize=0x353fc90) returned 1 [0094.837] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\purchase.exe", lpdwSize=0x353fc90) returned 1 [0094.838] CloseHandle (hObject=0x20c) returned 1 [0094.838] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="timothy.exe")) returned 1 [0094.838] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.838] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.838] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b8) returned 0x20c [0094.838] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\timothy.exe", lpdwSize=0x353fc90) returned 1 [0094.839] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\timothy.exe", lpdwSize=0x353fc90) returned 1 [0094.839] CloseHandle (hObject=0x20c) returned 1 [0094.839] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="across-camel-teachers.exe")) returned 1 [0094.840] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.840] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.840] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12cc) returned 0x20c [0094.840] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\across-camel-teachers.exe", lpdwSize=0x353fc90) returned 1 [0094.840] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\across-camel-teachers.exe", lpdwSize=0x353fc90) returned 1 [0094.840] CloseHandle (hObject=0x20c) returned 1 [0094.840] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pst.exe")) returned 1 [0094.841] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.841] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.841] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12e0) returned 0x20c [0094.841] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\pst.exe", lpdwSize=0x353fc90) returned 1 [0094.841] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\pst.exe", lpdwSize=0x353fc90) returned 1 [0094.841] CloseHandle (hObject=0x20c) returned 1 [0094.842] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0094.843] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.843] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.843] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13bc) returned 0x20c [0094.843] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0094.843] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0094.843] CloseHandle (hObject=0x20c) returned 1 [0094.843] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0094.844] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.844] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.844] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13cc) returned 0x20c [0094.844] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x353fc90) returned 1 [0094.844] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x353fc90) returned 1 [0094.845] CloseHandle (hObject=0x20c) returned 1 [0094.845] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0094.845] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.845] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.845] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13dc) returned 0x20c [0094.845] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0094.846] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0094.846] CloseHandle (hObject=0x20c) returned 1 [0094.846] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0094.847] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.847] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.847] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13e4) returned 0x20c [0094.847] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x353fc90) returned 1 [0094.847] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x353fc90) returned 1 [0094.847] CloseHandle (hObject=0x20c) returned 1 [0094.847] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0094.848] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.848] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.848] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13ec) returned 0x20c [0094.848] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0094.848] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0094.848] CloseHandle (hObject=0x20c) returned 1 [0094.848] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0094.849] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.849] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.849] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13f4) returned 0x20c [0094.849] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0094.849] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0094.850] CloseHandle (hObject=0x20c) returned 1 [0094.850] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1098, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0094.850] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.850] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.850] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1098) returned 0x20c [0094.851] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x353fc90) returned 1 [0094.851] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x353fc90) returned 1 [0094.851] CloseHandle (hObject=0x20c) returned 1 [0094.851] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x13e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0094.852] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.852] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.852] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xad4) returned 0x20c [0094.852] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0094.852] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0094.852] CloseHandle (hObject=0x20c) returned 1 [0094.852] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x608, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x13cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0094.853] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.853] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.853] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x608) returned 0x20c [0094.853] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0094.853] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0094.853] CloseHandle (hObject=0x20c) returned 1 [0094.853] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xda8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xaac, pcPriClassBase=8, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0094.854] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.854] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.854] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xda8) returned 0x20c [0094.854] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpdwSize=0x353fc90) returned 1 [0094.854] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpdwSize=0x353fc90) returned 1 [0094.855] CloseHandle (hObject=0x20c) returned 1 [0094.855] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xaac, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0094.855] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.855] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.855] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x378) returned 0x20c [0094.855] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0094.856] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0094.856] CloseHandle (hObject=0x20c) returned 1 [0094.856] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x110c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0094.856] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0094.857] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0094.857] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x110c) returned 0x20c [0094.857] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x353fc90) returned 1 [0094.857] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x353fc90) returned 1 [0094.857] CloseHandle (hObject=0x20c) returned 1 [0094.857] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdd0064, th32DefaultHeapID=0xff01, th32ModuleID=0x53fa9c, cntThreads=0x353fa9c, th32ParentProcessID=0x1031000, pcPriClassBase=32, dwFlags=0x48, szExeFile="????p")) returned 0 [0094.940] CloseHandle (hObject=0x208) returned 1 [0094.940] Sleep (dwMilliseconds=0x1) [0094.989] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x353fd2c, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0094.989] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2e497b0, cbMultiByte=11, lpWideCharStr=0x353ee34, cchWideChar=2047 | out: lpWideCharStr="dbeng50.exeexelplussvc.exe") returned 11 [0094.991] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x353eca8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.exe?", lpUsedDefaultChar=0x0) returned 11 [0094.991] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x353fa9c, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0094.992] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x353eca4, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exe50.exe?", lpUsedDefaultChar=0x0) returned 9 [0094.992] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x208 [0095.005] Process32First (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0095.006] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.006] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.006] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0095.008] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.exe", lpUsedDefaultChar=0x0) returned 11 [0095.008] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0095.009] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.009] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.009] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x20c [0095.009] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x353fc90) returned 0 [0095.009] GetLastError () returned 0x1f [0095.009] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x353fc90) returned 0 [0095.009] CloseHandle (hObject=0x20c) returned 1 [0095.019] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0095.020] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.020] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.020] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x20c [0095.021] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x353fc90) returned 1 [0095.021] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101843c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x353fc90) returned 1 [0095.021] CloseHandle (hObject=0x20c) returned 1 [0095.021] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0095.022] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.022] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.022] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0095.022] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0095.023] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.023] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.023] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x20c [0095.023] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x353fc90) returned 1 [0095.024] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x353fc90) returned 1 [0095.024] CloseHandle (hObject=0x20c) returned 1 [0095.024] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0095.025] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.025] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.025] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0095.025] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0095.026] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.026] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.026] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x20c [0095.026] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x353fc90) returned 1 [0095.027] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x353fc90) returned 1 [0095.027] CloseHandle (hObject=0x20c) returned 1 [0095.027] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0095.028] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.028] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.028] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x20c [0095.028] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x353fc90) returned 1 [0095.028] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x353fc90) returned 1 [0095.029] CloseHandle (hObject=0x20c) returned 1 [0095.029] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0095.029] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.030] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.030] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x20c [0095.030] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x353fc90) returned 1 [0095.030] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10185fc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x353fc90) returned 1 [0095.030] CloseHandle (hObject=0x20c) returned 1 [0095.030] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.031] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.031] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.081] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x20c [0095.081] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.081] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.081] CloseHandle (hObject=0x20c) returned 1 [0095.082] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0095.082] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.083] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.083] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0095.083] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0095.084] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.084] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.084] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0095.084] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.085] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.085] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.085] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x20c [0095.085] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.085] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.085] CloseHandle (hObject=0x20c) returned 1 [0095.086] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0095.086] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.086] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.087] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0095.087] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.087] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.087] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.088] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x20c [0095.088] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.088] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.088] CloseHandle (hObject=0x20c) returned 1 [0095.088] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x64, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.089] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.089] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.089] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x20c [0095.089] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.090] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.090] CloseHandle (hObject=0x20c) returned 1 [0095.090] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.091] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.091] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.091] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x20c [0095.091] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.091] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.091] CloseHandle (hObject=0x20c) returned 1 [0095.092] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.093] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.093] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.093] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x20c [0095.093] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.093] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.093] CloseHandle (hObject=0x20c) returned 1 [0095.093] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.094] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.094] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.094] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x20c [0095.094] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.095] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.095] CloseHandle (hObject=0x20c) returned 1 [0095.095] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.095] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.095] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.096] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x20c [0095.096] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.096] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.096] CloseHandle (hObject=0x20c) returned 1 [0095.096] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.097] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.097] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.097] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x20c [0095.097] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.097] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.097] CloseHandle (hObject=0x20c) returned 1 [0095.097] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.098] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.098] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.098] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x20c [0095.098] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.098] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.099] CloseHandle (hObject=0x20c) returned 1 [0095.099] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.099] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.099] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.099] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x20c [0095.100] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.100] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.100] CloseHandle (hObject=0x20c) returned 1 [0095.100] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.101] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.101] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.101] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x20c [0095.101] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.101] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.102] CloseHandle (hObject=0x20c) returned 1 [0095.102] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.103] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.103] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.103] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x20c [0095.103] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.103] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.103] CloseHandle (hObject=0x20c) returned 1 [0095.103] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0095.104] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.104] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.104] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x20c [0095.104] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x353fc90) returned 1 [0095.105] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x353fc90) returned 1 [0095.105] CloseHandle (hObject=0x20c) returned 1 [0095.105] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0095.106] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.106] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.106] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x20c [0095.106] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x353fc90) returned 1 [0095.106] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x353fc90) returned 1 [0095.107] CloseHandle (hObject=0x20c) returned 1 [0095.107] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0095.108] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.108] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.108] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x20c [0095.109] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x353fc90) returned 1 [0095.109] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x353fc90) returned 1 [0095.109] CloseHandle (hObject=0x20c) returned 1 [0095.109] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.110] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.110] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.110] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x20c [0095.110] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.110] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.111] CloseHandle (hObject=0x20c) returned 1 [0095.111] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0095.112] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.112] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.112] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x20c [0095.112] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0095.112] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0095.112] CloseHandle (hObject=0x20c) returned 1 [0095.112] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0095.113] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.113] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.113] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x20c [0095.113] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x353fc90) returned 1 [0095.114] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101843c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x353fc90) returned 1 [0095.114] CloseHandle (hObject=0x20c) returned 1 [0095.114] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0095.115] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.115] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.115] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x20c [0095.115] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x353fc90) returned 1 [0095.115] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x353fc90) returned 1 [0095.116] CloseHandle (hObject=0x20c) returned 1 [0095.116] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0095.116] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.117] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.117] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x20c [0095.117] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 1 [0095.117] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 1 [0095.117] CloseHandle (hObject=0x20c) returned 1 [0095.117] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0095.118] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.118] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.118] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x20c [0095.118] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 0 [0095.118] GetLastError () returned 0x1f [0095.119] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 0 [0095.119] CloseHandle (hObject=0x20c) returned 1 [0095.181] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0095.182] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.182] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.182] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x20c [0095.182] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x353fc90) returned 1 [0095.183] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x353fc90) returned 1 [0095.183] CloseHandle (hObject=0x20c) returned 1 [0095.183] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0095.184] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.184] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.184] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x20c [0095.184] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x353fc90) returned 1 [0095.184] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x353fc90) returned 1 [0095.184] CloseHandle (hObject=0x20c) returned 1 [0095.184] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0095.185] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.185] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.185] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x20c [0095.186] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x353fc90) returned 1 [0095.186] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x353fc90) returned 1 [0095.186] CloseHandle (hObject=0x20c) returned 1 [0095.186] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0095.187] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.187] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.187] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0095.187] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0095.188] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.188] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.188] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0095.188] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0095.189] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.189] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.189] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x20c [0095.189] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.189] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0095.189] CloseHandle (hObject=0x20c) returned 1 [0095.189] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0095.190] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.190] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.190] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdec) returned 0x20c [0095.190] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x353fc90) returned 1 [0095.191] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x353fc90) returned 1 [0095.191] CloseHandle (hObject=0x20c) returned 1 [0095.191] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SppExtComObj.Exe")) returned 1 [0095.192] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.192] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.192] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1a4) returned 0x0 [0095.192] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="manufacturers.exe")) returned 1 [0095.193] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.193] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.193] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb14) returned 0x20c [0095.193] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\manufacturers.exe", lpdwSize=0x353fc90) returned 1 [0095.193] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\manufacturers.exe", lpdwSize=0x353fc90) returned 1 [0095.193] CloseHandle (hObject=0x20c) returned 1 [0095.193] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="posters struggle.exe")) returned 1 [0095.194] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.194] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.194] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb00) returned 0x20c [0095.194] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\posters struggle.exe", lpdwSize=0x353fc90) returned 1 [0095.195] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\posters struggle.exe", lpdwSize=0x353fc90) returned 1 [0095.195] CloseHandle (hObject=0x20c) returned 1 [0095.195] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x650, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="dnsreliablemovie.exe")) returned 1 [0095.196] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.196] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.196] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x650) returned 0x20c [0095.196] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\dnsreliablemovie.exe", lpdwSize=0x353fc90) returned 1 [0095.196] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\dnsreliablemovie.exe", lpdwSize=0x353fc90) returned 1 [0095.197] CloseHandle (hObject=0x20c) returned 1 [0095.197] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="uristackaluminum.exe")) returned 1 [0095.197] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.197] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.197] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf8) returned 0x20c [0095.197] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\uristackaluminum.exe", lpdwSize=0x353fc90) returned 1 [0095.198] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\uristackaluminum.exe", lpdwSize=0x353fc90) returned 1 [0095.198] CloseHandle (hObject=0x20c) returned 1 [0095.198] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="freedom.exe")) returned 1 [0095.198] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.199] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.199] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8a0) returned 0x20c [0095.199] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\freedom.exe", lpdwSize=0x353fc90) returned 1 [0095.199] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\freedom.exe", lpdwSize=0x353fc90) returned 1 [0095.200] CloseHandle (hObject=0x20c) returned 1 [0095.200] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="discussion complement stretch.exe")) returned 1 [0095.201] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.201] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.201] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x20c [0095.201] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\discussion complement stretch.exe", lpdwSize=0x353fc90) returned 1 [0095.201] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\discussion complement stretch.exe", lpdwSize=0x353fc90) returned 1 [0095.202] CloseHandle (hObject=0x20c) returned 1 [0095.202] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="grantsfillingraises.exe")) returned 1 [0095.203] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.203] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.203] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe34) returned 0x20c [0095.203] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\grantsfillingraises.exe", lpdwSize=0x353fc90) returned 1 [0095.203] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\grantsfillingraises.exe", lpdwSize=0x353fc90) returned 1 [0095.203] CloseHandle (hObject=0x20c) returned 1 [0095.203] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="confused-periodic-returns.exe")) returned 1 [0095.204] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.204] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.204] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc98) returned 0x20c [0095.204] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\confused-periodic-returns.exe", lpdwSize=0x353fc90) returned 1 [0095.204] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\confused-periodic-returns.exe", lpdwSize=0x353fc90) returned 1 [0095.205] CloseHandle (hObject=0x20c) returned 1 [0095.205] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="song_vinyl_yours.exe")) returned 1 [0095.206] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.206] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.206] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf34) returned 0x20c [0095.206] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\song_vinyl_yours.exe", lpdwSize=0x353fc90) returned 1 [0095.206] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\song_vinyl_yours.exe", lpdwSize=0x353fc90) returned 1 [0095.206] CloseHandle (hObject=0x20c) returned 1 [0095.206] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="palmer-bugs.exe")) returned 1 [0095.207] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.207] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.207] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xee8) returned 0x20c [0095.207] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\palmer-bugs.exe", lpdwSize=0x353fc90) returned 1 [0095.208] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\palmer-bugs.exe", lpdwSize=0x353fc90) returned 1 [0095.208] CloseHandle (hObject=0x20c) returned 1 [0095.208] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="unlikely.exe")) returned 1 [0095.209] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.209] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.209] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa90) returned 0x20c [0095.209] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\unlikely.exe", lpdwSize=0x353fc90) returned 1 [0095.209] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\unlikely.exe", lpdwSize=0x353fc90) returned 1 [0095.209] CloseHandle (hObject=0x20c) returned 1 [0095.210] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="cambodia_alan.exe")) returned 1 [0095.210] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.210] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.210] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf00) returned 0x20c [0095.211] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\cambodia_alan.exe", lpdwSize=0x353fc90) returned 1 [0095.211] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\cambodia_alan.exe", lpdwSize=0x353fc90) returned 1 [0095.211] CloseHandle (hObject=0x20c) returned 1 [0095.211] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="powersellerauctions.exe")) returned 1 [0095.212] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.212] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.212] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4a4) returned 0x20c [0095.212] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\powersellerauctions.exe", lpdwSize=0x353fc90) returned 1 [0095.212] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\powersellerauctions.exe", lpdwSize=0x353fc90) returned 1 [0095.213] CloseHandle (hObject=0x20c) returned 1 [0095.213] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="supervisorswhats.exe")) returned 1 [0095.213] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.213] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.214] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf48) returned 0x20c [0095.214] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\supervisorswhats.exe", lpdwSize=0x353fc90) returned 1 [0095.214] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\supervisorswhats.exe", lpdwSize=0x353fc90) returned 1 [0095.214] CloseHandle (hObject=0x20c) returned 1 [0095.214] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="client-mathematical.exe")) returned 1 [0095.215] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.215] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.215] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf60) returned 0x20c [0095.215] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\client-mathematical.exe", lpdwSize=0x353fc90) returned 1 [0095.215] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\client-mathematical.exe", lpdwSize=0x353fc90) returned 1 [0095.215] CloseHandle (hObject=0x20c) returned 1 [0095.215] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="azresolve.exe")) returned 1 [0095.216] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.216] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.216] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdcc) returned 0x20c [0095.216] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\azresolve.exe", lpdwSize=0x353fc90) returned 1 [0095.216] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\azresolve.exe", lpdwSize=0x353fc90) returned 1 [0095.217] CloseHandle (hObject=0x20c) returned 1 [0095.318] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="azresolve.exe", cchWideChar=13, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="azresolve.exeatical.exens.exe.exe", lpUsedDefaultChar=0x0) returned 13 [0095.319] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.exeve.exeatical.exens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0095.319] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="shawscenic.exe")) returned 1 [0095.320] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.320] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.320] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x20c [0095.321] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\shawscenic.exe", lpdwSize=0x353fc90) returned 1 [0095.321] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\shawscenic.exe", lpdwSize=0x353fc90) returned 1 [0095.321] CloseHandle (hObject=0x20c) returned 1 [0095.323] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="shawscenic.exe", cchWideChar=14, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="shawscenic.exetical.exens.exe.exe", lpUsedDefaultChar=0x0) returned 14 [0095.324] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.exenic.exetical.exens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0095.324] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="illinois combo.exe")) returned 1 [0095.326] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.327] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.327] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x20c [0095.327] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Common Files\\illinois combo.exe", lpdwSize=0x353fc90) returned 1 [0095.327] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Common Files\\illinois combo.exe", lpdwSize=0x353fc90) returned 1 [0095.327] CloseHandle (hObject=0x20c) returned 1 [0095.330] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="illinois combo.exe", cchWideChar=18, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="illinois combo.exel.exens.exe.exe", lpUsedDefaultChar=0x0) returned 18 [0095.331] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.exes combo.exel.exens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0095.331] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="dat_kenny_ladder.exe")) returned 1 [0095.333] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.333] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.333] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf18) returned 0x20c [0095.333] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\dat_kenny_ladder.exe", lpdwSize=0x353fc90) returned 1 [0095.333] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\dat_kenny_ladder.exe", lpdwSize=0x353fc90) returned 1 [0095.333] CloseHandle (hObject=0x20c) returned 1 [0095.336] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dat_kenny_ladder.exe", cchWideChar=20, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dat_kenny_ladder.exeexens.exe.exe", lpUsedDefaultChar=0x0) returned 20 [0095.337] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.exeny_ladder.exeexens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0095.337] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="plasma.exe")) returned 1 [0095.339] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.339] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.339] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfb4) returned 0x20c [0095.339] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Defender\\plasma.exe", lpdwSize=0x353fc90) returned 1 [0095.340] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Defender\\plasma.exe", lpdwSize=0x353fc90) returned 1 [0095.340] CloseHandle (hObject=0x20c) returned 1 [0095.341] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0095.342] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.342] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.342] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb78) returned 0x20c [0095.342] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\3dftp.exe", lpdwSize=0x353fc90) returned 1 [0095.343] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\3dftp.exe", lpdwSize=0x353fc90) returned 1 [0095.343] CloseHandle (hObject=0x20c) returned 1 [0095.344] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0095.345] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.345] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.345] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x20c [0095.345] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\absolutetelnet.exe", lpdwSize=0x353fc90) returned 1 [0095.345] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\absolutetelnet.exe", lpdwSize=0x353fc90) returned 1 [0095.346] CloseHandle (hObject=0x20c) returned 1 [0095.346] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xaf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0095.347] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.347] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.347] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xaf4) returned 0x20c [0095.347] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\alftp.exe", lpdwSize=0x353fc90) returned 1 [0095.347] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\alftp.exe", lpdwSize=0x353fc90) returned 1 [0095.348] CloseHandle (hObject=0x20c) returned 1 [0095.348] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0095.349] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.349] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.349] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xadc) returned 0x20c [0095.349] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\barca.exe", lpdwSize=0x353fc90) returned 1 [0095.350] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\barca.exe", lpdwSize=0x353fc90) returned 1 [0095.350] CloseHandle (hObject=0x20c) returned 1 [0095.350] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0095.351] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.351] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.351] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7f0) returned 0x20c [0095.351] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\bitkinex.exe", lpdwSize=0x353fc90) returned 1 [0095.352] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\bitkinex.exe", lpdwSize=0x353fc90) returned 1 [0095.352] CloseHandle (hObject=0x20c) returned 1 [0095.352] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0095.353] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.353] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.354] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb08) returned 0x20c [0095.354] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Internet Explorer\\coreftp.exe", lpdwSize=0x353fc90) returned 1 [0095.354] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Internet Explorer\\coreftp.exe", lpdwSize=0x353fc90) returned 1 [0095.354] CloseHandle (hObject=0x20c) returned 1 [0095.354] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0095.355] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.356] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.356] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf2c) returned 0x20c [0095.356] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\MSBuild\\far.exe", lpdwSize=0x353fc90) returned 1 [0095.356] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\MSBuild\\far.exe", lpdwSize=0x353fc90) returned 1 [0095.356] CloseHandle (hObject=0x20c) returned 1 [0095.356] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0095.445] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.445] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.445] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x384) returned 0x20c [0095.445] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\filezilla.exe", lpdwSize=0x353fc90) returned 1 [0095.446] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\filezilla.exe", lpdwSize=0x353fc90) returned 1 [0095.446] CloseHandle (hObject=0x20c) returned 1 [0095.446] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0095.447] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.448] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.448] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde0) returned 0x20c [0095.448] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\flashfxp.exe", lpdwSize=0x353fc90) returned 1 [0095.448] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\flashfxp.exe", lpdwSize=0x353fc90) returned 1 [0095.448] CloseHandle (hObject=0x20c) returned 1 [0095.448] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0095.450] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.450] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.450] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x790) returned 0x20c [0095.450] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\fling.exe", lpdwSize=0x353fc90) returned 1 [0095.450] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\fling.exe", lpdwSize=0x353fc90) returned 1 [0095.451] CloseHandle (hObject=0x20c) returned 1 [0095.451] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0095.452] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.453] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.453] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc14) returned 0x20c [0095.453] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\foxmailincmail.exe", lpdwSize=0x353fc90) returned 1 [0095.453] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\foxmailincmail.exe", lpdwSize=0x353fc90) returned 1 [0095.453] CloseHandle (hObject=0x20c) returned 1 [0095.453] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0095.455] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.455] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.455] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x20c [0095.455] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\gmailnotifierpro.exe", lpdwSize=0x353fc90) returned 1 [0095.455] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\gmailnotifierpro.exe", lpdwSize=0x353fc90) returned 1 [0095.455] CloseHandle (hObject=0x20c) returned 1 [0095.455] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0095.457] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.457] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.457] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1010) returned 0x20c [0095.457] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\icq.exe", lpdwSize=0x353fc90) returned 1 [0095.457] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\icq.exe", lpdwSize=0x353fc90) returned 1 [0095.457] CloseHandle (hObject=0x20c) returned 1 [0095.458] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1024, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0095.459] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.459] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.459] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1024) returned 0x20c [0095.459] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\leechftp.exe", lpdwSize=0x353fc90) returned 1 [0095.459] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\leechftp.exe", lpdwSize=0x353fc90) returned 1 [0095.460] CloseHandle (hObject=0x20c) returned 1 [0095.460] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1038, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0095.461] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.461] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.461] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1038) returned 0x20c [0095.461] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\ncftp.exe", lpdwSize=0x353fc90) returned 1 [0095.462] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\ncftp.exe", lpdwSize=0x353fc90) returned 1 [0095.462] CloseHandle (hObject=0x20c) returned 1 [0095.462] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0095.463] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.463] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.463] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x104c) returned 0x20c [0095.463] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0095.464] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0095.464] CloseHandle (hObject=0x20c) returned 1 [0095.464] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1060, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0095.465] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.465] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.465] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1060) returned 0x20c [0095.466] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\operamail.exe", lpdwSize=0x353fc90) returned 1 [0095.466] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\operamail.exe", lpdwSize=0x353fc90) returned 1 [0095.466] CloseHandle (hObject=0x20c) returned 1 [0095.466] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1074, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0095.469] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.469] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.469] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1074) returned 0x20c [0095.469] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\outlook.exe", lpdwSize=0x353fc90) returned 1 [0095.469] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\outlook.exe", lpdwSize=0x353fc90) returned 1 [0095.469] CloseHandle (hObject=0x20c) returned 1 [0095.469] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1088, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0095.471] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.471] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.471] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1088) returned 0x20c [0095.471] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\pidgin.exe", lpdwSize=0x353fc90) returned 1 [0095.471] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\pidgin.exe", lpdwSize=0x353fc90) returned 1 [0095.472] CloseHandle (hObject=0x20c) returned 1 [0095.472] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x109c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0095.473] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.473] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.473] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x109c) returned 0x20c [0095.473] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\scriptftp.exe", lpdwSize=0x353fc90) returned 1 [0095.473] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\scriptftp.exe", lpdwSize=0x353fc90) returned 1 [0095.474] CloseHandle (hObject=0x20c) returned 1 [0095.474] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0095.475] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.475] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.475] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b0) returned 0x20c [0095.475] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\skype.exe", lpdwSize=0x353fc90) returned 1 [0095.476] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\skype.exe", lpdwSize=0x353fc90) returned 1 [0095.476] CloseHandle (hObject=0x20c) returned 1 [0095.476] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0095.477] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.477] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.477] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10c4) returned 0x20c [0095.477] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x353fc90) returned 1 [0095.478] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x353fc90) returned 1 [0095.478] CloseHandle (hObject=0x20c) returned 1 [0095.478] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0095.479] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.479] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.479] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10d8) returned 0x20c [0095.479] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\thunderbird.exe", lpdwSize=0x353fc90) returned 1 [0095.480] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\thunderbird.exe", lpdwSize=0x353fc90) returned 1 [0095.480] CloseHandle (hObject=0x20c) returned 1 [0095.480] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0095.481] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.481] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.481] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10ec) returned 0x20c [0095.481] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\totalcmd.exe", lpdwSize=0x353fc90) returned 1 [0095.481] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\totalcmd.exe", lpdwSize=0x353fc90) returned 1 [0095.481] CloseHandle (hObject=0x20c) returned 1 [0095.481] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1100, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0095.534] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.534] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.534] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1100) returned 0x20c [0095.534] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\trillian.exe", lpdwSize=0x353fc90) returned 1 [0095.535] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\trillian.exe", lpdwSize=0x353fc90) returned 1 [0095.535] CloseHandle (hObject=0x20c) returned 1 [0095.535] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0095.536] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.536] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.537] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1114) returned 0x20c [0095.537] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\webdrive.exe", lpdwSize=0x353fc90) returned 1 [0095.537] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\webdrive.exe", lpdwSize=0x353fc90) returned 1 [0095.537] CloseHandle (hObject=0x20c) returned 1 [0095.537] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1128, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0095.538] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.538] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.538] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1128) returned 0x20c [0095.539] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\whatsapp.exe", lpdwSize=0x353fc90) returned 1 [0095.539] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\whatsapp.exe", lpdwSize=0x353fc90) returned 1 [0095.539] CloseHandle (hObject=0x20c) returned 1 [0095.539] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x113c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0095.540] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.540] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.540] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x113c) returned 0x20c [0095.540] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\winscp.exe", lpdwSize=0x353fc90) returned 1 [0095.541] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\winscp.exe", lpdwSize=0x353fc90) returned 1 [0095.541] CloseHandle (hObject=0x20c) returned 1 [0095.541] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0095.542] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.542] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.542] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x20c [0095.542] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Media Player\\yahoomessenger.exe", lpdwSize=0x353fc90) returned 1 [0095.543] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Media Player\\yahoomessenger.exe", lpdwSize=0x353fc90) returned 1 [0095.543] CloseHandle (hObject=0x20c) returned 1 [0095.543] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0095.544] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.544] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.544] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x20c [0095.544] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\active-charge.exe", lpdwSize=0x353fc90) returned 1 [0095.544] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\active-charge.exe", lpdwSize=0x353fc90) returned 1 [0095.545] CloseHandle (hObject=0x20c) returned 1 [0095.546] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="active-charge.exe", cchWideChar=17, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="active-charge.exeexeexens.exe.exe", lpUsedDefaultChar=0x0) returned 17 [0095.547] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.execharge.exeexeexens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0095.547] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0095.548] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.549] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.549] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x20c [0095.549] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\accupos.exe", lpdwSize=0x353fc90) returned 1 [0095.549] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\accupos.exe", lpdwSize=0x353fc90) returned 1 [0095.549] CloseHandle (hObject=0x20c) returned 1 [0095.551] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="accupos.exe", cchWideChar=11, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="accupos.exege.exeexeexens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0095.552] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.exe.exege.exeexeexens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0095.552] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0095.553] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.553] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.553] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x20c [0095.553] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\afr38.exe", lpdwSize=0x353fc90) returned 1 [0095.554] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\afr38.exe", lpdwSize=0x353fc90) returned 1 [0095.554] CloseHandle (hObject=0x20c) returned 1 [0095.555] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="afr38.exe", cchWideChar=9, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="afr38.exexege.exeexeexens.exe.exe", lpUsedDefaultChar=0x0) returned 9 [0095.556] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.exexexege.exeexeexens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0095.556] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0095.557] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.557] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.557] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x20c [0095.557] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\aldelo.exe", lpdwSize=0x353fc90) returned 1 [0095.557] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\aldelo.exe", lpdwSize=0x353fc90) returned 1 [0095.558] CloseHandle (hObject=0x20c) returned 1 [0095.559] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="aldelo.exe", cchWideChar=10, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="aldelo.exeege.exeexeexens.exe.exe", lpUsedDefaultChar=0x0) returned 10 [0095.560] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.exeexeege.exeexeexens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0095.560] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0095.561] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.561] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.561] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x20c [0095.562] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\ccv_server.exe", lpdwSize=0x353fc90) returned 1 [0095.562] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\ccv_server.exe", lpdwSize=0x353fc90) returned 1 [0095.562] CloseHandle (hObject=0x20c) returned 1 [0095.563] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ccv_server.exe", cchWideChar=14, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ccv_server.exeexeexeexens.exe.exe", lpUsedDefaultChar=0x0) returned 14 [0095.565] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.exever.exeexeexeexens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0095.565] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0095.566] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.566] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.566] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x20c [0095.566] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\centralcreditcard.exe", lpdwSize=0x353fc90) returned 1 [0095.566] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\centralcreditcard.exe", lpdwSize=0x353fc90) returned 1 [0095.566] CloseHandle (hObject=0x20c) returned 1 [0095.567] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0095.568] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.568] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.568] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x20c [0095.568] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\creditservice.exe", lpdwSize=0x353fc90) returned 1 [0095.569] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\creditservice.exe", lpdwSize=0x353fc90) returned 1 [0095.569] CloseHandle (hObject=0x20c) returned 1 [0095.569] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0095.570] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.570] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.570] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x20c [0095.570] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\edcsvr.exe", lpdwSize=0x353fc90) returned 1 [0095.571] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\edcsvr.exe", lpdwSize=0x353fc90) returned 1 [0095.571] CloseHandle (hObject=0x20c) returned 1 [0095.571] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0095.572] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.572] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.572] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x20c [0095.572] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Sidebar\\fpos.exe", lpdwSize=0x353fc90) returned 1 [0095.572] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Sidebar\\fpos.exe", lpdwSize=0x353fc90) returned 1 [0095.573] CloseHandle (hObject=0x20c) returned 1 [0095.573] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0095.573] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.573] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.574] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x20c [0095.574] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Java\\isspos.exe", lpdwSize=0x353fc90) returned 1 [0095.574] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Java\\isspos.exe", lpdwSize=0x353fc90) returned 1 [0095.574] CloseHandle (hObject=0x20c) returned 1 [0095.574] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0095.575] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.575] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.575] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x20c [0095.575] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\mxslipstream.exe", lpdwSize=0x353fc90) returned 1 [0095.575] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\mxslipstream.exe", lpdwSize=0x353fc90) returned 1 [0095.575] CloseHandle (hObject=0x20c) returned 1 [0095.575] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0095.628] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.628] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.628] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x20c [0095.628] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\omnipos.exe", lpdwSize=0x353fc90) returned 1 [0095.629] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\omnipos.exe", lpdwSize=0x353fc90) returned 1 [0095.629] CloseHandle (hObject=0x20c) returned 1 [0095.629] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0095.630] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.630] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.630] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x20c [0095.630] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Uninstall Information\\spcwin.exe", lpdwSize=0x353fc90) returned 1 [0095.630] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Uninstall Information\\spcwin.exe", lpdwSize=0x353fc90) returned 1 [0095.630] CloseHandle (hObject=0x20c) returned 1 [0095.630] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0095.631] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.631] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.631] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x20c [0095.631] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\spgagentservice.exe", lpdwSize=0x353fc90) returned 1 [0095.632] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\spgagentservice.exe", lpdwSize=0x353fc90) returned 1 [0095.632] CloseHandle (hObject=0x20c) returned 1 [0095.632] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0095.633] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.633] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.633] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x20c [0095.633] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\utg2.exe", lpdwSize=0x353fc90) returned 1 [0095.633] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\utg2.exe", lpdwSize=0x353fc90) returned 1 [0095.633] CloseHandle (hObject=0x20c) returned 1 [0095.633] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare brown worth.exe")) returned 1 [0095.634] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.634] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.634] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x20c [0095.634] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\compare brown worth.exe", lpdwSize=0x353fc90) returned 1 [0095.635] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\compare brown worth.exe", lpdwSize=0x353fc90) returned 1 [0095.635] CloseHandle (hObject=0x20c) returned 1 [0095.635] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="purchase.exe")) returned 1 [0095.636] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.636] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.636] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12a4) returned 0x20c [0095.636] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\purchase.exe", lpdwSize=0x353fc90) returned 1 [0095.637] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\purchase.exe", lpdwSize=0x353fc90) returned 1 [0095.637] CloseHandle (hObject=0x20c) returned 1 [0095.637] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="timothy.exe")) returned 1 [0095.638] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.638] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.638] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b8) returned 0x20c [0095.638] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\timothy.exe", lpdwSize=0x353fc90) returned 1 [0095.639] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\timothy.exe", lpdwSize=0x353fc90) returned 1 [0095.639] CloseHandle (hObject=0x20c) returned 1 [0095.641] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="timothy.exe", cchWideChar=11, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="timothy.exeen worth.exens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0095.642] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.exe.exeen worth.exens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0095.642] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="across-camel-teachers.exe")) returned 1 [0095.643] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.643] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.643] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12cc) returned 0x20c [0095.643] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\across-camel-teachers.exe", lpdwSize=0x353fc90) returned 1 [0095.644] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\across-camel-teachers.exe", lpdwSize=0x353fc90) returned 1 [0095.644] CloseHandle (hObject=0x20c) returned 1 [0095.647] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="across-camel-teachers.exe", cchWideChar=25, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="across-camel-teachers.exe.exe.exe", lpUsedDefaultChar=0x0) returned 25 [0095.649] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.execamel-teachers.exe.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0095.649] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pst.exe")) returned 1 [0095.650] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.650] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.650] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12e0) returned 0x20c [0095.650] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\pst.exe", lpdwSize=0x353fc90) returned 1 [0095.651] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\pst.exe", lpdwSize=0x353fc90) returned 1 [0095.651] CloseHandle (hObject=0x20c) returned 1 [0095.652] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="pst.exe", cchWideChar=7, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pst.execamel-teachers.exe.exe.exe", lpUsedDefaultChar=0x0) returned 7 [0095.653] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.execamel-teachers.exe.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0095.653] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0095.654] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.654] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.654] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13bc) returned 0x20c [0095.654] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0095.655] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0095.655] CloseHandle (hObject=0x20c) returned 1 [0095.657] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="taskhostw.exe", cchWideChar=13, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskhostw.exeteachers.exe.exe.exe", lpUsedDefaultChar=0x0) returned 13 [0095.658] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.exetw.exeteachers.exe.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0095.658] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0095.659] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.659] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.659] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13cc) returned 0x20c [0095.659] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x353fc90) returned 1 [0095.659] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x353fc90) returned 1 [0095.660] CloseHandle (hObject=0x20c) returned 1 [0095.661] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0095.662] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.662] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.662] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13dc) returned 0x20c [0095.662] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0095.663] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0095.663] CloseHandle (hObject=0x20c) returned 1 [0095.663] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0095.664] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.664] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.664] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13e4) returned 0x20c [0095.664] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x353fc90) returned 1 [0095.665] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x353fc90) returned 1 [0095.665] CloseHandle (hObject=0x20c) returned 1 [0095.665] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0095.666] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.666] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.666] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13ec) returned 0x20c [0095.666] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0095.666] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0095.666] CloseHandle (hObject=0x20c) returned 1 [0095.667] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0095.667] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.667] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.667] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13f4) returned 0x20c [0095.668] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0095.668] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0095.668] CloseHandle (hObject=0x20c) returned 1 [0095.668] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1098, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0095.669] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.669] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.669] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1098) returned 0x20c [0095.669] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x353fc90) returned 1 [0095.669] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x353fc90) returned 1 [0095.670] CloseHandle (hObject=0x20c) returned 1 [0095.789] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x13e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0095.790] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.790] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.790] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xad4) returned 0x20c [0095.791] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0095.791] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0095.791] CloseHandle (hObject=0x20c) returned 1 [0095.791] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x608, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x13cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0095.792] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.792] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.792] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x608) returned 0x20c [0095.792] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0095.793] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0095.793] CloseHandle (hObject=0x20c) returned 1 [0095.793] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xda8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xaac, pcPriClassBase=8, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0095.794] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.794] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.794] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xda8) returned 0x20c [0095.794] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpdwSize=0x353fc90) returned 1 [0095.794] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpdwSize=0x353fc90) returned 1 [0095.795] CloseHandle (hObject=0x20c) returned 1 [0095.795] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xaac, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0095.796] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.796] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.796] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x378) returned 0x20c [0095.796] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0095.797] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0095.797] CloseHandle (hObject=0x20c) returned 1 [0095.797] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x110c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0095.798] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0095.798] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0095.798] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x110c) returned 0x20c [0095.798] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x353fc90) returned 1 [0095.798] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x353fc90) returned 1 [0095.798] CloseHandle (hObject=0x20c) returned 1 [0095.799] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdd0064, th32DefaultHeapID=0xff01, th32ModuleID=0x53fa9c, cntThreads=0x353fa9c, th32ParentProcessID=0x1031000, pcPriClassBase=32, dwFlags=0x48, szExeFile="????p")) returned 0 [0095.799] CloseHandle (hObject=0x208) returned 1 [0095.800] Sleep (dwMilliseconds=0x1) [0095.927] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x353fd2c, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0095.927] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2e497c8, cbMultiByte=10, lpWideCharStr=0x353ee34, cchWideChar=2047 | out: lpWideCharStr="dbsnmp.exeeexelplussvc.exe") returned 10 [0095.928] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbsnmp.exe", cchWideChar=10, lpMultiByteStr=0x353eca8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbsnmp.exe??", lpUsedDefaultChar=0x0) returned 10 [0095.928] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x353fa9c, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0095.930] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x353eca4, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exep.exe??", lpUsedDefaultChar=0x0) returned 9 [0095.930] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x208 [0096.001] Process32First (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0096.002] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.002] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.002] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0096.003] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbsnmp.exe", cchWideChar=10, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbsnmp.exe", lpUsedDefaultChar=0x0) returned 10 [0096.003] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0096.004] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.004] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.004] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x20c [0096.004] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x353fc90) returned 0 [0096.004] GetLastError () returned 0x1f [0096.005] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x353fc90) returned 0 [0096.005] CloseHandle (hObject=0x20c) returned 1 [0096.018] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0096.019] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.019] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.019] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x20c [0096.019] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x353fc90) returned 1 [0096.020] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10185fc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x353fc90) returned 1 [0096.020] CloseHandle (hObject=0x20c) returned 1 [0096.020] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0096.021] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.021] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.021] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0096.021] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0096.022] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.022] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.022] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x20c [0096.022] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x353fc90) returned 1 [0096.022] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x353fc90) returned 1 [0096.022] CloseHandle (hObject=0x20c) returned 1 [0096.023] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0096.023] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.023] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.023] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0096.023] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0096.024] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.024] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.024] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x20c [0096.024] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x353fc90) returned 1 [0096.025] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x353fc90) returned 1 [0096.025] CloseHandle (hObject=0x20c) returned 1 [0096.025] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0096.026] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.026] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.026] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x20c [0096.026] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x353fc90) returned 1 [0096.026] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x353fc90) returned 1 [0096.026] CloseHandle (hObject=0x20c) returned 1 [0096.026] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0096.027] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.027] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.027] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x20c [0096.027] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x353fc90) returned 1 [0096.027] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101843c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x353fc90) returned 1 [0096.028] CloseHandle (hObject=0x20c) returned 1 [0096.028] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.028] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.028] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.028] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x20c [0096.028] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.029] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.029] CloseHandle (hObject=0x20c) returned 1 [0096.029] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0096.031] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.031] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.031] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0096.031] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0096.032] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.032] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.032] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0096.032] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.033] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.033] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.033] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x20c [0096.033] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.033] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.033] CloseHandle (hObject=0x20c) returned 1 [0096.033] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0096.034] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.034] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.034] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0096.034] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.035] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.035] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.035] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x20c [0096.035] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.035] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.040] CloseHandle (hObject=0x20c) returned 1 [0096.040] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x64, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.041] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.041] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.041] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x20c [0096.041] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.042] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.042] CloseHandle (hObject=0x20c) returned 1 [0096.042] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.042] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.043] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.043] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x20c [0096.043] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.043] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.043] CloseHandle (hObject=0x20c) returned 1 [0096.043] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.044] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.044] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.044] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x20c [0096.044] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.044] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.044] CloseHandle (hObject=0x20c) returned 1 [0096.045] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.099] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.099] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.100] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x20c [0096.100] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.100] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.100] CloseHandle (hObject=0x20c) returned 1 [0096.100] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.101] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.101] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.101] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x20c [0096.101] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.101] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.102] CloseHandle (hObject=0x20c) returned 1 [0096.102] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.102] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.102] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.102] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x20c [0096.102] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.103] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.103] CloseHandle (hObject=0x20c) returned 1 [0096.103] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.104] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.104] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.104] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x20c [0096.104] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.104] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.104] CloseHandle (hObject=0x20c) returned 1 [0096.104] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.105] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.105] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.105] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x20c [0096.105] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.105] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.106] CloseHandle (hObject=0x20c) returned 1 [0096.106] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.106] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.106] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.106] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x20c [0096.106] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.107] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.107] CloseHandle (hObject=0x20c) returned 1 [0096.107] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.108] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.108] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.108] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x20c [0096.108] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.108] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.108] CloseHandle (hObject=0x20c) returned 1 [0096.109] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0096.109] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.109] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.109] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x20c [0096.109] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x353fc90) returned 1 [0096.110] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x353fc90) returned 1 [0096.110] CloseHandle (hObject=0x20c) returned 1 [0096.110] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0096.111] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.111] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.111] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x20c [0096.111] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x353fc90) returned 1 [0096.111] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x353fc90) returned 1 [0096.111] CloseHandle (hObject=0x20c) returned 1 [0096.111] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0096.112] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.112] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.112] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x20c [0096.112] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x353fc90) returned 1 [0096.112] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x353fc90) returned 1 [0096.113] CloseHandle (hObject=0x20c) returned 1 [0096.113] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.113] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.113] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.113] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x20c [0096.113] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.114] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.114] CloseHandle (hObject=0x20c) returned 1 [0096.114] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0096.114] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.115] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.115] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x20c [0096.115] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0096.115] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0096.115] CloseHandle (hObject=0x20c) returned 1 [0096.115] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0096.116] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.116] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.116] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x20c [0096.116] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x353fc90) returned 1 [0096.116] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10185fc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x353fc90) returned 1 [0096.116] CloseHandle (hObject=0x20c) returned 1 [0096.116] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0096.117] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.117] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.117] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x20c [0096.117] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x353fc90) returned 1 [0096.118] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x353fc90) returned 1 [0096.118] CloseHandle (hObject=0x20c) returned 1 [0096.118] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0096.118] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.118] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.119] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x20c [0096.119] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 1 [0096.119] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 1 [0096.119] CloseHandle (hObject=0x20c) returned 1 [0096.119] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0096.120] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.120] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.120] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x20c [0096.120] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 0 [0096.120] GetLastError () returned 0x1f [0096.120] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 0 [0096.120] CloseHandle (hObject=0x20c) returned 1 [0096.134] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0096.135] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.135] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.135] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x20c [0096.135] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x353fc90) returned 1 [0096.135] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x353fc90) returned 1 [0096.136] CloseHandle (hObject=0x20c) returned 1 [0096.136] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0096.136] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.136] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.137] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x20c [0096.137] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x353fc90) returned 1 [0096.137] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x353fc90) returned 1 [0096.137] CloseHandle (hObject=0x20c) returned 1 [0096.137] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0096.138] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.138] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.138] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x20c [0096.138] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x353fc90) returned 1 [0096.139] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x353fc90) returned 1 [0096.139] CloseHandle (hObject=0x20c) returned 1 [0096.139] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0096.193] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.193] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.193] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0096.193] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0096.194] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.194] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.194] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0096.194] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.195] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.195] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.195] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x20c [0096.195] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.195] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.195] CloseHandle (hObject=0x20c) returned 1 [0096.195] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0096.196] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.196] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.196] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdec) returned 0x20c [0096.196] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x353fc90) returned 1 [0096.197] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x353fc90) returned 1 [0096.197] CloseHandle (hObject=0x20c) returned 1 [0096.197] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SppExtComObj.Exe")) returned 1 [0096.197] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.198] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.198] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1a4) returned 0x0 [0096.198] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="manufacturers.exe")) returned 1 [0096.198] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.198] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.198] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb14) returned 0x20c [0096.198] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\manufacturers.exe", lpdwSize=0x353fc90) returned 1 [0096.199] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\manufacturers.exe", lpdwSize=0x353fc90) returned 1 [0096.199] CloseHandle (hObject=0x20c) returned 1 [0096.199] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="posters struggle.exe")) returned 1 [0096.200] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.200] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.200] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb00) returned 0x20c [0096.200] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\posters struggle.exe", lpdwSize=0x353fc90) returned 1 [0096.200] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\posters struggle.exe", lpdwSize=0x353fc90) returned 1 [0096.201] CloseHandle (hObject=0x20c) returned 1 [0096.201] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x650, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="dnsreliablemovie.exe")) returned 1 [0096.202] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.202] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.202] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x650) returned 0x20c [0096.202] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\dnsreliablemovie.exe", lpdwSize=0x353fc90) returned 1 [0096.203] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\dnsreliablemovie.exe", lpdwSize=0x353fc90) returned 1 [0096.203] CloseHandle (hObject=0x20c) returned 1 [0096.203] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="uristackaluminum.exe")) returned 1 [0096.204] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.204] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.204] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf8) returned 0x20c [0096.204] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\uristackaluminum.exe", lpdwSize=0x353fc90) returned 1 [0096.205] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\uristackaluminum.exe", lpdwSize=0x353fc90) returned 1 [0096.205] CloseHandle (hObject=0x20c) returned 1 [0096.205] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="freedom.exe")) returned 1 [0096.206] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.206] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.206] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8a0) returned 0x20c [0096.206] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\freedom.exe", lpdwSize=0x353fc90) returned 1 [0096.206] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\freedom.exe", lpdwSize=0x353fc90) returned 1 [0096.206] CloseHandle (hObject=0x20c) returned 1 [0096.206] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="discussion complement stretch.exe")) returned 1 [0096.207] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.207] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.207] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x20c [0096.207] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\discussion complement stretch.exe", lpdwSize=0x353fc90) returned 1 [0096.208] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\discussion complement stretch.exe", lpdwSize=0x353fc90) returned 1 [0096.208] CloseHandle (hObject=0x20c) returned 1 [0096.208] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="grantsfillingraises.exe")) returned 1 [0096.209] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.209] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.209] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe34) returned 0x20c [0096.209] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\grantsfillingraises.exe", lpdwSize=0x353fc90) returned 1 [0096.209] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\grantsfillingraises.exe", lpdwSize=0x353fc90) returned 1 [0096.209] CloseHandle (hObject=0x20c) returned 1 [0096.209] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="confused-periodic-returns.exe")) returned 1 [0096.210] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.210] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.210] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc98) returned 0x20c [0096.210] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\confused-periodic-returns.exe", lpdwSize=0x353fc90) returned 1 [0096.210] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\confused-periodic-returns.exe", lpdwSize=0x353fc90) returned 1 [0096.211] CloseHandle (hObject=0x20c) returned 1 [0096.211] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="song_vinyl_yours.exe")) returned 1 [0096.211] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.211] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.211] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf34) returned 0x20c [0096.211] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\song_vinyl_yours.exe", lpdwSize=0x353fc90) returned 1 [0096.212] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\song_vinyl_yours.exe", lpdwSize=0x353fc90) returned 1 [0096.212] CloseHandle (hObject=0x20c) returned 1 [0096.212] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="palmer-bugs.exe")) returned 1 [0096.213] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.213] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.213] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xee8) returned 0x20c [0096.213] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\palmer-bugs.exe", lpdwSize=0x353fc90) returned 1 [0096.213] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\palmer-bugs.exe", lpdwSize=0x353fc90) returned 1 [0096.213] CloseHandle (hObject=0x20c) returned 1 [0096.213] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="unlikely.exe")) returned 1 [0096.214] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.214] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.214] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa90) returned 0x20c [0096.214] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\unlikely.exe", lpdwSize=0x353fc90) returned 1 [0096.215] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\unlikely.exe", lpdwSize=0x353fc90) returned 1 [0096.215] CloseHandle (hObject=0x20c) returned 1 [0096.215] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="cambodia_alan.exe")) returned 1 [0096.216] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.216] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.216] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf00) returned 0x20c [0096.216] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\cambodia_alan.exe", lpdwSize=0x353fc90) returned 1 [0096.216] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\cambodia_alan.exe", lpdwSize=0x353fc90) returned 1 [0096.216] CloseHandle (hObject=0x20c) returned 1 [0096.216] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="powersellerauctions.exe")) returned 1 [0096.217] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.217] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.217] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4a4) returned 0x20c [0096.217] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\powersellerauctions.exe", lpdwSize=0x353fc90) returned 1 [0096.218] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\powersellerauctions.exe", lpdwSize=0x353fc90) returned 1 [0096.218] CloseHandle (hObject=0x20c) returned 1 [0096.218] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="supervisorswhats.exe")) returned 1 [0096.218] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.219] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.219] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf48) returned 0x20c [0096.219] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\supervisorswhats.exe", lpdwSize=0x353fc90) returned 1 [0096.219] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\supervisorswhats.exe", lpdwSize=0x353fc90) returned 1 [0096.219] CloseHandle (hObject=0x20c) returned 1 [0096.219] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="client-mathematical.exe")) returned 1 [0096.220] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.220] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.220] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf60) returned 0x20c [0096.220] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\client-mathematical.exe", lpdwSize=0x353fc90) returned 1 [0096.221] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\client-mathematical.exe", lpdwSize=0x353fc90) returned 1 [0096.221] CloseHandle (hObject=0x20c) returned 1 [0096.221] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="azresolve.exe")) returned 1 [0096.222] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.222] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.222] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdcc) returned 0x20c [0096.222] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\azresolve.exe", lpdwSize=0x353fc90) returned 1 [0096.222] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\azresolve.exe", lpdwSize=0x353fc90) returned 1 [0096.223] CloseHandle (hObject=0x20c) returned 1 [0096.223] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="shawscenic.exe")) returned 1 [0096.224] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.224] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.224] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x20c [0096.224] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\shawscenic.exe", lpdwSize=0x353fc90) returned 1 [0096.224] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\shawscenic.exe", lpdwSize=0x353fc90) returned 1 [0096.225] CloseHandle (hObject=0x20c) returned 1 [0096.225] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="illinois combo.exe")) returned 1 [0096.226] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.226] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.226] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x20c [0096.226] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Common Files\\illinois combo.exe", lpdwSize=0x353fc90) returned 1 [0096.226] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Common Files\\illinois combo.exe", lpdwSize=0x353fc90) returned 1 [0096.227] CloseHandle (hObject=0x20c) returned 1 [0096.227] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="dat_kenny_ladder.exe")) returned 1 [0096.228] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.228] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.228] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf18) returned 0x20c [0096.228] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\dat_kenny_ladder.exe", lpdwSize=0x353fc90) returned 1 [0096.229] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\dat_kenny_ladder.exe", lpdwSize=0x353fc90) returned 1 [0096.229] CloseHandle (hObject=0x20c) returned 1 [0096.229] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="plasma.exe")) returned 1 [0096.230] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.230] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.230] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfb4) returned 0x20c [0096.230] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Defender\\plasma.exe", lpdwSize=0x353fc90) returned 1 [0096.230] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Defender\\plasma.exe", lpdwSize=0x353fc90) returned 1 [0096.231] CloseHandle (hObject=0x20c) returned 1 [0096.231] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0096.232] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.232] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.232] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb78) returned 0x20c [0096.232] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\3dftp.exe", lpdwSize=0x353fc90) returned 1 [0096.232] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\3dftp.exe", lpdwSize=0x353fc90) returned 1 [0096.299] CloseHandle (hObject=0x20c) returned 1 [0096.299] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0096.300] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.300] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.300] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x20c [0096.300] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\absolutetelnet.exe", lpdwSize=0x353fc90) returned 1 [0096.300] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\absolutetelnet.exe", lpdwSize=0x353fc90) returned 1 [0096.301] CloseHandle (hObject=0x20c) returned 1 [0096.301] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xaf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0096.302] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.302] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.302] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xaf4) returned 0x20c [0096.302] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\alftp.exe", lpdwSize=0x353fc90) returned 1 [0096.302] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\alftp.exe", lpdwSize=0x353fc90) returned 1 [0096.302] CloseHandle (hObject=0x20c) returned 1 [0096.302] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0096.303] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.303] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.303] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xadc) returned 0x20c [0096.303] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\barca.exe", lpdwSize=0x353fc90) returned 1 [0096.304] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\barca.exe", lpdwSize=0x353fc90) returned 1 [0096.304] CloseHandle (hObject=0x20c) returned 1 [0096.304] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0096.305] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.305] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.305] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7f0) returned 0x20c [0096.305] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\bitkinex.exe", lpdwSize=0x353fc90) returned 1 [0096.305] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\bitkinex.exe", lpdwSize=0x353fc90) returned 1 [0096.306] CloseHandle (hObject=0x20c) returned 1 [0096.306] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0096.307] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.307] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.307] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb08) returned 0x20c [0096.307] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Internet Explorer\\coreftp.exe", lpdwSize=0x353fc90) returned 1 [0096.308] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Internet Explorer\\coreftp.exe", lpdwSize=0x353fc90) returned 1 [0096.308] CloseHandle (hObject=0x20c) returned 1 [0096.308] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0096.309] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.309] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.309] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf2c) returned 0x20c [0096.309] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\MSBuild\\far.exe", lpdwSize=0x353fc90) returned 1 [0096.309] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\MSBuild\\far.exe", lpdwSize=0x353fc90) returned 1 [0096.309] CloseHandle (hObject=0x20c) returned 1 [0096.309] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0096.311] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.311] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.311] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x384) returned 0x20c [0096.311] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\filezilla.exe", lpdwSize=0x353fc90) returned 1 [0096.311] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\filezilla.exe", lpdwSize=0x353fc90) returned 1 [0096.312] CloseHandle (hObject=0x20c) returned 1 [0096.312] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0096.313] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.313] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.313] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde0) returned 0x20c [0096.313] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\flashfxp.exe", lpdwSize=0x353fc90) returned 1 [0096.313] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\flashfxp.exe", lpdwSize=0x353fc90) returned 1 [0096.313] CloseHandle (hObject=0x20c) returned 1 [0096.313] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0096.314] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.314] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.315] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x790) returned 0x20c [0096.315] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\fling.exe", lpdwSize=0x353fc90) returned 1 [0096.315] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\fling.exe", lpdwSize=0x353fc90) returned 1 [0096.315] CloseHandle (hObject=0x20c) returned 1 [0096.315] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0096.316] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.316] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.316] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc14) returned 0x20c [0096.316] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\foxmailincmail.exe", lpdwSize=0x353fc90) returned 1 [0096.317] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\foxmailincmail.exe", lpdwSize=0x353fc90) returned 1 [0096.317] CloseHandle (hObject=0x20c) returned 1 [0096.317] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0096.318] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.318] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.318] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x20c [0096.319] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\gmailnotifierpro.exe", lpdwSize=0x353fc90) returned 1 [0096.319] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\gmailnotifierpro.exe", lpdwSize=0x353fc90) returned 1 [0096.319] CloseHandle (hObject=0x20c) returned 1 [0096.319] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0096.320] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.321] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.321] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1010) returned 0x20c [0096.321] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\icq.exe", lpdwSize=0x353fc90) returned 1 [0096.321] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\icq.exe", lpdwSize=0x353fc90) returned 1 [0096.321] CloseHandle (hObject=0x20c) returned 1 [0096.321] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1024, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0096.323] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.323] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.323] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1024) returned 0x20c [0096.323] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\leechftp.exe", lpdwSize=0x353fc90) returned 1 [0096.323] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\leechftp.exe", lpdwSize=0x353fc90) returned 1 [0096.323] CloseHandle (hObject=0x20c) returned 1 [0096.324] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1038, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0096.325] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.325] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.325] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1038) returned 0x20c [0096.325] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\ncftp.exe", lpdwSize=0x353fc90) returned 1 [0096.325] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\ncftp.exe", lpdwSize=0x353fc90) returned 1 [0096.326] CloseHandle (hObject=0x20c) returned 1 [0096.326] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0096.327] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.327] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.327] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x104c) returned 0x20c [0096.327] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0096.328] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0096.328] CloseHandle (hObject=0x20c) returned 1 [0096.328] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1060, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0096.329] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.329] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.329] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1060) returned 0x20c [0096.329] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\operamail.exe", lpdwSize=0x353fc90) returned 1 [0096.329] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\operamail.exe", lpdwSize=0x353fc90) returned 1 [0096.330] CloseHandle (hObject=0x20c) returned 1 [0096.330] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1074, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0096.331] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.331] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.331] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1074) returned 0x20c [0096.331] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\outlook.exe", lpdwSize=0x353fc90) returned 1 [0096.331] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\outlook.exe", lpdwSize=0x353fc90) returned 1 [0096.331] CloseHandle (hObject=0x20c) returned 1 [0096.331] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1088, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0096.332] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.332] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.332] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1088) returned 0x20c [0096.333] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\pidgin.exe", lpdwSize=0x353fc90) returned 1 [0096.333] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\pidgin.exe", lpdwSize=0x353fc90) returned 1 [0096.333] CloseHandle (hObject=0x20c) returned 1 [0096.333] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x109c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0096.334] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.334] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.334] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x109c) returned 0x20c [0096.334] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\scriptftp.exe", lpdwSize=0x353fc90) returned 1 [0096.335] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\scriptftp.exe", lpdwSize=0x353fc90) returned 1 [0096.335] CloseHandle (hObject=0x20c) returned 1 [0096.335] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0096.336] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.336] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.336] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b0) returned 0x20c [0096.336] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\skype.exe", lpdwSize=0x353fc90) returned 1 [0096.336] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\skype.exe", lpdwSize=0x353fc90) returned 1 [0096.336] CloseHandle (hObject=0x20c) returned 1 [0096.337] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0096.337] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.338] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.338] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10c4) returned 0x20c [0096.338] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x353fc90) returned 1 [0096.338] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x353fc90) returned 1 [0096.338] CloseHandle (hObject=0x20c) returned 1 [0096.338] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0096.339] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.339] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.339] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10d8) returned 0x20c [0096.339] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\thunderbird.exe", lpdwSize=0x353fc90) returned 1 [0096.340] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\thunderbird.exe", lpdwSize=0x353fc90) returned 1 [0096.340] CloseHandle (hObject=0x20c) returned 1 [0096.340] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0096.341] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.341] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.341] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10ec) returned 0x20c [0096.341] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\totalcmd.exe", lpdwSize=0x353fc90) returned 1 [0096.341] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\totalcmd.exe", lpdwSize=0x353fc90) returned 1 [0096.341] CloseHandle (hObject=0x20c) returned 1 [0096.341] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1100, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0096.408] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.408] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.408] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1100) returned 0x20c [0096.408] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\trillian.exe", lpdwSize=0x353fc90) returned 1 [0096.408] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\trillian.exe", lpdwSize=0x353fc90) returned 1 [0096.409] CloseHandle (hObject=0x20c) returned 1 [0096.409] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0096.410] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.410] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.410] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1114) returned 0x20c [0096.410] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\webdrive.exe", lpdwSize=0x353fc90) returned 1 [0096.410] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\webdrive.exe", lpdwSize=0x353fc90) returned 1 [0096.410] CloseHandle (hObject=0x20c) returned 1 [0096.410] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1128, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0096.411] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.412] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.412] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1128) returned 0x20c [0096.412] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\whatsapp.exe", lpdwSize=0x353fc90) returned 1 [0096.412] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\whatsapp.exe", lpdwSize=0x353fc90) returned 1 [0096.412] CloseHandle (hObject=0x20c) returned 1 [0096.412] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x113c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0096.413] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.413] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.413] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x113c) returned 0x20c [0096.413] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\winscp.exe", lpdwSize=0x353fc90) returned 1 [0096.414] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\winscp.exe", lpdwSize=0x353fc90) returned 1 [0096.414] CloseHandle (hObject=0x20c) returned 1 [0096.414] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0096.415] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.415] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.415] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x20c [0096.415] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Media Player\\yahoomessenger.exe", lpdwSize=0x353fc90) returned 1 [0096.415] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Media Player\\yahoomessenger.exe", lpdwSize=0x353fc90) returned 1 [0096.416] CloseHandle (hObject=0x20c) returned 1 [0096.416] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0096.417] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.417] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.417] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x20c [0096.417] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\active-charge.exe", lpdwSize=0x353fc90) returned 1 [0096.417] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\active-charge.exe", lpdwSize=0x353fc90) returned 1 [0096.418] CloseHandle (hObject=0x20c) returned 1 [0096.418] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0096.419] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.419] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.419] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x20c [0096.419] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\accupos.exe", lpdwSize=0x353fc90) returned 1 [0096.420] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\accupos.exe", lpdwSize=0x353fc90) returned 1 [0096.420] CloseHandle (hObject=0x20c) returned 1 [0096.420] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0096.421] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.421] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.421] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x20c [0096.421] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\afr38.exe", lpdwSize=0x353fc90) returned 1 [0096.422] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\afr38.exe", lpdwSize=0x353fc90) returned 1 [0096.422] CloseHandle (hObject=0x20c) returned 1 [0096.422] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0096.423] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.423] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.423] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x20c [0096.424] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\aldelo.exe", lpdwSize=0x353fc90) returned 1 [0096.424] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\aldelo.exe", lpdwSize=0x353fc90) returned 1 [0096.424] CloseHandle (hObject=0x20c) returned 1 [0096.424] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0096.425] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.425] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.425] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x20c [0096.426] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\ccv_server.exe", lpdwSize=0x353fc90) returned 1 [0096.426] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\ccv_server.exe", lpdwSize=0x353fc90) returned 1 [0096.426] CloseHandle (hObject=0x20c) returned 1 [0096.426] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0096.427] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.427] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.427] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x20c [0096.427] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\centralcreditcard.exe", lpdwSize=0x353fc90) returned 1 [0096.428] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\centralcreditcard.exe", lpdwSize=0x353fc90) returned 1 [0096.428] CloseHandle (hObject=0x20c) returned 1 [0096.428] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0096.429] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.429] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.429] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x20c [0096.429] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\creditservice.exe", lpdwSize=0x353fc90) returned 1 [0096.429] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\creditservice.exe", lpdwSize=0x353fc90) returned 1 [0096.429] CloseHandle (hObject=0x20c) returned 1 [0096.429] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0096.430] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.430] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.430] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x20c [0096.431] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\edcsvr.exe", lpdwSize=0x353fc90) returned 1 [0096.431] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\edcsvr.exe", lpdwSize=0x353fc90) returned 1 [0096.431] CloseHandle (hObject=0x20c) returned 1 [0096.431] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0096.432] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.432] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.432] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x20c [0096.432] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Sidebar\\fpos.exe", lpdwSize=0x353fc90) returned 1 [0096.432] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Sidebar\\fpos.exe", lpdwSize=0x353fc90) returned 1 [0096.433] CloseHandle (hObject=0x20c) returned 1 [0096.433] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0096.433] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.433] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.434] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x20c [0096.434] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Java\\isspos.exe", lpdwSize=0x353fc90) returned 1 [0096.434] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Java\\isspos.exe", lpdwSize=0x353fc90) returned 1 [0096.434] CloseHandle (hObject=0x20c) returned 1 [0096.434] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0096.435] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.435] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.435] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x20c [0096.435] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\mxslipstream.exe", lpdwSize=0x353fc90) returned 1 [0096.436] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\mxslipstream.exe", lpdwSize=0x353fc90) returned 1 [0096.437] CloseHandle (hObject=0x20c) returned 1 [0096.437] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0096.438] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.438] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.438] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x20c [0096.438] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\omnipos.exe", lpdwSize=0x353fc90) returned 1 [0096.438] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\omnipos.exe", lpdwSize=0x353fc90) returned 1 [0096.438] CloseHandle (hObject=0x20c) returned 1 [0096.438] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0096.439] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.439] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.439] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x20c [0096.439] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Uninstall Information\\spcwin.exe", lpdwSize=0x353fc90) returned 1 [0096.439] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Uninstall Information\\spcwin.exe", lpdwSize=0x353fc90) returned 1 [0096.440] CloseHandle (hObject=0x20c) returned 1 [0096.440] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0096.440] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.441] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.441] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x20c [0096.441] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\spgagentservice.exe", lpdwSize=0x353fc90) returned 1 [0096.441] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\spgagentservice.exe", lpdwSize=0x353fc90) returned 1 [0096.441] CloseHandle (hObject=0x20c) returned 1 [0096.441] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0096.442] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.442] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.442] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x20c [0096.442] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\utg2.exe", lpdwSize=0x353fc90) returned 1 [0096.442] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\utg2.exe", lpdwSize=0x353fc90) returned 1 [0096.443] CloseHandle (hObject=0x20c) returned 1 [0096.443] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare brown worth.exe")) returned 1 [0096.443] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.444] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.444] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x20c [0096.444] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\compare brown worth.exe", lpdwSize=0x353fc90) returned 1 [0096.444] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\compare brown worth.exe", lpdwSize=0x353fc90) returned 1 [0096.444] CloseHandle (hObject=0x20c) returned 1 [0096.444] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="purchase.exe")) returned 1 [0096.445] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.445] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.445] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12a4) returned 0x20c [0096.445] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\purchase.exe", lpdwSize=0x353fc90) returned 1 [0096.445] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\purchase.exe", lpdwSize=0x353fc90) returned 1 [0096.446] CloseHandle (hObject=0x20c) returned 1 [0096.446] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="timothy.exe")) returned 1 [0096.446] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.446] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.447] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b8) returned 0x20c [0096.447] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\timothy.exe", lpdwSize=0x353fc90) returned 1 [0096.447] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\timothy.exe", lpdwSize=0x353fc90) returned 1 [0096.447] CloseHandle (hObject=0x20c) returned 1 [0096.447] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="across-camel-teachers.exe")) returned 1 [0096.448] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.448] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.448] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12cc) returned 0x20c [0096.448] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\across-camel-teachers.exe", lpdwSize=0x353fc90) returned 1 [0096.448] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\across-camel-teachers.exe", lpdwSize=0x353fc90) returned 1 [0096.449] CloseHandle (hObject=0x20c) returned 1 [0096.449] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pst.exe")) returned 1 [0096.450] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.450] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.450] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12e0) returned 0x20c [0096.450] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\pst.exe", lpdwSize=0x353fc90) returned 1 [0096.450] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\pst.exe", lpdwSize=0x353fc90) returned 1 [0096.450] CloseHandle (hObject=0x20c) returned 1 [0096.450] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0096.451] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.522] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.522] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13bc) returned 0x20c [0096.522] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0096.522] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0096.522] CloseHandle (hObject=0x20c) returned 1 [0096.522] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0096.523] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.523] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.523] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13cc) returned 0x20c [0096.524] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x353fc90) returned 1 [0096.524] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x353fc90) returned 1 [0096.524] CloseHandle (hObject=0x20c) returned 1 [0096.524] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0096.525] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.525] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.525] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13dc) returned 0x20c [0096.525] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0096.526] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0096.526] CloseHandle (hObject=0x20c) returned 1 [0096.526] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0096.527] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.527] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.527] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13e4) returned 0x20c [0096.527] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x353fc90) returned 1 [0096.527] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x353fc90) returned 1 [0096.527] CloseHandle (hObject=0x20c) returned 1 [0096.527] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0096.528] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.528] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.528] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13ec) returned 0x20c [0096.528] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0096.528] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0096.529] CloseHandle (hObject=0x20c) returned 1 [0096.529] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0096.529] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.530] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.530] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13f4) returned 0x20c [0096.530] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0096.530] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0096.531] CloseHandle (hObject=0x20c) returned 1 [0096.531] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1098, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0096.531] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.532] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.532] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1098) returned 0x20c [0096.532] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x353fc90) returned 1 [0096.532] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x353fc90) returned 1 [0096.532] CloseHandle (hObject=0x20c) returned 1 [0096.532] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x13e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0096.533] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.533] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.533] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xad4) returned 0x20c [0096.533] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0096.533] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0096.533] CloseHandle (hObject=0x20c) returned 1 [0096.534] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x608, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x13cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0096.534] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.534] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.534] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x608) returned 0x20c [0096.534] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0096.535] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0096.535] CloseHandle (hObject=0x20c) returned 1 [0096.535] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xda8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xaac, pcPriClassBase=8, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0096.535] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.536] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.536] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xda8) returned 0x20c [0096.536] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpdwSize=0x353fc90) returned 1 [0096.536] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpdwSize=0x353fc90) returned 1 [0096.536] CloseHandle (hObject=0x20c) returned 1 [0096.536] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xaac, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0096.537] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.537] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.537] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x378) returned 0x20c [0096.537] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0096.537] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0096.537] CloseHandle (hObject=0x20c) returned 1 [0096.537] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x110c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0096.538] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.538] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.538] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x110c) returned 0x20c [0096.538] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x353fc90) returned 1 [0096.539] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x353fc90) returned 1 [0096.539] CloseHandle (hObject=0x20c) returned 1 [0096.539] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdd0064, th32DefaultHeapID=0xff01, th32ModuleID=0x53fa9c, cntThreads=0x353fa9c, th32ParentProcessID=0x1031000, pcPriClassBase=32, dwFlags=0x48, szExeFile="????p")) returned 0 [0096.539] CloseHandle (hObject=0x208) returned 1 [0096.540] Sleep (dwMilliseconds=0x1) [0096.584] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x353fd2c, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0096.584] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2e497e0, cbMultiByte=10, lpWideCharStr=0x353ee34, cchWideChar=2047 | out: lpWideCharStr="encsvc.exeeexelplussvc.exe") returned 10 [0096.585] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="encsvc.exe", cchWideChar=10, lpMultiByteStr=0x353eca8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="encsvc.exe??", lpUsedDefaultChar=0x0) returned 10 [0096.585] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x353fa9c, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0096.586] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x353eca4, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exec.exe??", lpUsedDefaultChar=0x0) returned 9 [0096.586] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x208 [0096.598] Process32First (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0096.598] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.599] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.599] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0096.600] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="encsvc.exe", cchWideChar=10, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="encsvc.exe", lpUsedDefaultChar=0x0) returned 10 [0096.600] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0096.600] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.601] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.601] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x20c [0096.601] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x353fc90) returned 0 [0096.601] GetLastError () returned 0x1f [0096.601] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x353fc90) returned 0 [0096.601] CloseHandle (hObject=0x20c) returned 1 [0096.659] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0096.660] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.660] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.660] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x20c [0096.660] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x353fc90) returned 1 [0096.661] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101843c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x353fc90) returned 1 [0096.661] CloseHandle (hObject=0x20c) returned 1 [0096.661] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0096.662] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.662] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.662] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0096.662] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0096.662] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.663] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.663] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x20c [0096.663] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x353fc90) returned 1 [0096.663] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x353fc90) returned 1 [0096.663] CloseHandle (hObject=0x20c) returned 1 [0096.663] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0096.664] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.664] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.664] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0096.664] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0096.665] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.665] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.665] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x20c [0096.665] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x353fc90) returned 1 [0096.665] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x353fc90) returned 1 [0096.665] CloseHandle (hObject=0x20c) returned 1 [0096.665] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0096.666] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.666] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.666] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x20c [0096.666] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x353fc90) returned 1 [0096.666] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x353fc90) returned 1 [0096.666] CloseHandle (hObject=0x20c) returned 1 [0096.666] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0096.667] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.667] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.667] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x20c [0096.667] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x353fc90) returned 1 [0096.667] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10185fc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x353fc90) returned 1 [0096.668] CloseHandle (hObject=0x20c) returned 1 [0096.668] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.668] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.668] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.668] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x20c [0096.669] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.669] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.669] CloseHandle (hObject=0x20c) returned 1 [0096.669] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0096.670] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.670] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.671] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0096.671] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0096.671] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.671] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.671] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0096.671] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.672] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.672] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.672] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x20c [0096.672] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.672] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.673] CloseHandle (hObject=0x20c) returned 1 [0096.673] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0096.673] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.674] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.674] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0096.674] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.674] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.674] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.674] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x20c [0096.674] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.675] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.675] CloseHandle (hObject=0x20c) returned 1 [0096.675] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x63, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.675] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.676] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.676] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x20c [0096.676] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.676] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.676] CloseHandle (hObject=0x20c) returned 1 [0096.676] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.677] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.677] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.677] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x20c [0096.677] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.677] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.677] CloseHandle (hObject=0x20c) returned 1 [0096.677] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.678] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.678] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.678] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x20c [0096.678] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.678] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.679] CloseHandle (hObject=0x20c) returned 1 [0096.679] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.679] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.679] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.679] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x20c [0096.679] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.680] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.680] CloseHandle (hObject=0x20c) returned 1 [0096.680] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.680] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.681] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.681] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x20c [0096.681] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.681] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.681] CloseHandle (hObject=0x20c) returned 1 [0096.681] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.682] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.682] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.682] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x20c [0096.682] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.682] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.682] CloseHandle (hObject=0x20c) returned 1 [0096.683] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.683] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.683] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.683] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x20c [0096.683] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.684] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.684] CloseHandle (hObject=0x20c) returned 1 [0096.684] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.685] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.685] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.685] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x20c [0096.685] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.685] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.685] CloseHandle (hObject=0x20c) returned 1 [0096.685] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.686] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.686] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.686] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x20c [0096.686] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.686] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.687] CloseHandle (hObject=0x20c) returned 1 [0096.687] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.687] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.687] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.687] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x20c [0096.688] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.688] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.688] CloseHandle (hObject=0x20c) returned 1 [0096.688] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0096.689] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.689] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.689] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x20c [0096.689] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x353fc90) returned 1 [0096.689] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x353fc90) returned 1 [0096.689] CloseHandle (hObject=0x20c) returned 1 [0096.689] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0096.690] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.690] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.690] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x20c [0096.690] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x353fc90) returned 1 [0096.690] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x353fc90) returned 1 [0096.690] CloseHandle (hObject=0x20c) returned 1 [0096.691] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0096.691] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.691] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.691] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x20c [0096.691] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x353fc90) returned 1 [0096.691] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x353fc90) returned 1 [0096.692] CloseHandle (hObject=0x20c) returned 1 [0096.692] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.692] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.692] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.692] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x20c [0096.693] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.693] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.693] CloseHandle (hObject=0x20c) returned 1 [0096.693] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0096.694] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.694] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.694] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x20c [0096.694] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0096.694] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0096.694] CloseHandle (hObject=0x20c) returned 1 [0096.694] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0096.695] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.695] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.695] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x20c [0096.695] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x353fc90) returned 1 [0096.695] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101843c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x353fc90) returned 1 [0096.695] CloseHandle (hObject=0x20c) returned 1 [0096.696] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0096.696] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.696] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.696] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x20c [0096.696] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x353fc90) returned 1 [0096.697] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x353fc90) returned 1 [0096.697] CloseHandle (hObject=0x20c) returned 1 [0096.697] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0096.698] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.698] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.698] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x20c [0096.698] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 1 [0096.698] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 1 [0096.698] CloseHandle (hObject=0x20c) returned 1 [0096.698] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0096.699] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.699] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.699] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x20c [0096.699] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 0 [0096.699] GetLastError () returned 0x1f [0096.699] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 0 [0096.699] CloseHandle (hObject=0x20c) returned 1 [0096.765] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0096.766] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.766] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.767] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x20c [0096.767] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x353fc90) returned 1 [0096.767] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x353fc90) returned 1 [0096.767] CloseHandle (hObject=0x20c) returned 1 [0096.768] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0096.768] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.769] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.769] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x20c [0096.769] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x353fc90) returned 1 [0096.769] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x353fc90) returned 1 [0096.769] CloseHandle (hObject=0x20c) returned 1 [0096.770] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0096.770] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.771] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.771] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x20c [0096.771] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x353fc90) returned 1 [0096.771] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x353fc90) returned 1 [0096.771] CloseHandle (hObject=0x20c) returned 1 [0096.771] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0096.772] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.772] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.773] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0096.773] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0096.774] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.774] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.774] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0096.774] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0096.775] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.775] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.775] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x20c [0096.775] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.775] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0096.776] CloseHandle (hObject=0x20c) returned 1 [0096.776] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0096.776] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.776] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.776] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdec) returned 0x20c [0096.777] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x353fc90) returned 1 [0096.777] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x353fc90) returned 1 [0096.777] CloseHandle (hObject=0x20c) returned 1 [0096.777] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SppExtComObj.Exe")) returned 1 [0096.778] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.778] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.778] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1a4) returned 0x0 [0096.778] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="manufacturers.exe")) returned 1 [0096.779] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.780] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.780] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb14) returned 0x20c [0096.780] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\manufacturers.exe", lpdwSize=0x353fc90) returned 1 [0096.781] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\manufacturers.exe", lpdwSize=0x353fc90) returned 1 [0096.781] CloseHandle (hObject=0x20c) returned 1 [0096.781] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="posters struggle.exe")) returned 1 [0096.782] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.782] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.782] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb00) returned 0x20c [0096.782] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\posters struggle.exe", lpdwSize=0x353fc90) returned 1 [0096.783] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\posters struggle.exe", lpdwSize=0x353fc90) returned 1 [0096.783] CloseHandle (hObject=0x20c) returned 1 [0096.783] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x650, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="dnsreliablemovie.exe")) returned 1 [0096.784] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.784] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.784] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x650) returned 0x20c [0096.784] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\dnsreliablemovie.exe", lpdwSize=0x353fc90) returned 1 [0096.784] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\dnsreliablemovie.exe", lpdwSize=0x353fc90) returned 1 [0096.785] CloseHandle (hObject=0x20c) returned 1 [0096.785] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="uristackaluminum.exe")) returned 1 [0096.786] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.786] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.786] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf8) returned 0x20c [0096.786] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\uristackaluminum.exe", lpdwSize=0x353fc90) returned 1 [0096.786] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\uristackaluminum.exe", lpdwSize=0x353fc90) returned 1 [0096.786] CloseHandle (hObject=0x20c) returned 1 [0096.787] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="freedom.exe")) returned 1 [0096.787] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.788] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.788] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8a0) returned 0x20c [0096.788] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\freedom.exe", lpdwSize=0x353fc90) returned 1 [0096.788] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\freedom.exe", lpdwSize=0x353fc90) returned 1 [0096.788] CloseHandle (hObject=0x20c) returned 1 [0096.788] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="discussion complement stretch.exe")) returned 1 [0096.789] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.789] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.789] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x20c [0096.790] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\discussion complement stretch.exe", lpdwSize=0x353fc90) returned 1 [0096.790] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\discussion complement stretch.exe", lpdwSize=0x353fc90) returned 1 [0096.790] CloseHandle (hObject=0x20c) returned 1 [0096.790] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="grantsfillingraises.exe")) returned 1 [0096.791] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.791] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.791] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe34) returned 0x20c [0096.791] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\grantsfillingraises.exe", lpdwSize=0x353fc90) returned 1 [0096.792] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\grantsfillingraises.exe", lpdwSize=0x353fc90) returned 1 [0096.792] CloseHandle (hObject=0x20c) returned 1 [0096.792] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="confused-periodic-returns.exe")) returned 1 [0096.793] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.793] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.793] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc98) returned 0x20c [0096.793] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\confused-periodic-returns.exe", lpdwSize=0x353fc90) returned 1 [0096.794] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\confused-periodic-returns.exe", lpdwSize=0x353fc90) returned 1 [0096.794] CloseHandle (hObject=0x20c) returned 1 [0096.794] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="song_vinyl_yours.exe")) returned 1 [0096.795] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.844] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.844] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf34) returned 0x20c [0096.844] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\song_vinyl_yours.exe", lpdwSize=0x353fc90) returned 1 [0096.844] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\song_vinyl_yours.exe", lpdwSize=0x353fc90) returned 1 [0096.844] CloseHandle (hObject=0x20c) returned 1 [0096.845] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="palmer-bugs.exe")) returned 1 [0096.845] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.846] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.846] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xee8) returned 0x20c [0096.846] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\palmer-bugs.exe", lpdwSize=0x353fc90) returned 1 [0096.846] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\palmer-bugs.exe", lpdwSize=0x353fc90) returned 1 [0096.846] CloseHandle (hObject=0x20c) returned 1 [0096.846] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="unlikely.exe")) returned 1 [0096.847] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.847] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.847] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa90) returned 0x20c [0096.847] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\unlikely.exe", lpdwSize=0x353fc90) returned 1 [0096.848] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\unlikely.exe", lpdwSize=0x353fc90) returned 1 [0096.848] CloseHandle (hObject=0x20c) returned 1 [0096.848] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="cambodia_alan.exe")) returned 1 [0096.849] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.849] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.849] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf00) returned 0x20c [0096.849] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\cambodia_alan.exe", lpdwSize=0x353fc90) returned 1 [0096.850] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\cambodia_alan.exe", lpdwSize=0x353fc90) returned 1 [0096.850] CloseHandle (hObject=0x20c) returned 1 [0096.850] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="powersellerauctions.exe")) returned 1 [0096.851] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.851] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.851] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4a4) returned 0x20c [0096.851] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\powersellerauctions.exe", lpdwSize=0x353fc90) returned 1 [0096.851] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\powersellerauctions.exe", lpdwSize=0x353fc90) returned 1 [0096.852] CloseHandle (hObject=0x20c) returned 1 [0096.852] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="supervisorswhats.exe")) returned 1 [0096.852] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.853] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.853] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf48) returned 0x20c [0096.853] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\supervisorswhats.exe", lpdwSize=0x353fc90) returned 1 [0096.853] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\supervisorswhats.exe", lpdwSize=0x353fc90) returned 1 [0096.853] CloseHandle (hObject=0x20c) returned 1 [0096.853] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="client-mathematical.exe")) returned 1 [0096.854] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.854] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.854] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf60) returned 0x20c [0096.854] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\client-mathematical.exe", lpdwSize=0x353fc90) returned 1 [0096.855] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\client-mathematical.exe", lpdwSize=0x353fc90) returned 1 [0096.855] CloseHandle (hObject=0x20c) returned 1 [0096.855] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="azresolve.exe")) returned 1 [0096.856] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.856] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.856] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdcc) returned 0x20c [0096.856] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\azresolve.exe", lpdwSize=0x353fc90) returned 1 [0096.856] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\azresolve.exe", lpdwSize=0x353fc90) returned 1 [0096.857] CloseHandle (hObject=0x20c) returned 1 [0096.857] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="shawscenic.exe")) returned 1 [0096.858] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.858] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.858] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x20c [0096.858] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\shawscenic.exe", lpdwSize=0x353fc90) returned 1 [0096.859] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\shawscenic.exe", lpdwSize=0x353fc90) returned 1 [0096.859] CloseHandle (hObject=0x20c) returned 1 [0096.859] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="illinois combo.exe")) returned 1 [0096.860] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.861] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.861] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x20c [0096.861] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Common Files\\illinois combo.exe", lpdwSize=0x353fc90) returned 1 [0096.914] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Common Files\\illinois combo.exe", lpdwSize=0x353fc90) returned 1 [0096.914] CloseHandle (hObject=0x20c) returned 1 [0096.914] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="dat_kenny_ladder.exe")) returned 1 [0096.916] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.916] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.916] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf18) returned 0x20c [0096.916] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\dat_kenny_ladder.exe", lpdwSize=0x353fc90) returned 1 [0096.916] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\dat_kenny_ladder.exe", lpdwSize=0x353fc90) returned 1 [0096.917] CloseHandle (hObject=0x20c) returned 1 [0096.917] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="plasma.exe")) returned 1 [0096.918] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.918] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.918] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfb4) returned 0x20c [0096.918] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Defender\\plasma.exe", lpdwSize=0x353fc90) returned 1 [0096.919] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Defender\\plasma.exe", lpdwSize=0x353fc90) returned 1 [0096.919] CloseHandle (hObject=0x20c) returned 1 [0096.919] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0096.921] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.921] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.921] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb78) returned 0x20c [0096.921] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\3dftp.exe", lpdwSize=0x353fc90) returned 1 [0096.921] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\3dftp.exe", lpdwSize=0x353fc90) returned 1 [0096.921] CloseHandle (hObject=0x20c) returned 1 [0096.921] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0096.923] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.923] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.923] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x20c [0096.923] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\absolutetelnet.exe", lpdwSize=0x353fc90) returned 1 [0096.923] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\absolutetelnet.exe", lpdwSize=0x353fc90) returned 1 [0096.924] CloseHandle (hObject=0x20c) returned 1 [0096.924] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xaf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0096.925] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.925] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.925] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xaf4) returned 0x20c [0096.925] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\alftp.exe", lpdwSize=0x353fc90) returned 1 [0096.926] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\alftp.exe", lpdwSize=0x353fc90) returned 1 [0096.926] CloseHandle (hObject=0x20c) returned 1 [0096.926] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0096.927] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.927] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.927] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xadc) returned 0x20c [0096.928] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\barca.exe", lpdwSize=0x353fc90) returned 1 [0096.928] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\barca.exe", lpdwSize=0x353fc90) returned 1 [0096.928] CloseHandle (hObject=0x20c) returned 1 [0096.928] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0096.929] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.930] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.930] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7f0) returned 0x20c [0096.930] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\bitkinex.exe", lpdwSize=0x353fc90) returned 1 [0096.930] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\bitkinex.exe", lpdwSize=0x353fc90) returned 1 [0096.930] CloseHandle (hObject=0x20c) returned 1 [0096.930] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0096.932] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.932] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.932] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb08) returned 0x20c [0096.932] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Internet Explorer\\coreftp.exe", lpdwSize=0x353fc90) returned 1 [0096.932] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Internet Explorer\\coreftp.exe", lpdwSize=0x353fc90) returned 1 [0096.933] CloseHandle (hObject=0x20c) returned 1 [0096.933] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0096.934] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.934] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.934] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf2c) returned 0x20c [0096.934] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\MSBuild\\far.exe", lpdwSize=0x353fc90) returned 1 [0096.934] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\MSBuild\\far.exe", lpdwSize=0x353fc90) returned 1 [0096.935] CloseHandle (hObject=0x20c) returned 1 [0096.935] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0096.990] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.990] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.990] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x384) returned 0x20c [0096.990] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\filezilla.exe", lpdwSize=0x353fc90) returned 1 [0096.990] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\filezilla.exe", lpdwSize=0x353fc90) returned 1 [0096.991] CloseHandle (hObject=0x20c) returned 1 [0096.991] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0096.992] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.992] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.992] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde0) returned 0x20c [0096.992] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\flashfxp.exe", lpdwSize=0x353fc90) returned 1 [0096.993] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\flashfxp.exe", lpdwSize=0x353fc90) returned 1 [0096.993] CloseHandle (hObject=0x20c) returned 1 [0096.993] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0096.994] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.994] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.995] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x790) returned 0x20c [0096.995] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\fling.exe", lpdwSize=0x353fc90) returned 1 [0096.995] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\fling.exe", lpdwSize=0x353fc90) returned 1 [0096.995] CloseHandle (hObject=0x20c) returned 1 [0096.995] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0096.997] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.997] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.997] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc14) returned 0x20c [0096.997] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\foxmailincmail.exe", lpdwSize=0x353fc90) returned 1 [0096.997] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\foxmailincmail.exe", lpdwSize=0x353fc90) returned 1 [0096.997] CloseHandle (hObject=0x20c) returned 1 [0096.997] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0096.999] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0096.999] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0096.999] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x20c [0096.999] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\gmailnotifierpro.exe", lpdwSize=0x353fc90) returned 1 [0097.000] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\gmailnotifierpro.exe", lpdwSize=0x353fc90) returned 1 [0097.000] CloseHandle (hObject=0x20c) returned 1 [0097.000] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0097.001] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.002] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.002] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1010) returned 0x20c [0097.002] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\icq.exe", lpdwSize=0x353fc90) returned 1 [0097.002] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\icq.exe", lpdwSize=0x353fc90) returned 1 [0097.002] CloseHandle (hObject=0x20c) returned 1 [0097.002] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1024, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0097.004] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.004] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.004] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1024) returned 0x20c [0097.004] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\leechftp.exe", lpdwSize=0x353fc90) returned 1 [0097.004] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\leechftp.exe", lpdwSize=0x353fc90) returned 1 [0097.004] CloseHandle (hObject=0x20c) returned 1 [0097.004] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1038, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0097.006] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.006] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.006] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1038) returned 0x20c [0097.006] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\ncftp.exe", lpdwSize=0x353fc90) returned 1 [0097.006] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\ncftp.exe", lpdwSize=0x353fc90) returned 1 [0097.006] CloseHandle (hObject=0x20c) returned 1 [0097.007] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x104c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0097.008] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.008] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.008] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x104c) returned 0x20c [0097.008] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0097.008] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0097.009] CloseHandle (hObject=0x20c) returned 1 [0097.009] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1060, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0097.010] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.010] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.010] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1060) returned 0x20c [0097.010] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\operamail.exe", lpdwSize=0x353fc90) returned 1 [0097.010] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\operamail.exe", lpdwSize=0x353fc90) returned 1 [0097.010] CloseHandle (hObject=0x20c) returned 1 [0097.010] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1074, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0097.011] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.011] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.011] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1074) returned 0x20c [0097.012] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\outlook.exe", lpdwSize=0x353fc90) returned 1 [0097.012] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\outlook.exe", lpdwSize=0x353fc90) returned 1 [0097.012] CloseHandle (hObject=0x20c) returned 1 [0097.012] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1088, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0097.013] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.013] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.013] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1088) returned 0x20c [0097.013] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\pidgin.exe", lpdwSize=0x353fc90) returned 1 [0097.013] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\pidgin.exe", lpdwSize=0x353fc90) returned 1 [0097.014] CloseHandle (hObject=0x20c) returned 1 [0097.014] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x109c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0097.015] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.015] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.015] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x109c) returned 0x20c [0097.015] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\scriptftp.exe", lpdwSize=0x353fc90) returned 1 [0097.016] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\scriptftp.exe", lpdwSize=0x353fc90) returned 1 [0097.016] CloseHandle (hObject=0x20c) returned 1 [0097.016] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0097.017] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.017] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.017] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b0) returned 0x20c [0097.017] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\skype.exe", lpdwSize=0x353fc90) returned 1 [0097.017] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\skype.exe", lpdwSize=0x353fc90) returned 1 [0097.017] CloseHandle (hObject=0x20c) returned 1 [0097.017] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0097.018] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.018] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.018] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10c4) returned 0x20c [0097.019] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x353fc90) returned 1 [0097.019] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x353fc90) returned 1 [0097.019] CloseHandle (hObject=0x20c) returned 1 [0097.019] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0097.020] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.020] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.020] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10d8) returned 0x20c [0097.020] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\thunderbird.exe", lpdwSize=0x353fc90) returned 1 [0097.021] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\thunderbird.exe", lpdwSize=0x353fc90) returned 1 [0097.021] CloseHandle (hObject=0x20c) returned 1 [0097.021] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0097.022] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.022] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.022] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10ec) returned 0x20c [0097.023] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\totalcmd.exe", lpdwSize=0x353fc90) returned 1 [0097.023] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\totalcmd.exe", lpdwSize=0x353fc90) returned 1 [0097.023] CloseHandle (hObject=0x20c) returned 1 [0097.023] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1100, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0097.024] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.025] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.025] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1100) returned 0x20c [0097.025] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\trillian.exe", lpdwSize=0x353fc90) returned 1 [0097.025] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\trillian.exe", lpdwSize=0x353fc90) returned 1 [0097.025] CloseHandle (hObject=0x20c) returned 1 [0097.025] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0097.026] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.027] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.027] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1114) returned 0x20c [0097.027] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\webdrive.exe", lpdwSize=0x353fc90) returned 1 [0097.027] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\webdrive.exe", lpdwSize=0x353fc90) returned 1 [0097.027] CloseHandle (hObject=0x20c) returned 1 [0097.027] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1128, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0097.029] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.029] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.029] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1128) returned 0x20c [0097.029] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\whatsapp.exe", lpdwSize=0x353fc90) returned 1 [0097.084] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\whatsapp.exe", lpdwSize=0x353fc90) returned 1 [0097.084] CloseHandle (hObject=0x20c) returned 1 [0097.086] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="whatsapp.exe", cchWideChar=12, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="whatsapp.exeexeo.exeexens.exe.exe", lpUsedDefaultChar=0x0) returned 12 [0097.087] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="encsvc.exe", cchWideChar=10, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="encsvc.exepp.exeexeo.exeexens.exe.exe", lpUsedDefaultChar=0x0) returned 10 [0097.087] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x113c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0097.088] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.088] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.088] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x113c) returned 0x20c [0097.088] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\winscp.exe", lpdwSize=0x353fc90) returned 1 [0097.088] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\winscp.exe", lpdwSize=0x353fc90) returned 1 [0097.089] CloseHandle (hObject=0x20c) returned 1 [0097.090] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="winscp.exe", cchWideChar=10, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="winscp.exexeexeo.exeexens.exe.exe", lpUsedDefaultChar=0x0) returned 10 [0097.091] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="encsvc.exe", cchWideChar=10, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="encsvc.exe.exexeexeo.exeexens.exe.exe", lpUsedDefaultChar=0x0) returned 10 [0097.091] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0097.092] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.092] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.092] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x20c [0097.092] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Media Player\\yahoomessenger.exe", lpdwSize=0x353fc90) returned 1 [0097.093] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Media Player\\yahoomessenger.exe", lpdwSize=0x353fc90) returned 1 [0097.093] CloseHandle (hObject=0x20c) returned 1 [0097.095] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="yahoomessenger.exe", cchWideChar=18, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="yahoomessenger.exexeexens.exe.exe", lpUsedDefaultChar=0x0) returned 18 [0097.096] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="encsvc.exe", cchWideChar=10, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="encsvc.exeessenger.exexeexens.exe.exe", lpUsedDefaultChar=0x0) returned 10 [0097.096] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0097.097] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.097] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.097] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x20c [0097.097] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\active-charge.exe", lpdwSize=0x353fc90) returned 1 [0097.097] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\active-charge.exe", lpdwSize=0x353fc90) returned 1 [0097.098] CloseHandle (hObject=0x20c) returned 1 [0097.099] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="active-charge.exe", cchWideChar=17, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="active-charge.exeexeexens.exe.exe", lpUsedDefaultChar=0x0) returned 17 [0097.101] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="encsvc.exe", cchWideChar=10, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="encsvc.exe-charge.exeexeexens.exe.exe", lpUsedDefaultChar=0x0) returned 10 [0097.101] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0097.102] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.102] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.102] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x20c [0097.102] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\accupos.exe", lpdwSize=0x353fc90) returned 1 [0097.102] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\accupos.exe", lpdwSize=0x353fc90) returned 1 [0097.102] CloseHandle (hObject=0x20c) returned 1 [0097.103] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="accupos.exe", cchWideChar=11, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="accupos.exege.exeexeexens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0097.104] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0097.105] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.105] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.105] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x20c [0097.106] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\afr38.exe", lpdwSize=0x353fc90) returned 1 [0097.106] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\afr38.exe", lpdwSize=0x353fc90) returned 1 [0097.106] CloseHandle (hObject=0x20c) returned 1 [0097.107] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0097.108] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.108] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.108] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x20c [0097.108] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\aldelo.exe", lpdwSize=0x353fc90) returned 1 [0097.109] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\aldelo.exe", lpdwSize=0x353fc90) returned 1 [0097.109] CloseHandle (hObject=0x20c) returned 1 [0097.109] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0097.110] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.110] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.110] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x20c [0097.110] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\ccv_server.exe", lpdwSize=0x353fc90) returned 1 [0097.110] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\ccv_server.exe", lpdwSize=0x353fc90) returned 1 [0097.110] CloseHandle (hObject=0x20c) returned 1 [0097.110] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0097.111] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.111] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.111] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x20c [0097.111] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\centralcreditcard.exe", lpdwSize=0x353fc90) returned 1 [0097.112] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\centralcreditcard.exe", lpdwSize=0x353fc90) returned 1 [0097.112] CloseHandle (hObject=0x20c) returned 1 [0097.112] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0097.113] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.113] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.113] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x20c [0097.113] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\creditservice.exe", lpdwSize=0x353fc90) returned 1 [0097.113] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows NT\\creditservice.exe", lpdwSize=0x353fc90) returned 1 [0097.113] CloseHandle (hObject=0x20c) returned 1 [0097.113] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0097.114] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.114] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.115] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x20c [0097.115] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\edcsvr.exe", lpdwSize=0x353fc90) returned 1 [0097.115] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\edcsvr.exe", lpdwSize=0x353fc90) returned 1 [0097.115] CloseHandle (hObject=0x20c) returned 1 [0097.115] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0097.116] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.116] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.116] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x20c [0097.116] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Sidebar\\fpos.exe", lpdwSize=0x353fc90) returned 1 [0097.116] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Sidebar\\fpos.exe", lpdwSize=0x353fc90) returned 1 [0097.117] CloseHandle (hObject=0x20c) returned 1 [0097.117] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0097.118] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.118] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.118] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x20c [0097.118] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Java\\isspos.exe", lpdwSize=0x353fc90) returned 1 [0097.118] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Java\\isspos.exe", lpdwSize=0x353fc90) returned 1 [0097.118] CloseHandle (hObject=0x20c) returned 1 [0097.118] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0097.119] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.119] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.119] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x20c [0097.119] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\mxslipstream.exe", lpdwSize=0x353fc90) returned 1 [0097.120] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Adobe\\mxslipstream.exe", lpdwSize=0x353fc90) returned 1 [0097.120] CloseHandle (hObject=0x20c) returned 1 [0097.120] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0097.121] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.121] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.121] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x20c [0097.121] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\omnipos.exe", lpdwSize=0x353fc90) returned 1 [0097.121] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Reference Assemblies\\omnipos.exe", lpdwSize=0x353fc90) returned 1 [0097.122] CloseHandle (hObject=0x20c) returned 1 [0097.122] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0097.122] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.123] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.123] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x20c [0097.123] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Uninstall Information\\spcwin.exe", lpdwSize=0x353fc90) returned 1 [0097.178] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Uninstall Information\\spcwin.exe", lpdwSize=0x353fc90) returned 1 [0097.178] CloseHandle (hObject=0x20c) returned 1 [0097.178] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0097.179] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.179] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.179] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x20c [0097.179] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\spgagentservice.exe", lpdwSize=0x353fc90) returned 1 [0097.180] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\spgagentservice.exe", lpdwSize=0x353fc90) returned 1 [0097.180] CloseHandle (hObject=0x20c) returned 1 [0097.180] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0097.181] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.181] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.181] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x20c [0097.181] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\utg2.exe", lpdwSize=0x353fc90) returned 1 [0097.181] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\utg2.exe", lpdwSize=0x353fc90) returned 1 [0097.182] CloseHandle (hObject=0x20c) returned 1 [0097.182] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="compare brown worth.exe")) returned 1 [0097.183] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.183] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.183] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x20c [0097.183] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\compare brown worth.exe", lpdwSize=0x353fc90) returned 1 [0097.183] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\compare brown worth.exe", lpdwSize=0x353fc90) returned 1 [0097.183] CloseHandle (hObject=0x20c) returned 1 [0097.184] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="purchase.exe")) returned 1 [0097.184] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.185] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.185] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12a4) returned 0x20c [0097.185] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\purchase.exe", lpdwSize=0x353fc90) returned 1 [0097.185] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\purchase.exe", lpdwSize=0x353fc90) returned 1 [0097.186] CloseHandle (hObject=0x20c) returned 1 [0097.188] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="purchase.exe", cchWideChar=12, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="purchase.exen worth.exens.exe.exe", lpUsedDefaultChar=0x0) returned 12 [0097.189] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="encsvc.exe", cchWideChar=10, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="encsvc.exese.exen worth.exens.exe.exe", lpUsedDefaultChar=0x0) returned 10 [0097.189] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="timothy.exe")) returned 1 [0097.190] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.190] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.190] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b8) returned 0x20c [0097.190] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\timothy.exe", lpdwSize=0x353fc90) returned 1 [0097.191] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\timothy.exe", lpdwSize=0x353fc90) returned 1 [0097.191] CloseHandle (hObject=0x20c) returned 1 [0097.192] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="timothy.exe", cchWideChar=11, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="timothy.exeen worth.exens.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0097.194] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="encsvc.exe", cchWideChar=10, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="encsvc.exey.exeen worth.exens.exe.exe", lpUsedDefaultChar=0x0) returned 10 [0097.194] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="across-camel-teachers.exe")) returned 1 [0097.195] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.195] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.195] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12cc) returned 0x20c [0097.195] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\across-camel-teachers.exe", lpdwSize=0x353fc90) returned 1 [0097.196] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\UNP\\across-camel-teachers.exe", lpdwSize=0x353fc90) returned 1 [0097.196] CloseHandle (hObject=0x20c) returned 1 [0097.199] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="across-camel-teachers.exe", cchWideChar=25, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="across-camel-teachers.exe.exe.exe", lpUsedDefaultChar=0x0) returned 25 [0097.200] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="encsvc.exe", cchWideChar=10, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="encsvc.exe-camel-teachers.exe.exe.exe", lpUsedDefaultChar=0x0) returned 10 [0097.200] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pst.exe")) returned 1 [0097.201] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.202] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.202] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12e0) returned 0x20c [0097.202] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\pst.exe", lpdwSize=0x353fc90) returned 1 [0097.202] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\pst.exe", lpdwSize=0x353fc90) returned 1 [0097.202] CloseHandle (hObject=0x20c) returned 1 [0097.203] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="pst.exe", cchWideChar=7, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pst.execamel-teachers.exe.exe.exe", lpUsedDefaultChar=0x0) returned 7 [0097.204] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="encsvc.exe", cchWideChar=10, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="encsvc.exeecamel-teachers.exe.exe.exe", lpUsedDefaultChar=0x0) returned 10 [0097.204] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0097.205] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.205] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.205] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13bc) returned 0x20c [0097.205] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0097.206] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0097.206] CloseHandle (hObject=0x20c) returned 1 [0097.208] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="taskhostw.exe", cchWideChar=13, lpMultiByteStr=0x353ec90, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskhostw.exeteachers.exe.exe.exe", lpUsedDefaultChar=0x0) returned 13 [0097.208] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0097.209] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.209] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.209] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13cc) returned 0x20c [0097.210] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x353fc90) returned 1 [0097.210] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x353fc90) returned 1 [0097.210] CloseHandle (hObject=0x20c) returned 1 [0097.211] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0097.211] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.211] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.212] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13dc) returned 0x20c [0097.212] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0097.212] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0097.212] CloseHandle (hObject=0x20c) returned 1 [0097.212] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0097.213] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.213] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.213] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13e4) returned 0x20c [0097.213] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x353fc90) returned 1 [0097.213] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x353fc90) returned 1 [0097.214] CloseHandle (hObject=0x20c) returned 1 [0097.214] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0097.214] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.215] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.215] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13ec) returned 0x20c [0097.215] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0097.215] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0097.215] CloseHandle (hObject=0x20c) returned 1 [0097.215] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0097.216] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.216] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.216] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13f4) returned 0x20c [0097.216] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0097.216] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x353fc90) returned 1 [0097.216] CloseHandle (hObject=0x20c) returned 1 [0097.216] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1098, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0097.302] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.302] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.302] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1098) returned 0x20c [0097.302] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x353fc90) returned 1 [0097.303] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x353fc90) returned 1 [0097.303] CloseHandle (hObject=0x20c) returned 1 [0097.303] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x13e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0097.304] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.304] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.304] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xad4) returned 0x20c [0097.305] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0097.305] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0097.305] CloseHandle (hObject=0x20c) returned 1 [0097.305] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x608, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x13cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0097.306] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.306] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.306] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x608) returned 0x20c [0097.306] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0097.307] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x353fc90) returned 1 [0097.307] CloseHandle (hObject=0x20c) returned 1 [0097.307] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xda8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xaac, pcPriClassBase=8, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0097.308] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.308] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.308] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xda8) returned 0x20c [0097.308] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpdwSize=0x353fc90) returned 1 [0097.308] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe", lpdwSize=0x353fc90) returned 1 [0097.308] CloseHandle (hObject=0x20c) returned 1 [0097.308] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xaac, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0097.309] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.309] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.309] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x378) returned 0x20c [0097.309] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0097.309] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101fc14, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x353fc90) returned 1 [0097.310] CloseHandle (hObject=0x20c) returned 1 [0097.310] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x110c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0097.310] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.310] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.311] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x110c) returned 0x20c [0097.311] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x353fc90) returned 1 [0097.311] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x353fc90) returned 1 [0097.311] CloseHandle (hObject=0x20c) returned 1 [0097.311] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdd0064, th32DefaultHeapID=0xff01, th32ModuleID=0x53fa9c, cntThreads=0x353fa9c, th32ParentProcessID=0x1031000, pcPriClassBase=32, dwFlags=0x48, szExeFile="????p")) returned 0 [0097.312] CloseHandle (hObject=0x208) returned 1 [0097.312] Sleep (dwMilliseconds=0x1) [0097.368] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x353fd2c, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0097.368] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2e497f8, cbMultiByte=7, lpWideCharStr=0x353ee34, cchWideChar=2047 | out: lpWideCharStr="far.exeexeeexelplussvc.exe") returned 7 [0097.369] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="far.exe", cchWideChar=7, lpMultiByteStr=0x353eca8, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="far.exexe", lpUsedDefaultChar=0x0) returned 7 [0097.369] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x353fa9c, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\csrss.exe")) returned 0x3b [0097.370] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x353eca4, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exexexe", lpUsedDefaultChar=0x0) returned 9 [0097.370] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x208 [0097.386] Process32First (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0097.387] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.387] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.387] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0097.388] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="far.exe", cchWideChar=7, lpMultiByteStr=0x353ec8c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="far.exe\x03\x09", lpUsedDefaultChar=0x0) returned 7 [0097.388] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0097.404] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.404] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.404] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x20c [0097.404] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x353fc90) returned 0 [0097.404] GetLastError () returned 0x1f [0097.405] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x353fc90) returned 0 [0097.405] CloseHandle (hObject=0x20c) returned 1 [0097.417] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0097.418] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.418] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.418] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x20c [0097.418] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x353fc90) returned 1 [0097.418] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10185fc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x353fc90) returned 1 [0097.419] CloseHandle (hObject=0x20c) returned 1 [0097.419] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0097.420] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.519] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.519] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0097.519] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0097.520] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.520] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.520] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x20c [0097.521] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x353fc90) returned 1 [0097.521] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x353fc90) returned 1 [0097.521] CloseHandle (hObject=0x20c) returned 1 [0097.521] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0097.522] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.522] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.522] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0097.522] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0097.523] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.523] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.523] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x20c [0097.523] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x353fc90) returned 1 [0097.523] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x353fc90) returned 1 [0097.523] CloseHandle (hObject=0x20c) returned 1 [0097.524] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0097.524] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.524] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.524] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x20c [0097.524] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x353fc90) returned 1 [0097.525] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x353fc90) returned 1 [0097.525] CloseHandle (hObject=0x20c) returned 1 [0097.525] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0097.526] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.526] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.526] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x20c [0097.526] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x353fc90) returned 1 [0097.526] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101843c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x353fc90) returned 1 [0097.526] CloseHandle (hObject=0x20c) returned 1 [0097.526] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.527] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.527] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.527] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x20c [0097.527] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.527] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.528] CloseHandle (hObject=0x20c) returned 1 [0097.528] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0097.528] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.528] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.528] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0097.528] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0097.529] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.529] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.530] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0097.530] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.530] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.530] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.531] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x20c [0097.531] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.531] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.531] CloseHandle (hObject=0x20c) returned 1 [0097.531] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0097.532] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.532] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.532] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0097.532] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.533] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.533] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.533] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x20c [0097.533] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.534] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.534] CloseHandle (hObject=0x20c) returned 1 [0097.534] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x63, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.535] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.535] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.535] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x20c [0097.535] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.536] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.536] CloseHandle (hObject=0x20c) returned 1 [0097.536] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.537] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.537] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.537] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x20c [0097.537] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.537] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.537] CloseHandle (hObject=0x20c) returned 1 [0097.537] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.538] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.538] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.538] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x20c [0097.538] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.538] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.539] CloseHandle (hObject=0x20c) returned 1 [0097.539] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.539] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.539] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.539] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x20c [0097.539] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.540] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.540] CloseHandle (hObject=0x20c) returned 1 [0097.540] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.540] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.541] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.541] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x20c [0097.541] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.541] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.541] CloseHandle (hObject=0x20c) returned 1 [0097.541] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.542] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.542] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.542] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x20c [0097.542] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.542] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.542] CloseHandle (hObject=0x20c) returned 1 [0097.542] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.543] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.543] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.543] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x20c [0097.543] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.543] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.544] CloseHandle (hObject=0x20c) returned 1 [0097.544] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.544] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.544] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.544] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x20c [0097.544] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.545] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.545] CloseHandle (hObject=0x20c) returned 1 [0097.545] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.546] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.546] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.546] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x20c [0097.546] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.546] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.546] CloseHandle (hObject=0x20c) returned 1 [0097.546] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.547] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.547] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.547] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x20c [0097.547] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.547] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.547] CloseHandle (hObject=0x20c) returned 1 [0097.548] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0097.548] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.548] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.548] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x20c [0097.548] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x353fc90) returned 1 [0097.549] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x353fc90) returned 1 [0097.549] CloseHandle (hObject=0x20c) returned 1 [0097.549] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0097.550] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.550] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.550] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x20c [0097.550] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x353fc90) returned 1 [0097.550] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x353fc90) returned 1 [0097.550] CloseHandle (hObject=0x20c) returned 1 [0097.551] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0097.551] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.551] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.551] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x20c [0097.551] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x353fc90) returned 1 [0097.552] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x353fc90) returned 1 [0097.552] CloseHandle (hObject=0x20c) returned 1 [0097.552] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.553] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.553] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.553] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x20c [0097.553] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.553] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.553] CloseHandle (hObject=0x20c) returned 1 [0097.553] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0097.554] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.554] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.554] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x20c [0097.554] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0097.554] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x353fc90) returned 1 [0097.554] CloseHandle (hObject=0x20c) returned 1 [0097.554] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0097.555] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.555] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.555] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x20c [0097.555] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x353fc90) returned 1 [0097.555] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x10185fc, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x353fc90) returned 1 [0097.556] CloseHandle (hObject=0x20c) returned 1 [0097.556] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0097.556] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.556] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.556] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x20c [0097.557] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x353fc90) returned 1 [0097.557] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x353fc90) returned 1 [0097.557] CloseHandle (hObject=0x20c) returned 1 [0097.557] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0097.558] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.558] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.558] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x20c [0097.558] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 1 [0097.558] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 1 [0097.558] CloseHandle (hObject=0x20c) returned 1 [0097.558] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0097.559] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.559] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.559] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x20c [0097.559] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 0 [0097.559] GetLastError () returned 0x1f [0097.559] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x353fc90) returned 0 [0097.559] CloseHandle (hObject=0x20c) returned 1 [0097.627] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0097.628] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.628] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.628] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x20c [0097.628] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f44c, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x353fc90) returned 1 [0097.628] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x353fc90) returned 1 [0097.629] CloseHandle (hObject=0x20c) returned 1 [0097.629] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0097.630] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.630] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.630] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x20c [0097.630] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x353fc90) returned 1 [0097.630] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x353fc90) returned 1 [0097.630] CloseHandle (hObject=0x20c) returned 1 [0097.631] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0097.631] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.632] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.632] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x20c [0097.632] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x353fc90) returned 1 [0097.632] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x353fc90) returned 1 [0097.632] CloseHandle (hObject=0x20c) returned 1 [0097.632] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0097.633] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.633] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.633] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0097.634] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0097.634] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.634] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.634] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0097.634] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.635] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.635] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.635] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x20c [0097.635] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.635] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x353fc90) returned 1 [0097.636] CloseHandle (hObject=0x20c) returned 1 [0097.636] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0097.636] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.636] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.637] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdec) returned 0x20c [0097.637] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x353fc90) returned 1 [0097.637] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x353fc90) returned 1 [0097.637] CloseHandle (hObject=0x20c) returned 1 [0097.637] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SppExtComObj.Exe")) returned 1 [0097.638] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.638] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.638] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1a4) returned 0x0 [0097.638] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="manufacturers.exe")) returned 1 [0097.639] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.639] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.639] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb14) returned 0x20c [0097.639] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\manufacturers.exe", lpdwSize=0x353fc90) returned 1 [0097.639] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\manufacturers.exe", lpdwSize=0x353fc90) returned 1 [0097.640] CloseHandle (hObject=0x20c) returned 1 [0097.640] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="posters struggle.exe")) returned 1 [0097.640] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.640] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.640] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb00) returned 0x20c [0097.641] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\posters struggle.exe", lpdwSize=0x353fc90) returned 1 [0097.641] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office\\posters struggle.exe", lpdwSize=0x353fc90) returned 1 [0097.641] CloseHandle (hObject=0x20c) returned 1 [0097.641] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x650, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="dnsreliablemovie.exe")) returned 1 [0097.642] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.642] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.642] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x650) returned 0x20c [0097.642] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\dnsreliablemovie.exe", lpdwSize=0x353fc90) returned 1 [0097.642] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\dnsreliablemovie.exe", lpdwSize=0x353fc90) returned 1 [0097.643] CloseHandle (hObject=0x20c) returned 1 [0097.643] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="uristackaluminum.exe")) returned 1 [0097.643] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.644] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.644] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf8) returned 0x20c [0097.644] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\uristackaluminum.exe", lpdwSize=0x353fc90) returned 1 [0097.644] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\uristackaluminum.exe", lpdwSize=0x353fc90) returned 1 [0097.644] CloseHandle (hObject=0x20c) returned 1 [0097.644] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="freedom.exe")) returned 1 [0097.645] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.645] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.645] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8a0) returned 0x20c [0097.645] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\freedom.exe", lpdwSize=0x353fc90) returned 1 [0097.645] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Microsoft Office\\freedom.exe", lpdwSize=0x353fc90) returned 1 [0097.646] CloseHandle (hObject=0x20c) returned 1 [0097.646] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="discussion complement stretch.exe")) returned 1 [0097.646] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.646] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.647] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x20c [0097.647] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\discussion complement stretch.exe", lpdwSize=0x353fc90) returned 1 [0097.647] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d3a4, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\discussion complement stretch.exe", lpdwSize=0x353fc90) returned 1 [0097.647] CloseHandle (hObject=0x20c) returned 1 [0097.647] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="grantsfillingraises.exe")) returned 1 [0097.648] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.648] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.648] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe34) returned 0x20c [0097.648] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\grantsfillingraises.exe", lpdwSize=0x353fc90) returned 1 [0097.648] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100b1ec, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Mail\\grantsfillingraises.exe", lpdwSize=0x353fc90) returned 1 [0097.648] CloseHandle (hObject=0x20c) returned 1 [0097.648] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="confused-periodic-returns.exe")) returned 1 [0097.649] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.649] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.649] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xc98) returned 0x20c [0097.649] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\confused-periodic-returns.exe", lpdwSize=0x353fc90) returned 1 [0097.649] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\confused-periodic-returns.exe", lpdwSize=0x353fc90) returned 1 [0097.650] CloseHandle (hObject=0x20c) returned 1 [0097.650] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="song_vinyl_yours.exe")) returned 1 [0097.650] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.650] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.650] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf34) returned 0x20c [0097.651] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\song_vinyl_yours.exe", lpdwSize=0x353fc90) returned 1 [0097.651] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\rempl\\song_vinyl_yours.exe", lpdwSize=0x353fc90) returned 1 [0097.651] CloseHandle (hObject=0x20c) returned 1 [0097.651] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="palmer-bugs.exe")) returned 1 [0097.652] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.652] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.652] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xee8) returned 0x20c [0097.652] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\palmer-bugs.exe", lpdwSize=0x353fc90) returned 1 [0097.652] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f664, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\palmer-bugs.exe", lpdwSize=0x353fc90) returned 1 [0097.652] CloseHandle (hObject=0x20c) returned 1 [0097.652] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="unlikely.exe")) returned 1 [0097.653] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0097.653] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0097.653] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa90) returned 0x20c [0097.653] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x101f234, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\unlikely.exe", lpdwSize=0x353fc90) returned 1 [0097.653] QueryFullProcessImageNameW (in: hProcess=0x20c, dwFlags=0x0, lpExeName=0x100d224, lpdwSize=0x353fc90 | out: lpExeName="C:\\Program Files\\Windows Security\\unlikely.exe", lpdwSize=0x353fc90) returned 1 [0097.653] CloseHandle (hObject=0x20c) returned 1 [0097.653] Process32Next (in: hSnapshot=0x208, lppe=0x353fd0c | out: lppe=0x353fd0c*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="cambodia_alan.exe")) returned 1 [0097.654] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 Process: id = "4" image_name = "notepad.exe" filename = "c:\\windows\\syswow64\\notepad.exe" page_root = "0x19417000" os_pid = "0x378" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xaac" cmd_line = "notepad.exe" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 28 os_tid = 0xfa8 Thread: id = 29 os_tid = 0x474 Thread: id = 30 os_tid = 0xe88